In one of the more interesting reads this year, Verizon recently released its 2015 Data Breach Investigative Report, which can be downloaded at this link. Verizon works with seventy security firms from around the world to compile and document major security breaches. This report is fascinating and provides both the big picture of how the bad guys are attacking us, as well as interesting statistics about the details of the attacks. I highly recommend the report if you have a spare hour.
The report looks at nearly 80,000 security incidents including 2,122 confirmed security breaches in the last year, many of which hit the news. One thing that Verizon saw was that almost all of those breaches (96%) were the result of nine different types of attacks used by hackers. Those nine types of attacks are: point-of-sale intrusions, payment card skimmers, crimeware, web app attacks, denial-of-service attacks, physical theft, insider misuse, cyber-espionage, and miscellaneous errors.
The most common external cause of major breaches last year was from attacks by web applications (things like phishing and malware), which caused 458 breaches. This was followed by attacks on point-of-sale systems in stores which caused 419 breaches and attacks by state-sponsored espionage units which accounted for 290 breaches.
Some of the statistics in the report are really interesting:
- A little more than 20% of breaches come from inside an organization where an employee or trusted contractor steals credit card numbers or corporate secrets. This percentage has remained consistent since 2010.
- In 2010, over 95% of attacks came from compromised credentials (somebody stealing login information from employees and using it to gain entry to systems) or spyware of some sort. In 2014, the threat from direct spyware has largely disappeared as a corporate threat and companies are getting good at combatting common malware from the web. But the bad guys have changed tactics and the two new major malware threats are from RAM scraping and phishing. (RAM scraping is using malware to steal unencrypted credit card data in the few milliseconds between the time that a credit card is swiped at a retail location and the data is encrypted).
- Verizon’s study shows that 23% of recipient employees in businesses open phishing messages and 11% click on the infected attachments. Nearly 50% of phishing emails are opened within the first hour of receipt. The three big groups within companies that fall prey to phishing are communications, legal, and customer service. Unfortunately it often only takes one phishing breach to infect a network.
- Hackers are really good at what they do and in 60% of the breaches they were inside company systems within minutes of the onset of the attack.
- Sadly, almost all of the exploited vulnerabilities happen after the industry as a whole has found a way to block or patch against the threat, with many of these breaches coming a year or more after a patch was created. There is obviously a big gap between the fixes being developed by security experts and the time it takes to get these fixes into business systems.
- The shelf life of the vast majority of malware is about a month. Within that time a way to block the malware is developed and distributed to the companies that scrub web traffic on the Internet before it gets to end users. But there are always tons of new malware, and it’s a constant battle between hackers and security companies.
- There are still very few effective hacks against cell phones. Verizon estimates that only 0.03% of cellphones are infected with truly malicious software.
- There is a big difference in the amount of malware aimed at different industries. For instance, the average financial institution sees 350 malware attempts per day, the average retail location sees 801 and the average education location sees 2,332. A lot of malware is very specific to an industry or even to a specific location.
- The industry has touted the cost to a business for a compromised record at $0.58 per record. This was calculated by looking at insurance claims and is conservative since very large companies often self-insure. Verizon estimates that the true cost to a business is between $52 and $87 per compromised record. The bigger the breach, the larger the cost per compromised record.
The main thing I get from this report is a reminder each year of how many bad guys there are in the world trying to steal credit card numbers, corporate data, and other valuable information. It’s also interesting to see over time how the methods of attacking networks change in the never-ending cat and mouse game between hackers and security systems. It’s also interesting to look through the list of the companies who participate in this report since they are the Who’s Who of Internet security around the world.