12:01 AM
Connect Directly

Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks

New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse.

BYOD may be a big fat security and management headache for the business world and mobile malware on the rise, but the reality is that so far, hackers aren't employing mobile malware for cybercrime or cyber spying purposes, according to findings in the newly published Verizon 2015 Data Breach Investigations Report.

"Mobile malware exists, but in a very insignificant fashion in our incident data," says Marc Spitler, senior risk analyst for Verizon and a co-author of the much-anticipated report, which was released today. "There's a lot of opportunistic malware and crimeware trying to take over a system to do something else -- to launch a denial-of-service attack, or use as a spambot. These are all ways to monetize, and they aren't going to do that with mobile or Internet of Things" devices, he says.

Verizon, which has found mobile mostly a nonexistent factor in previous years, saw similar trends this year in its breach investigations as well as in its contributors' data, but tapped Verizon Wireless for some data to be sure. The result: Verizon Wireless data shows some 100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate. Overall, most infected Androids were unwanted adware and other "annoyance-ware," according to Verizon's report. Android by far is the main mobile target, too, as "most of the suspicious activity logged from iOS devices was just failed Android exploits," the report says.

What about targeted attacks? Spitler says targeted malware still rules on PCs rather than on mobile devices.

The mobile reality-check was one of the main findings in the vast report, which includes data from 70 contributing organizations spanning service providers, incident response firms, international Computer Security Information Response Teams (CSIRTs), government agencies, and the security industry. The data looks at 79,790 security incidents worldwide, of which 2,122 were confirmed data breaches.

Two-thirds of the incidents were in the US--mainly because most of the data came from US sources--and the top three industries were the public sector, with 50,315 reported incidents and 303 confirmed cases of data loss; technology (1,496 reported incidents and 95 confirmed cases of data loss), and financial services, (642 reported incidents and 277 confirmed cases of data loss). Retail, not surprisingly after 2014's wave of attacks on retailers, was close behind:  523 reported incidents and 164 confirmed cases of data loss.

Verizon also found that in 70% of attacks where the motive is known, a secondary victim is affected, and are mainly opportunistic attacks such as malware injected onto a website in hopes of infecting as many visitors as possible, or for denial-of-service attack purposes.

Meanwhile, the lifecycle of a malware variant is fleeting: 95% of malware types lived for less than a month, according to Verizon's report, and four of five variants live no longer than one week. That data comes from the 170 million malware events studied in the report. And 70- to 90% of malware samples are unique to an organization, and half of the organizations studied detected malware in 35 or fewer days last year. In 60% of breaches, attackers got in within minutes.

Attackers were quick to turn around exploits after vulnerabilities went public in 2014: half of the bugs exploited last year were exploited less than a month after their disclosure, Verizon found.

Phishing is still an easy -- and fast -- way to infect victim organizations, the report shows. Within the first hour after a phishing email is sent, close to half of users open the emails and click on the malicious links in the message. According to Verizon, which calculated this data based on data from two of its security awareness firm contributors, the median time to that first click is one minute and 22 seconds across all campaigns in the sample.

And nearly one-fourth of users open phishing email messages, and 11% actually click on the messages' attachments. "A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey," according to the report.

The Cost Of A Breach, For Real

The average cost per record in a data breach is 58 cents per record, according to Verizon, a big difference from the conventional wisdom of an average of $200 per record, a data point based on dividing the sum of losses by the total number of records lost. Why the dramatic  difference in cost data by Verizon versus previous calculations? "This is better than a cost per record model," Verizon's Spitler says of Verizon's measurement. "We were able to get some real impact data based on actual insurance payouts, versus survey models."

Verizon, with the help of new DBIR contributor NetDiligence, studied data on loss of payment cards, personal information, and medical records in 191 insurance claims. "If we apply the average cost-per-record approach to the loss claims data, we get a rather surprising amount: $0.58," the report says. Bottom line: cost-per-record alone isn't an accurate reflection, the report says, and there's more of a range of losses depending on the number of data records affected.

Using the new formula, the cost of a breach of 10 million records is between $2.1 million and $5.2 million in the majority of cases, but could hit $73.9 million at most. A breach of 100 million records costs between $5 million and $15.6 million most of the time, with the possibility of hitting $199 million.

Last year's DBIR report laid out nine threat patterns that are tied to most data breaches:  user error, crimeware insider/privilege misuse, physical theft/loss, Web application attacks, denial-of-service attacks, cyberespionage, point-of-sale intrusions, and payment card skimmers. More than 95% of the attacks in 2014 fit into those categories. 

The full report is available here.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
4/15/2015 | 9:32:57 AM
Re: big and fat? Why does it have to be fat too?
Darn wordplay. =)
User Rank: Ninja
4/15/2015 | 9:09:40 AM
big and fat? Why does it have to be fat too?
Why use big and fat together?

The problem may be big but I don't get the fat part.  Most of the phones and tablets I see are pretty thin these days.
One in Three SOC Analysts Now Job-Hunting
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/12/2018
Encrypted Attacks Continue to Dog Perimeter Defenses
Ericka Chickowski, Contributing Writer, Dark Reading,  2/14/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: One agent too many was installed on Bob's desktop.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.