Attacks/Breaches
4/14/2015
12:01 AM

Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks

New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse.

BYOD may be a big fat security and management headache for the business world, and mobile malware may be on the rise, but the reality is that so far, hackers aren't employing mobile malware for cybercrime or cyber spying purposes, according to findings in the newly published Verizon 2015 Data Breach Investigations Report.

"Mobile malware exists, but in a very insignificant fashion in our incident data," says Marc Spitler, senior risk analyst for Verizon and a co-author of the much-anticipated report, which was released today. "There's a lot of opportunistic malware and crimeware trying to take over a system to do something else -- to launch a denial-of-service attack, or use as a spambot. These are all ways to monetize, and they aren't going to do that with mobile or Internet of Things" devices, he says.

Verizon, which has found mobile mostly a nonexistent factor in previous years, saw similar trends this year in its breach investigations as well as in its contributors' data, but tapped Verizon Wireless for some data to be sure. The result: Verizon Wireless data shows some 100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate. Overall, most Android infections were unwanted adware and other "annoyance-ware," according to Verizon's report. Android by far is the main mobile target, too, as "most of the suspicious activity logged from iOS devices was just failed Android exploits," the report says.

What about targeted attacks? Spitler says targeted malware still rules on PCs rather than on mobile devices.

The mobile reality-check was one of the main findings in the vast report, which includes data from 70 contributing organizations spanning service providers, incident response firms, international Computer Security Information Response Teams (CSIRTs), government agencies, and the security industry. The data looks at 79,790 security incidents worldwide, of which 2,122 were confirmed data breaches.

Two-thirds of the incidents were in the US -- mainly because most of the data came from US sources -- and the top three industries were the public sector, with 50,315 reported incidents and 303 confirmed cases of data loss; technology (1,496 reported incidents and 95 confirmed cases of data loss); and financial services (642 reported incidents and 277 confirmed cases of data loss). Retail, not surprisingly after 2014's wave of attacks on retailers, was close behind: 523 reported incidents and 164 confirmed cases of data loss.

Verizon also found that in 70% of attacks where the motive is known, a secondary victim is affected. These are mainly opportunistic attacks, such as malware injected onto a website in hopes of infecting as many visitors as possible or for denial-of-service attack purposes.

Meanwhile, the lifecycle of a malware variant is fleeting: 95% of malware types lived for less than a month, according to Verizon's report, and four of five variants live no longer than one week. That data comes from the 170 million malware events studied in the report. And 70% to 90% of malware samples are unique to an organization, and half of the organizations studied detected malware in 35 or fewer days last year. In 60% of breaches, attackers got in within minutes.

Attackers were quick to turn around exploits after vulnerabilities went public in 2014: half of the bugs exploited last year were exploited less than a month after their disclosure, Verizon found.

Phishing is still an easy -- and fast -- way to infect victim organizations, the report shows. Within the first hour after a phishing email is sent, close to half of users open the emails and click on the malicious links in the message. According to Verizon, which calculated this data based on data from two of its security awareness firm contributors, the median time to that first click is one minute and 22 seconds across all campaigns in the sample.

And nearly one-fourth of users open phishing email messages, and 11% actually click on the messages' attachments. "A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey," according to the report.

The Cost Of A Breach, For Real

The average cost of a data breach is 58 cents per record, according to Verizon, a big difference from the conventional wisdom of an average of $200 per record, a data point based on dividing the sum of losses by the total number of records lost. Why the dramatic difference in cost data by Verizon versus previous calculations? "This is better than a cost per record model," Verizon's Spitler says of Verizon's measurement. "We were able to get some real impact data based on actual insurance payouts, versus survey models."

Verizon, with the help of new DBIR contributor NetDiligence, studied data on loss of payment cards, personal information, and medical records in 191 insurance claims. "If we apply the average cost-per-record approach to the loss claims data, we get a rather surprising amount: $0.58," the report says. Bottom line: cost-per-record alone isn't an accurate reflection, the report says, and there's more of a range of losses depending on the number of data records affected.

Using the new formula, the cost of a breach of 10 million records is between $2.1 million and $5.2 million in the majority of cases, but could hit $73.9 million at most. A breach of 100 million records costs between $5 million and $15.6 million most of the time, with the possibility of hitting $199 million.

Last year's DBIR report laid out nine threat patterns that are tied to most data breaches: user error, crimeware, insider/privilege misuse, physical theft/loss, Web application attacks, denial-of-service attacks, cyberespionage, point-of-sale intrusions, and payment card skimmers. More than 95% of the attacks in 2014 fit into those categories.

The full report is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
4/15/2015 | 9:32:57 AM
Re: big and fat? Why does it have to be fat too?
Darn wordplay. =)
SgS125,
User Rank: Ninja
4/15/2015 | 9:09:40 AM
big and fat? Why does it have to be fat too?
Why use big and fat together?

The problem may be big but I don't get the fat part.  Most of the phones and tablets I see are pretty thin these days.