Verizon 2015 Data Breach Report – nine common breach patterns

It’s that time of year again – Verizon has just released its data breach report looking back over the reported security incidents and confirmed breaches that occurred during 2014.  One of the key findings was that more than 92% of security incidents collected by Verizon over the last 10 years matched just nine attack patterns, providing at least a straw of hope to cling on to if you are an information security professional who feels overwhelmed by the seemingly innumerable security threats out there.  Below is the stats-infested list of nine:

  1. Miscellaneous Errors (29.4%) – Human error still tops the charts.  This includes information sent to the wrong recipients (30%), publishing non-public information to public web servers (17%), and insecure disposal of personal or medical records (12%).  And it’s not just end-users making mistakes.  System Administrators were responsible for over 60% of incidents!
  2. Crimeware (25.1%) – Drive-by malware is still high on the list, especially malware that targets bank details, user credentials and sensitive personal, classified or internal information.  Malware that opens up Command & Control channels in preparation for subsequent stages of the attack or that creates bots for Denial of Service (DoS) attacks also rank highly.  DoS malware has moved from 8th to 2nd in the rankings, which may indicate DDoS-based extortion attempts could be on the rise.
  3. Insider Misuse (20.6%) – The threat within remained a firm favourite in 2014, with more incidents than ever before.  Another key change is that back in 2011 cashiers topped the actors’ chart for misuse – this year end-users were at the top of the list, with over 37% of all incidents attributed to this threat actor group.  Cashiers, although in second place, made up less than half of that at only 16.8%.
  4. Physical Theft/Loss (15.3%) – Although this statistic is mainly US-based as they have a number of mandatory disclosure regulations, it is still interesting to see that 55% of all thefts occurred within the victim’s work area, and 22% from employee-owned vehicles.
  5. Web App Attacks (4.1%) – This year organised crime became the most frequently seen threat actor for Web App Attacks.  Almost all of these attacks were opportunistic in nature, with very few industries escaping the attention of these criminal gangs.  Stolen user credentials are still used in more than 50% of attacks, but Command & Control and backdoor malware is in a strong second place with 40.5%.  Our old friend SQL Injection is in third place with 19% – proof that we still need to heed the advice from OWASP and their Top 10.
  6. Denial of Service (3.9%) – The number of attacks in this category has almost doubled in the last year, with a significant proportion associated with malware (see no. 2 above).  These attacks mainly involved re-purposing devices for use in amplification or reflection attacks, which in turn exploit weaknesses in improperly secured services such as Network Time Protocol (NTP), Domain Name System (DNS) and Simple Service Discovery Protocol (SSDP): the attacker sends small requests with the victim’s spoofed source address, and the service answers the victim with responses many times larger.  NTP topped the list, with the maximum attack bandwidth hitting 325 Gigabit/second in one attack.
  7. Cyber-espionage (0.8%) – Phishing by e-mail or web drive-by are still firm favourites for nation states to deploy their malware onto their targets’ networks.  Perhaps not surprisingly, the end goal of more than 85% of these attacks was to obtain secret information, followed at a distance by access to credentials as well as internal and system data.  Also worth noting is that in more than two thirds of attacks it is not possible to attribute them to a specific attacker – proper Spy vs. Spy stuff then!
  8. POS Intrusion (0.7%) – Whilst the number of Point of Sale attacks in 2014 was low relative to other types of incidents, much larger organisations fell victim to this type of attack alongside the small retailers and restaurants that have traditionally been the attackers’ ‘cash cows’ for years.  Attacks have also evolved from simple storage scraping to active RAM skimming as technical security controls have improved through the PCI DSS standard.  POS vendors themselves were also targeted through phishing or network penetration – remote access credentials were compromised, giving the attackers free access to customer Cardholder Data Environments.  Attacks also now tend to be more targeted, for example relying on the use of stolen credentials rather than exploiting insecure default user accounts.
  9. Payment Card Skimmers (0.1%) – Another old favourite, but the attackers continue to innovate in this area.  This includes the development of thin, translucent skimmers that fit inside ATM and POS card readers as well as direct tapping of the POS device electronics to capture data without being detected.  Poor implementations of Chip & PIN are also still vulnerable to attack.  It is also expected that attackers will continue to hone their attack methods on other related target-rich vectors such as card-not-present/online transactions.
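The reflection/amplification mechanism behind pattern 6 is easy to spot in flow data once you know what to look for: a tiny UDP request into a reflector port (NTP 123, DNS 53, SSDP 1900) answered by a reply many times larger, with the "requester" actually being the spoofed victim.  The script below is an added example (not part of the Verizon report or this post) that pairs request and reply flows from a handful of constructed NetFlow-style records and flags pairs whose byte amplification exceeds a threshold; the IP addresses, byte counts and the 10x cut-off are assumptions for illustration.

```python
"""Flag reflection/amplification abuse in (constructed) UDP flow records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP services named in the report as reflectors; amplified replies come FROM these ports.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (src -> dst), as a collector would export it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


# Constructed sample flows (hypothetical addresses from RFC 5737 ranges, not real traffic).
# 203.0.113.10 is the spoofed victim; 198.51.100.x hosts are open NTP/DNS servers.
SAMPLE_FLOWS = [
    # Benign NTP time sync: 76-byte request on the wire, 76-byte reply.
    Flow("192.0.2.5", 41000, "198.51.100.7", 123, 1, 76),
    Flow("198.51.100.7", 123, "192.0.2.5", 41000, 1, 76),
    # Spoofed NTP "monlist"-style request: one small packet in, 100 large packets out to the victim.
    Flow("203.0.113.10", 50000, "198.51.100.7", 123, 1, 76),
    Flow("198.51.100.7", 123, "203.0.113.10", 50000, 100, 48200),
    Flow("203.0.113.10", 50000, "198.51.100.8", 123, 1, 76),
    Flow("198.51.100.8", 123, "203.0.113.10", 50000, 100, 48200),
    # Spoofed DNS query against an open resolver returning a large answer.
    Flow("203.0.113.10", 50000, "198.51.100.9", 53, 1, 64),
    Flow("198.51.100.9", 53, "203.0.113.10", 50000, 1, 3200),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector emits per byte the (spoofed) requester sent in."""
    if request_bytes <= 0:
        raise ValueError("request_bytes must be positive")
    return response_bytes / request_bytes


def find_reflected_flows(flows: List[Flow], min_factor: float = 10.0) -> List[dict]:
    """Pair each request to a reflector port with the reverse reply flow and keep
    pairs whose byte amplification is at least min_factor (assumed threshold)."""
    by_tuple = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port): f for f in flows}
    hits = []
    for req in flows:
        if req.dst_port not in REFLECTOR_PORTS:
            continue
        reply = by_tuple.get((req.dst_ip, req.dst_port, req.src_ip, req.src_port))
        if reply is None:
            continue
        factor = amplification_factor(req.bytes, reply.bytes)
        if factor >= min_factor:
            hits.append({
                "service": REFLECTOR_PORTS[req.dst_port],
                "reflector": req.dst_ip,
                "victim": req.src_ip,      # spoofed source == real target of the flood
                "reply_bytes": reply.bytes,
                "factor": round(factor, 1),
            })
    return hits


def amplified_bytes_per_victim(flows: List[Flow], min_factor: float = 10.0) -> Dict[str, int]:
    """Sum amplified reply bytes per victim: attacks spread requests across many
    reflectors, so the per-target total is what the victim's link actually sees."""
    totals: Dict[str, int] = defaultdict(int)
    for hit in find_reflected_flows(flows, min_factor):
        totals[hit["victim"]] += hit["reply_bytes"]
    return dict(totals)


if __name__ == "__main__":
    for hit in find_reflected_flows(SAMPLE_FLOWS):
        print(f"{hit['service']:4s} {hit['reflector']} -> {hit['victim']}  x{hit['factor']}")
    print(amplified_bytes_per_victim(SAMPLE_FLOWS))
```

The same pairing logic, run over a site's own NTP and DNS servers as the reflector side, tells you whether you are the one being abused as an amplifier; the fix in that case is to disable `monlist` (NTP mode 7) and recursion for outside clients rather than to block the victim.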

These statistics have some interesting implications for security risk management.  They suggest that, while the threats against us may seem innumerable, infinitely varied, and ever-changing, the reality is they aren’t.  This does not diminish the significant challenges faced by defenders, but it does imply that the information security threat space is finite, measurable to an extent, and largely understandable.

But a health warning is probably necessary – the research is based on reported incidents only and is a bit US-biased.  Who knows how many incidents and breaches go unreported, not to mention undetected.  Verizon’s analysis is certainly a useful indicator, but as security professionals we still need to be very aware of the security threats specific to our organisation and the industry it operates within.  You still don’t want to be caught out by any of the remaining 8% of attack patterns!

The full Verizon report can be downloaded from here.