4/22/2013
04:18 PM

No 'One Size Fits All' In Data Breaches, New Verizon Report Finds

Verizon Data Breach Investigations Report 2013 says financial cybercrime accounts for three-fourths of real-world breaches, followed by cyberespionage in one-fifth of breaches

If there's one big theme of the just-released Verizon Data Breach Investigations Report (DBIR), it's demographics: All sizes of organizations are getting hacked, and different industries are getting hit for different reasons and with different attack methods.

"We shouldn't have a one-size-fits-all approach," says Jay Jacobs, senior analyst for the Verizon RISK Team, describing one of the biggest takeaways from this year's report, which was the biggest one yet in terms of data and sources. "There's a big difference between [attacks hitting] a retailer and financial institutions versus manufacturers or consultants."

The report -- which draws from 621 confirmed data breaches, 47,000 reported security incidents, and 44 million compromised records worldwide in 2012 from Verizon as well as the US Computer Emergency Response Team and other national CERTs, the U.S. Secret Service, and law enforcement agencies in Europe -- shows that 75 percent of all breaches last year were the result of financially motivated cyberattacks, while 20 percent were cyberespionage for stealing intellectual property or other information for competitive purposes. Hacktivism remained steady, but with more distributed denial-of-service (DDoS) attacks than "doxing" or other forms of data theft.

Outsiders again reigned as the top attackers, making up 92 percent of the attackers that hit organizations last year. Next were state-sponsored attackers -- the majority from China -- with 19 percent of the attacks, and 14 percent were executed by insiders. Financial firms were hit the most, with 37 percent of last year's breaches, followed by retailers and restaurants, 24 percent; manufacturing, transportation, and utilities, 20 percent; and information services and professional services, 20 percent.

Nearly 40 percent of all attacks hit large organizations, but smaller organizations represented a large number of breached organizations when it came to cyberespionage-type attacks: Some 22 of the organizations suffering cyberespionage last year were firms with only one to 100 employees, mainly in manufacturing and professional services, and 23 firms with 101 to 1,000 employees, mainly in manufacturing. Firms with 1,001 to 10,000 employees accounted for 36 of the cyberespionage attacks.

"That size variable was a surprise to me," Jacobs says. "We saw an even split [overall] between large and small organizations ... The best theory we could come up with was that in a lot of the main industries here -- manufacturing and professional services like consultants, programming or engineering -- there's a lot of intelligence-gathering in their relationships. So attackers may go after a small manufacturing company because they manufacture something on behalf of a bigger company. So they generate this intellectual property."

[Half of all targeted attacks last year hit companies with fewer than 2,500 employees, and overall, targeted cyberattacks jumped 42 percent in 2012, new Symantec data show. See Small Businesses Now Bigger Targets In Cyberattacks.]

Other key findings were that organizations typically don't discover that they've been breached for months and even years after the fact, and nearly 70 percent of them learn from a third party. And when it comes to cyberespionage attacks, 96 percent of them were attributed to attackers in China, while the majority of financially motivated breaches came from attackers in the U.S. or Eastern Europe. Romania was No. 1 there, with 28 percent of the attacks.

[Figure: Origin of External Actors: Top 10. Source: 2013 Verizon Data Breach Investigations Report (DBIR)]

And even amid growing concerns about mobile security and the bring-your-own device explosion, mobile wasn't a factor in the breaches last year, according to Verizon's report. "We're just not seeing [mobile] yet," Verizon's Jacobs says. "It's either because it's not holding data, or there's an easier path to the data ... But that may change as it becomes more ubiquitous and standardized."

A combination of methods contributed to attackers hitting their marks, but hacking (52 percent) was the most common technique, followed by malware (40 percent); physical, such as ATM skimmers (35 percent); social (29 percent); misuse (13 percent); and user mistakes (2 percent).

Meanwhile, the report highlights just how crucial demographics are to unraveling data breach incidents. Some industries are more prone to specific threats than others, for instance, and also face different types of attack methods. Smaller firms also face different attack methods than larger ones. "We see a diverse set of tactics," Jacobs says.

Financial cybercrime actors typically hit smaller organizations by compromising weak passwords on an admin's account, for example, and gather their intel on this via automated scans looking for open ports and weak passwords to gain remote admin control. "With smaller targets, it's more of low-hanging fruit," Jacobs says. "With larger targets, we see a more diverse set of attacks."

With larger targets, phishing and malware are a popular combination, especially in cyberespionage, but that also is typical with targeted spying attacks on smaller firms. The bottom line is a one-size-fits-all approach to security is detrimental, according to Verizon. "Any attempt to enforce a one-size-fits-all approach to securing our assets may result in leaving some organizations underprotected from targeted attacks, while others potentially overspend on defending against simpler opportunistic attacks," the report says.

Overall, phishing tactics quadrupled in 2012, a jump Verizon attributes to the popularity of phishing in targeted cyberespionage campaigns.

Organized crime syndicates mostly out of Eastern Europe and North America typically target the finance, retail, and food industries for payment cards, credentials, and bank information, while state-sponsored attackers mostly out of China go after manufacturing, professional, and transportation firms for credentials, organizations, data, trade secrets, and system information, the report says.

Hacktivists, mostly from North America and Western Europe, target information, public, and other services, mainly for credentials, personal information, and internal organization data, Verizon says.

"The bottom line is that unfortunately, no organization is immune to a data breach in this day and age," said Wade Baker, principal author of the DBIR reports. "We have the tools today to combat cybercrime, but it's really all about selecting the right ones and using them in the right way. In other words, understand your adversary -- know their motives and methods, and prepare your defenses accordingly and always keep your guard up."

The full Verizon 2013 DBIR is available here (PDF).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

PJS880,
User Rank: Ninja
4/29/2013 | 5:43:59 PM
re: No 'One Size Fits All' In Data Breaches, New Verizon Report Finds
I don't think that it is so much the size of the organizations as it is the ease of access into these systems. Financial gains and corporate espionage make up the top 2 on the list, and those factors do not care about the size or demographic of your company. The chart really puts it into perspective for the reader. Now take for example the governments in these countries and it also makes sense as to the high number of corporate espionage that is taking place in that country. With the growing number of mobile devices and technology in the mobile field constantly expanding, the attacks and the vulnerabilities are sure to be on the rise just as quickly as the industry.

Paul Sprague

InformationWeek Contributor
kjhiggins,
User Rank: Strategist
4/23/2013 | 11:38:00 AM
re: No 'One Size Fits All' In Data Breaches, New Verizon Report Finds
Good catch, John! The URL in Verizon's release on the report was incorrect--updating my article now with the link to the latest report. Thank you.

Kelly Jackson Higgins, Senior Editor, Dark Reading
John Jameson,
User Rank: Apprentice
4/23/2013 | 7:50:09 AM
re: No 'One Size Fits All' In Data Breaches, New Verizon Report Finds
That link is to the 2012 report. The 2013 report is here-http://www.verizonenterprise.c...