Web application attacks, point-of-sale intrusions, cyberespionage and crimeware were the leading causes of confirmed data breaches last year.
The findings are based on data collected by Verizon Enterprise Solutions and 70 other organizations from almost 80,000 security incidents and over 2,000 confirmed data breaches in 61 countries.
According to Verizon’s 2015 Data Breach Investigations Report, which analyzes security incidents that happened last year, the top five affected industries by number of confirmed data breaches were: public administration, financial services, manufacturing, accommodations and retail.
Humans were again the weak link that led to many of the compromises. The data shows that phishing—whether used to trick users into opening infected email attachments, click on malicious links, or input their credentials on rogue websites—remains the weapon of choice for many criminals and spies.
For the past two years, over two-thirds of cyberespionage incidents involved phishing, the Verizon team said in its report. Hundreds of incidents from the crimeware section have also included the technique in their event chain, they said.
The data showed that 23 percent of phishing email recipients are open the messages and 11 percent of them click on the attachment inside. A small phishing campaign of only 10 emails comes with an over 90 percent chance that at least one person will become a victim, the Verizon team said.
The time window for organizations to react to such attacks is very small, with the median time from when an email is sent to when the first user clicks on the link inside being just one minute and 22 seconds. Sanctioned tests have showed that nearly half of the users who end up opening phishing emails and clicking on links do so within the first hour.
Employees of certain business departments are more likely to fall victim to phishing attacks than others. Workers in departments like communications, legal and customer service are at greater risk because opening email is a central component in their jobs, so companies will probably want to start security awareness training with them.
Ironically, while users are the problem, they can also be the solution to phishing. If trained properly, they can become a network of human sensors that are better at detecting sophisticated email attacks than any technology.
As always, compromised credentials, whether they were obtained through phishing, spyware or brute-force methods, played a major role in many data breaches.
Credentials were the second most common type of record after bank information that was stolen by crimeware—malware attacks that don’t fall into more specific categories like cyberespionage. However, many stolen credentials are later used to compromise bank records, so they’re likely under-represented in the statistics, according to the Verizon team.
Weak or stolen credentials are also the leading cause of point-of-sale compromises and account for over 50 percent of breaches involving Web applications. As such, companies should strongly consider implementing two-factor authentication mechanisms wherever possible.
In this year’s report Verizon has again split security incident patterns into nine categories: crimeware, cyberespionage, denial of service, lost and stolen assets, miscellaneous errors, payment card skimmers, point of sale, privilege misuse and Web applications.
It then established relationships between those attack categories and various types of threat actors and targeted organizations. As such, readers can learn that hacktivists favor Web application attacks (61 percent) and denial-of-service attacks (31 percent) while organized crime groups favor crimeware (73 percent) and Web application attacks (20 percent).
Companies in the accommodation, entertainment and retail sectors are more likely to be the victims of point-of-sale intrusions, while those in the financial services sector are more likely to be targeted with crimeware and Web application attacks.
Healthcare institutions are likely to suffer security incidents as a result of errors (32 percent) or privilege misuse (26 percent). Otherwise, cyberspies most frequently target organizations in the manufacturing, professional and information sectors.
As such, companies should prioritize defenses based on the threats they’re most likely to face, which, perhaps surprisingly, are almost never mobile-based, according to Verizon.
Data shared for the report by mobile carrier Verizon Wireless, which monitors its network for signs of malware, revealed hundreds of thousands of potential infections. However, it turned out most of them were of the annoying advertising variety.
“An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network—were infected with ‘higher-grade’ malicious code,” the Verizon team said.
This echoes a recent report from Google, which found that under 0.1 percent of devices that only allow the installation of apps from Google Play had a potentially harmful application installed. Kindsight Security Labs, a security division of Alcatel-Lucent now called Motive Security Labs, reported a 0.68 percent mobile infection rate for the second half of 2014.
“Mobile devices are not a theme in our breach data, nor are they a theme in our partners’ breach and security data,” Verizon said. “We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone.”
Mobile devices should not be ignored, because they can be vulnerable to attacks and can pose risks to enterprise networks, the Verizon team said. However, for now hackers seem to favor other attack methods that don’t involve smart phones, so companies should focus on those, while striving to gain visibility into mobile devices in case the threat landscape shifts in the future.
For example, one thing companies should pay closer attention to is patching. Data from Verizon partner Risk I/O showed that just 10 vulnerabilities, some of them dating back to late 1990s and early 2000s accounted for almost 97 percent of all exploitation attempts.
At first glance this is encouraging, because everyone should have patches in place for those flaws by now. However, when looking at the total number of vulnerabilities that were targeted in 2014, a much darker picture emerges: attackers started exploiting half of them less than a month after they were publicly disclosed. Moreover, the patching window might actually be shorter because the time lines in the Verizon report are based on when the exploits were first detected; and there’s always a lag between the actual launch of an attack and when it’s first detected.
“These results undeniably create a sense of urgency to address publicly announced critical vulnerabilities in a timely (and comprehensive) manner,” the Verizon team said.