4/14/2015
12:01 AM

Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks

New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse.

BYOD may be a big fat security and management headache for the business world, and mobile malware may be on the rise, but the reality is that so far, hackers aren't employing mobile malware for cybercrime or cyber spying purposes, according to findings in the newly published Verizon 2015 Data Breach Investigations Report.

"Mobile malware exists, but in a very insignificant fashion in our incident data," says Marc Spitler, senior risk analyst for Verizon and a co-author of the much-anticipated report, which was released today. "There's a lot of opportunistic malware and crimeware trying to take over a system to do something else -- to launch a denial-of-service attack, or use as a spambot. These are all ways to monetize, and they aren't going to do that with mobile or Internet of Things" devices, he says.

Verizon, which has found mobile mostly a nonexistent factor in previous years, saw similar trends this year in its breach investigations as well as in its contributors' data, but tapped Verizon Wireless for some data to be sure. The result: Verizon Wireless data shows some 100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate. Overall, most Android infections were unwanted adware and other "annoyance-ware," according to Verizon's report. Android is by far the main mobile target, too, as "most of the suspicious activity logged from iOS devices was just failed Android exploits," the report says.

What about targeted attacks? Spitler says targeted malware still rules on PCs rather than on mobile devices.

The mobile reality-check was one of the main findings in the vast report, which includes data from 70 contributing organizations spanning service providers, incident response firms, international Computer Security Information Response Teams (CSIRTs), government agencies, and the security industry. The data looks at 79,790 security incidents worldwide, of which 2,122 were confirmed data breaches.

Two-thirds of the incidents were in the US -- mainly because most of the data came from US sources -- and the top three industries were the public sector, with 50,315 reported incidents and 303 confirmed cases of data loss; technology (1,496 reported incidents and 95 confirmed cases of data loss); and financial services (642 reported incidents and 277 confirmed cases of data loss). Retail, not surprisingly after 2014's wave of attacks on retailers, was close behind: 523 reported incidents and 164 confirmed cases of data loss.

Verizon also found that in 70% of attacks where the motive is known, a secondary victim is affected. These are mainly opportunistic attacks, such as malware injected onto a website in hopes of infecting as many visitors as possible, or attacks carried out for denial-of-service purposes.

Meanwhile, the lifecycle of a malware variant is fleeting: 95% of malware types lived for less than a month, according to Verizon's report, and four of five variants live no longer than one week. That data comes from the 170 million malware events studied in the report. And 70% to 90% of malware samples are unique to an organization, and half of the organizations studied detected malware in 35 or fewer days last year. In 60% of breaches, attackers got in within minutes.

Attackers were quick to turn around exploits after vulnerabilities went public in 2014: half of the bugs exploited last year were exploited less than a month after their disclosure, Verizon found.

Phishing is still an easy -- and fast -- way to infect victim organizations, the report shows. Within the first hour after a phishing email is sent, close to half of users open the emails and click on the malicious links in the message. According to Verizon, which calculated this data based on data from two of its security awareness firm contributors, the median time to that first click is one minute and 22 seconds across all campaigns in the sample.

And nearly one-fourth of users open phishing email messages, and 11% actually click on the messages' attachments. "A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey," according to the report.

The Cost Of A Breach, For Real

The average cost of a data breach is 58 cents per record, according to Verizon, a big difference from the conventional wisdom of an average of $200 per record, a data point based on dividing the sum of losses by the total number of records lost. Why the dramatic difference in cost data by Verizon versus previous calculations? "This is better than a cost per record model," Verizon's Spitler says of Verizon's measurement. "We were able to get some real impact data based on actual insurance payouts, versus survey models."

Verizon, with the help of new DBIR contributor NetDiligence, studied data on loss of payment cards, personal information, and medical records in 191 insurance claims. "If we apply the average cost-per-record approach to the loss claims data, we get a rather surprising amount: $0.58," the report says. Bottom line: cost-per-record alone isn't an accurate reflection, the report says, and there's more of a range of losses depending on the number of data records affected.

Using the new formula, the cost of a breach of 10 million records is between $2.1 million and $5.2 million in the majority of cases, but could hit $73.9 million at most. A breach of 100 million records costs between $5 million and $15.6 million most of the time, with the possibility of hitting $199 million.

Last year's DBIR report laid out nine threat patterns that are tied to most data breaches: user error, crimeware, insider/privilege misuse, physical theft/loss, Web application attacks, denial-of-service attacks, cyberespionage, point-of-sale intrusions, and payment card skimmers. More than 95% of the attacks in 2014 fit into those categories.

The full report is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
4/15/2015 | 9:32:57 AM
Re: big and fat? Why does it have to be fat too?
Darn wordplay. =)
SgS125,
User Rank: Ninja
4/15/2015 | 9:09:40 AM
big and fat? Why does it have to be fat too?
Why use big and fat together?

The problem may be big but I don't get the fat part.  Most of the phones and tablets I see are pretty thin these days.