Releasing its 70-page 2015 Data Breach Investigations Report earlier today, Verizon revealed a number of headline findings, from the rise of phishing and exploitable software vulnerabilities to data breaches costing up to £162 per lost record.
Meanwhile, the firm indicated that cyber-crime activity remains – as it was in 2014 – split into the same old categories. Over the last ten years, 92 percent of all 100,000 security incidents fell into nine basic patterns, with that increasing to 96 percent this year.
These were: miscellaneous errors (29.4 percent), crimeware (25.1 percent), privilege misuse (20.6 percent), lost and stolen assets (15.3 percent), web applications (4.1 percent), denial of service (3.9 percent), cyber-espionage (0.8 percent), point-of-sale (0.7 percent) and payment card skimmers (0.1 percent).
“While the threats against us may “seem” innumerable, infinity varied, and ever-changing, the reality is they aren't,” said researchers of the report. “This certainly doesn't diminish the significant challenges faced by defenders, but it does imply a threat space that is finite, understandable and at least measurable.”
The report further notes that people are ‘90 percent of the problem, and reveals that POS accounts for most data breach disclosures, followed by crimeware, cyber-espionage – featuring in DBIR for the second year running, privilege misuse, web applications, miscellaneous errors, lost and stolen assets, payment card skimmers, denial of service.
Researchers noted that “there has been a definite evolution in POS attacks” and that malware is now “part of the event chain in virtually every security incident” – with malware launching DDoS attacks rising significantly, though not ahead of C2 (command and control) as the preferred method of crimeware attack.
Elsewhere and it seems like old habits die hard – bank records and data are the most sought after by cyber-criminals, with stolen credentials most often used for web applications attacks.
The research acknowledges, as other reports have done recently, that the number of DDoS attacks has increased significantly, but finds that most other faults are easier to distinguish; over half of lost and stolen devices are taken from the work area while the same percentage of insider misuse incidents are down to excessive privileges. Meanwhile, 60 percent incidents under miscellaneous errors were attributed to errors made by sysadmins, with most down to sending data to incorrect recipients, putting non-public material on public web servers, and not securely disposing of personal and medical data.
Interestingly, two of the most-talked about attacks in recent months, cyber-espionage and those against mobile devices, were not considered serious. The report indicated that mobile attacks are common, but don't cause breaches, and also stated that two-thirds of those who cited cyber-espionage attack had no proof of attacker attribution whatsoever.
Lorenz Kuhlee, principal consultant at the Verizon EMEA RISK team, told SCMagazineUK.com that despite the ‘newness' of mobile and espionage, most security failings are down to the same old story of patching, stolen credentials (24 percent of attacks) and no logging.