Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:01 AM
Connect Directly

Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks

New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse.

BYOD may be a big fat security and management headache for the business world and mobile malware on the rise, but the reality is that so far, hackers aren't employing mobile malware for cybercrime or cyber spying purposes, according to findings in the newly published Verizon 2015 Data Breach Investigations Report.

"Mobile malware exists, but in a very insignificant fashion in our incident data," says Marc Spitler, senior risk analyst for Verizon and a co-author of the much-anticipated report, which was released today. "There's a lot of opportunistic malware and crimeware trying to take over a system to do something else -- to launch a denial-of-service attack, or use as a spambot. These are all ways to monetize, and they aren't going to do that with mobile or Internet of Things" devices, he says.

Verizon, which has found mobile mostly a nonexistent factor in previous years, saw similar trends this year in its breach investigations as well as in its contributors' data, but tapped Verizon Wireless for some data to be sure. The result: Verizon Wireless data shows some 100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate. Overall, most infected Androids were unwanted adware and other "annoyance-ware," according to Verizon's report. Android by far is the main mobile target, too, as "most of the suspicious activity logged from iOS devices was just failed Android exploits," the report says.

What about targeted attacks? Spitler says targeted malware still rules on PCs rather than on mobile devices.

The mobile reality-check was one of the main findings in the vast report, which includes data from 70 contributing organizations spanning service providers, incident response firms, international Computer Security Information Response Teams (CSIRTs), government agencies, and the security industry. The data looks at 79,790 security incidents worldwide, of which 2,122 were confirmed data breaches.

Two-thirds of the incidents were in the US--mainly because most of the data came from US sources--and the top three industries were the public sector, with 50,315 reported incidents and 303 confirmed cases of data loss; technology (1,496 reported incidents and 95 confirmed cases of data loss), and financial services, (642 reported incidents and 277 confirmed cases of data loss). Retail, not surprisingly after 2014's wave of attacks on retailers, was close behind:  523 reported incidents and 164 confirmed cases of data loss.

Verizon also found that in 70% of attacks where the motive is known, a secondary victim is affected, and are mainly opportunistic attacks such as malware injected onto a website in hopes of infecting as many visitors as possible, or for denial-of-service attack purposes.

Meanwhile, the lifecycle of a malware variant is fleeting: 95% of malware types lived for less than a month, according to Verizon's report, and four of five variants live no longer than one week. That data comes from the 170 million malware events studied in the report. And 70- to 90% of malware samples are unique to an organization, and half of the organizations studied detected malware in 35 or fewer days last year. In 60% of breaches, attackers got in within minutes.

Attackers were quick to turn around exploits after vulnerabilities went public in 2014: half of the bugs exploited last year were exploited less than a month after their disclosure, Verizon found.

Phishing is still an easy -- and fast -- way to infect victim organizations, the report shows. Within the first hour after a phishing email is sent, close to half of users open the emails and click on the malicious links in the message. According to Verizon, which calculated this data based on data from two of its security awareness firm contributors, the median time to that first click is one minute and 22 seconds across all campaigns in the sample.

And nearly one-fourth of users open phishing email messages, and 11% actually click on the messages' attachments. "A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey," according to the report.

The Cost Of A Breach, For Real

The average cost per record in a data breach is 58 cents per record, according to Verizon, a big difference from the conventional wisdom of an average of $200 per record, a data point based on dividing the sum of losses by the total number of records lost. Why the dramatic  difference in cost data by Verizon versus previous calculations? "This is better than a cost per record model," Verizon's Spitler says of Verizon's measurement. "We were able to get some real impact data based on actual insurance payouts, versus survey models."

Verizon, with the help of new DBIR contributor NetDiligence, studied data on loss of payment cards, personal information, and medical records in 191 insurance claims. "If we apply the average cost-per-record approach to the loss claims data, we get a rather surprising amount: $0.58," the report says. Bottom line: cost-per-record alone isn't an accurate reflection, the report says, and there's more of a range of losses depending on the number of data records affected.

Using the new formula, the cost of a breach of 10 million records is between $2.1 million and $5.2 million in the majority of cases, but could hit $73.9 million at most. A breach of 100 million records costs between $5 million and $15.6 million most of the time, with the possibility of hitting $199 million.

Last year's DBIR report laid out nine threat patterns that are tied to most data breaches:  user error, crimeware insider/privilege misuse, physical theft/loss, Web application attacks, denial-of-service attacks, cyberespionage, point-of-sale intrusions, and payment card skimmers. More than 95% of the attacks in 2014 fit into those categories. 

The full report is available here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
4/15/2015 | 9:09:40 AM
big and fat? Why does it have to be fat too?
Why use big and fat together?

The problem may be big but I don't get the fat part.  Most of the phones and tablets I see are pretty thin these days.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
4/15/2015 | 9:32:57 AM
Re: big and fat? Why does it have to be fat too?
Darn wordplay. =)
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-15
Use after free in Accessibility in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-06-15
Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-06-15
Use after free in Extensions in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-06-15
Use after free in Network service in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-06-15
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untruste...