Attacks/Breaches
4/27/2017
06:30 PM
Verizon DBIR Shows Attack Patterns Vary Widely By Industry

It's not always the newest or the most sophisticated threat you need to worry about, Verizon's breach and security incident data for 2016 shows.

Among the many key takeaways in the 2017 edition of Verizon’s annual Data Breach Investigations Report (DBIR), released Thursday, is that there are significant differences in why and how organizations across different industries are attacked.

Data that Verizon collected from security incidents and data breaches that it investigated in 2016 showed, for instance, that financial and insurance companies suffered about six times as many breaches (364) from web application attacks as organizations in the information services sector (61).

Similarly, Verizon’s dataset showed healthcare organizations suffered about 13 times as many breaches involving privilege misuse in 2016 compared to manufacturing companies—104 breaches to 8.

Point-of-sale breaches affected organizations in the accommodations and food service space disproportionately more than retail organizations. Manufacturing companies and, somewhat interestingly, educational institutions were the biggest targets of cyber espionage campaigns.

The data provides further evidence that organizations can benefit from having a better understanding of the threats that are specific to their industries and sectors, says Gabriel Bassett, a senior information data scientist with Verizon.

“It’s the kind of thing you would assume. But it is not thought about enough in industry,” he says. “If you are a financial firm, are you putting botnets on top? Or are you putting PoS? If you are in education, do you realize just how starkly espionage has gone up” in this sector, Bassett says.

What the breach data shows is that every organization should mitigate its own risks, he says. “It’s very easy to look at the newest attacks. But if it is not one of your risks, you need to prioritize the things that are,” and apply the appropriate controls and mitigations, Bassett says.


The Verizon report highlights some other trends as well. Last year's data for instance showed that cyber espionage has emerged as a major threat for manufacturing companies, public sector entities, and to a lesser but still significant degree, for educational institutes as well.

In total, Verizon investigated 115 incidents involving cyber espionage at manufacturing companies, 108 of which resulted in a data breach. The total number of breaches at public sector organizations and educational institutions where cyber espionage was a motive was 98 and 19 respectively. Much of the interest in these sectors stems from the proprietary research data, prototypes, and other intellectual property that such organizations typically possess, Verizon’s report noted.

Cyber espionage campaigns tend to be targeted, stealthy, and persistent since the effort is on stealing as much data as possible, says Brian Vecci, technical evangelist at Varonis Systems. “Attackers will follow the cyber kill chain once they compromise an account, which includes accessing the data they can get to, elevating their privileges to access more data, and then obfuscating their tracks,” he says.

Businesses often make it easier for such attackers, Vecci says. He pointed to a recent data risk report that Varonis released, which showed 47% of organizations had 1,000 or more files containing sensitive information open to every employee at any given time. “That’s making it pretty easy for the attacker to steal information.”

While organizations in the targeted sectors need to pay attention to the cyber espionage trend itself, the mitigations against the threat are not very different, Bassett notes.

“Espionage is one of those things where it feels like we need to do something different because it sounds like it is some super-duper elite cyber hacker somewhere that’s attacking,” he says.

In reality, the actual methods that attackers used to get at the data they were after were similar to the tactics used in attacks driven by financial and other motivations.

For example, the three most common actions used by attackers to target organizations in the manufacturing, public, and education sectors were hacking, social engineering, and malware. These were the same tactics that were most commonly used in attacks against organizations in almost every other sector in the Verizon study.

“The thing is espionage is the motive. It is the ‘why’ and it drives the ‘what’ gets stolen,” Bassett says. “But it is not the ‘how.’ The ‘how’ stays very consistent” across industries.

The Verizon report also showed that for yet another year, phishing, malware via email, and credential misuse were among the methods most commonly used by attackers to try to gain access to target networks and systems. Distributed denial-of-service attacks were another major issue, especially for organizations dependent on the Web, such as those in the entertainment, professional services, financial, and information sectors.

Verizon responded to a total of 11,246 denial-of-service incidents in all last year. However, only five of them across all sectors resulted in actual data disclosure.

Web application incidents increased last year compared to 2015, but the actual number of breaches resulting from these incidents was lower. A vast majority of web application attacks involved the use of botnets, most notably Dridex. Stolen credentials, SQL injection, and brute-force attacks were among the other most commonly used tactics in web application attacks.

“Compared to network services, web applications tend to be much more vulnerable,” says Ilia Kolochenko, CEO of High-Tech Bridge. “Web applications are often developed in-house and accumulate dozens of vulnerabilities and weaknesses because of flawed, or simply missing, SDLC [secure development lifecycle] and insufficient security testing,” he says.

Many organizations continue to significantly underestimate the importance of web application security and perceive web apps as simply a web front-end to their organization. “However, as DBIR clearly states, the main attack vector is insecure applications.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
