For those in the security industry, the annual Verizon Data Breach Investigations Report (DBIR) is a must-read. Those of us who attended the Verizon session on the DBIR 2013 at the annual RSA event a few months back were treated to a first glance at some of the findings of this year’s report and an interesting panel discussion about the impacts. The finishing touches have been placed on this sixth edition of the publication, and it is more comprehensive and enlightening than ever.
The reason the DBIR gets such close scrutiny is because it includes data from 19 global security organizations with an analysis of over 47,000 security incidents and 621 confirmed breaches. In addition, the 2013 DBIR offers new insight into data thieves and their motives.
Key findings include:
- Taking the top spot for all breaches is financially motivated cybercrime (75 percent), followed by state-affiliated espionage campaigns claiming the No. 2 spot (20 percent).
- Hacktivist incidents held steady, but the amount of data stolen decreased as hacktivists shifted to other forms of attacks, such as distributed denial of service attacks.
- Victims represented a wide range of industries, from financial organizations to manufacturing, transportation and utilities.
- 38 percent of breaches impacted larger organizations and represented 27 different countries.
- External attacks remain largely responsible for data breaches, with 92 percent of them attributable to outsiders and 14 percent committed by insiders.
- Hacking is the No. 1 way breaches occur. In fact, hacking was a factor in 52 percent of data breaches.
- 76 percent of network intrusions exploited weak or stolen credentials (user names and passwords).
- The proportion of breaches incorporating social tactics such as phishing was four times higher in 2012, which the report found to be directly related to the tactic’s widespread use in targeted espionage campaigns.
“The bottom line is that unfortunately, no organization is immune to a data breach in this day and age,” said Wade Baker, principal author of the Data Breach Investigations Report series. “We have the tools today to combat cybercrime, but it’s really all about selecting the right ones and using them in the right way.
“In other words, understand your adversary – know their motives and methods, and prepare your defenses accordingly and always keep your guard up,” Baker said.
In his blog, Dave Hylender of the Verizon team added some insights of note about the DBIR. He observes the increase in the diversity, frequency and sophistication of attacks on virtually anyone and every institution:
“As a result—perhaps agitated by ancient Mayan doomsday predictions—a growing segment of the security community adopted an ‘assume you’re breached’ mentality…Motives for these attacks appear equally diverse. Money-minded miscreants continued to cash in on low-hanging fruit from any tree within reach. Bolder bandits took aim at better-defended targets in hopes of bigger hauls. Activist groups DoS’d and hacked under the very different—and sometimes blurred—banners of personal ideology and just-for-the-fun-of-it lulz. And, as a growing list of victims shared their stories, clandestine activity attributed to state-affiliated actors stirred international intrigue.”
Furthermore, everyone in the online security community probably agrees with Hylender’s statement: “All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity.”
The 63-page report is chock full of really interesting charts and descriptions of the various threats. It also concludes with a great recommendation. Verizon is working with the recently formed Consortium for Cybersecurity Actions (CCA) and mapped the most common threat action varieties to that organization’s “Critical Security Controls for Effective Cyber Defense.”
Verizon says the complexity and diversity of cyber threats make it a challenge to offer specific suggestions based on the DBIR alone, and strongly recommends, as do I, that if you want to get educated as to what to do, the CCA 20 Critical Security Controls is a fantastic place to start. It makes for a terrific companion piece to the DBIR.
As the headline says, the DBIR contains sobering information that the bad guys had a good year from their perspective in 2012. And, as the data showed, no business regardless of size is immune from attack.
We read on a daily basis that, unfortunately, 2013 is stacking up as another banner year for those with malicious intent. The good news is that the industry is on the case. It is virtually impossible to mitigate all of the risks in a very complex online world. But having visibility into what is going on, and using the best information and the right tools to understand and address the most glaring vectors and practices that make your enterprise susceptible to a data breach, can certainly help CIOs and CSOs rest a little easier. Let’s hope next year’s DBIR shows a positive downward trend in bad actor exploit activity.
Edited by Rachel Ramsey