In spite of widespread media attention to the problem of “advanced persistent threats” and nation-backed cyber espionage, most cyber attacks that result in the theft of data are opportunistic and rely on unsophisticated or non-technical means, according to Verizon’s 2013 Data Breach Investigations Report (DBIR).
Verizon said that its analysis of 47,000 security incidents and 621 confirmed cases of data loss showed that three-quarters were “opportunistic” – not targeted at a specific company or individual – and financially motivated. Around 20 percent of attacks were linked to what Verizon termed “state affiliated actors” conducting cyber espionage.
Verizon’s annual Data Breach Investigations Report presents the results of investigations conducted by Verizon’s RISK investigators, the U.S. Department of Homeland Security, US-CERT as well as by law enforcement agencies globally. In its sixth year, it is a highly regarded and oft-cited benchmark of malicious activity and threats to organizations.
In a press release accompanying the report, Verizon said that “large-scale financial cyber crime and state-affiliated espionage dominated the security landscape in 2012.” Hacktivism remained a persistent problem, though ideologically motivated hackers shifted tactics from data theft to distributed denial of service (DDoS) attacks in 2012.
“The bottom line is that unfortunately, no organization is immune to a data breach in this day and age,” said Wade Baker, principal author of the Data Breach Investigations Report series. “We have the tools today to combat cyber crime, but it’s really all about selecting the right ones and using them in the right way.”
That last point is reinforced repeatedly by the report.
Less than 1% of the breaches studied in 2012 used tactics rated as ‘high’ on Verizon’s internal “VERIS” difficulty scale for initial compromise. In fact, 78% of the techniques were rated ‘low’ or ‘very low.’ “The barriers to entry for becoming a hacker are pretty low,” Verizon concluded.
Media attention to sophisticated attacks tends to paint over that sober reality. Despite media attention to the thorny problem of “malicious insiders,” Verizon’s analysis of the global data breach data found that the vast majority – 84% – were the work of individuals outside of the target organization. And, while the technology press (including this online publication) has written volumes about the threat of ultra-sophisticated attacks, Verizon found that “very few of the breaches” it analyzed in 2012, or other years, are very surprising or different.
Traditional assets (laptops, desktops and servers) are the most frequent targets of attacks, rather than web applications. Furthermore, unapproved hardware like portable USB drives and handheld card skimmers was the biggest source (41%) of the cases of data misuse in the report.
“While the sophistication of attacks is growing, most breaches could still be easily prevented,” Verizon said.
Rather than fretting about cyber warriors working for the People’s Liberation Army, in other words, companies should adjust their sights lower to find the real risk: malware, phishing and misuse of user credentials. Phishing techniques have become much more sophisticated, Verizon found, and often target specific individuals using tactics that are harder for IT to control, including phone calls and social networking.
Protecting data at rest also had a big return on investment. Verizon found two-thirds of breaches involved data ‘at rest’ in databases and on file servers. The remainder of breaches targeted data as it was being processed by an application. Verizon said it couldn’t find any evidence of data breaches that stemmed from the theft of data in transit.
“In other words, understand your adversary,” said Verizon’s Baker. “Know their motives and methods, and prepare your defenses accordingly and always keep your guard up.”