The 2015 Verizon Data Breach Investigations Report, published since 2008, was released last month, and it details a thorough investigation of common data security threat patterns, as well as the effects of different kinds of data breaches in various industries. Called “the Data Breach Bible” by Tripwire, the report compiled the data of nearly 80,000 security incidents and more than 2,000 data incidents from seventy organizations in sixty-one countries over the course of 2014. As the introduction puts it, the report seeks to “paint the clearest picture yet of the threats, vulnerabilities, and actions that lead to security incidents, as well as how they impact organizations suffering them” (DBIR, 1). With 2014 dubbed “The Year of the Data Breach,” security experts and industries were anxious to learn how the year in retrospect stacked up, what changes were observed, and which areas of their organization might be vulnerable to attack based on current trends.
It’s important to note that the vast majority of confirmed data disclosures can still be attributed to nine major attack types, listed here in descending order of frequency:
- Point-of-sale (28.5%)
- Crimeware (18.8%)
- Cyber-espionage (18%)
- Privilege Misuse (10.6%)
- Web Applications (9.4%)
- Miscellaneous Errors (8.1%)
- Lost and Stolen Assets (3.3%)
- Payment Card Skimmers (3.1%)
- Denial of Service (0.1%)
As the DBIR puts it, “The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people” (32). While the causes of data compromises haven’t changed much, there are a few notable discoveries unearthed in this year’s report.
While malware attacks on point-of-sale systems and foreign threats have been in the limelight as far as data breach causes go, it turns out that a more pernicious threat has been gaining prominence. According to the Verizon report, phishing accounts for 20% of recorded data breaches. IT professionals need to be aware of this rising threat, since phishing campaigns have started to incorporate malware installation as the second stage of the attack. Organizations don’t seem to be training employees on phishing attack prevention, though, with 23% of recipients reported as opening phishing messages, and 11% clicking on attachments.
Vulnerabilities Don’t Expire
The vast majority of attacks exploit known vulnerabilities for which a patch had been available for months or even over a year. Furthermore, 97% of the attacks exploiting known vulnerabilities came from just ten of those vulnerabilities. This suggests that patching effort might be better directed at closing widely known, long-standing gaps than at rushing out patches for new issues the moment they’re released.
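One way to act on this finding, as an added example in Python that is not code from the report or from this article: triage a scanner export by how long a fix has been available, putting old fixes for known-exploited CVEs first, and measure how much of the backlog a short list of the most widespread CVEs would clear. The CVE identifiers, host names, dates, scores and the known-exploited flag are all constructed placeholders, and the three priority tiers are one reading of the DBIR point, not a method the report prescribes.

```python
"""Patch-backlog triage inspired by the DBIR finding that most exploited
vulnerabilities had fixes available for months or years.

Added example, not code from the report or the article. Every CVE identifier,
host name, date and score below is a constructed placeholder (CVE-XXXX-000N).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    patch_released: date   # date the vendor fix became available
    cvss: float
    known_exploited: bool  # on your exploited-in-the-wild watchlist (assumed input)


# Constructed sample of an open-findings export from a vulnerability scanner.
FINDINGS = [
    Finding("CVE-XXXX-0001", "web-01", date(2013, 4, 2), 7.5, True),
    Finding("CVE-XXXX-0002", "web-01", date(2014, 12, 20), 9.8, False),
    Finding("CVE-XXXX-0003", "db-02", date(2012, 11, 7), 6.1, True),
    Finding("CVE-XXXX-0004", "hr-07", date(2014, 12, 28), 5.3, False),
    Finding("CVE-XXXX-0001", "hr-07", date(2013, 4, 2), 7.5, True),
    Finding("CVE-XXXX-0005", "db-02", date(2014, 6, 1), 4.3, False),
]

TODAY = date(2015, 3, 1)  # fixed reference date so the example is reproducible


def patch_age_days(finding: Finding, today: date = TODAY) -> int:
    """Days the fix has been available and not applied."""
    return (today - finding.patch_released).days


def tier(finding: Finding, today: date = TODAY, stale_after: int = 90) -> int:
    """0 = stale fix and known exploited, 1 = stale fix, 2 = fresh fix.

    The tiers are one reading of the DBIR point (old, widely known gaps first);
    they are not a method the report prescribes.
    """
    stale = patch_age_days(finding, today) > stale_after
    if stale and finding.known_exploited:
        return 0
    return 1 if stale else 2


def triage(findings, today: date = TODAY, stale_after: int = 90):
    """Order findings for remediation: by tier, then oldest fix, then highest CVSS."""
    return sorted(
        findings,
        key=lambda f: (tier(f, today, stale_after), -patch_age_days(f, today), -f.cvss),
    )


def coverage_of_top_cves(findings, k: int) -> float:
    """Fraction of open host-level findings closed by fixing the k most widespread CVEs.

    Mirrors the report's observation that a handful of CVEs account for most
    exploitation: a short list of patches often clears most of the backlog.
    """
    if not findings:
        return 0.0
    per_cve = Counter(f.cve for f in findings)
    closed = sum(count for _, count in per_cve.most_common(k))
    return closed / len(findings)


if __name__ == "__main__":
    for f in triage(FINDINGS):
        print(f"tier {tier(f)}  {f.cve}  {f.host:7}  fix age {patch_age_days(f):4d}d  cvss {f.cvss}")
    print(f"fixing the top 2 CVEs closes {coverage_of_top_cves(FINDINGS, 2):.0%} of open findings")
```

Feed it your own scanner export in place of the constructed list and swap the known-exploited flag for whatever exploited-in-the-wild feed you trust; the ordering then puts the long-patched, actively exploited gaps at the top of the queue rather than whatever was disclosed this week.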
Don’t Worry So Much About Mobile
With the rise of the mobile workplace and BYOD policies, a lot of lip service has been paid to mobile security threats. The Verizon DBIR reports that out of tens of millions of mobile devices surveyed on the Verizon network, only 0.03% per week were infected with “truly malicious exploits.” Verizon also reports that 95% of mobile malware types didn’t persist for longer than a month. This suggests that mobile attacks are much less pervasive than expected, but that doesn’t mean IT professionals should stop properly training employees on using well-known and trusted applications when on company networks, only opening emails from known sources, and other mobile security best practices.
What the DBIR makes abundantly clear once again is that people are the biggest security vulnerability. Year after year, we see that the majority of data compromises can be avoided by properly training employees on security policies and data management, and by enforcing those policies both within the organization and with third-party vendors and contractors. Restricting data access to only the users who need it and implementing secure file-sharing tools can go a long way toward limiting user error and privilege misuse. Also, the DBIR makes it clear that continuing to deploy patches and update anti-virus software will be worth your IT department’s while.