Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

4/27/2017 06:30 PM

Verizon DBIR Shows Attack Patterns Vary Widely By Industry

It's not always the newest or the most sophisticated threat you need to worry about, Verizon's breach and security incident data for 2016 shows.

Among the many key takeaways in the 2017 edition of Verizon's annual Data Breach Investigations Report (DBIR), released Thursday, is that there are significant differences in why and how organizations across different industries are attacked.

Data that Verizon collected from security incidents and data breaches that it investigated in 2016 showed, for instance, that financial and insurance companies suffered about six times as many breaches (364) from web application attacks as organizations in the information services sector (61).

Similarly, Verizon’s dataset showed healthcare organizations suffered about 13 times as many breaches involving privilege misuse in 2016 compared to manufacturing companies—104 breaches to 8.

Point-of-sale breaches affected organizations in the accommodations and food service space disproportionately more than retail organizations. Manufacturing companies and, somewhat interestingly, educational institutions were the biggest targets of cyber espionage campaigns.

The data provides further evidence that organizations can benefit from having a better understanding of the threats that are specific to their industries and sectors, says Gabriel Bassett, a senior information data scientist with Verizon.

“It’s the kind of thing you would assume. But it is not thought about enough in industry,” he says. “If you are a financial firm are you putting botnets on top? Or are you putting PoS? If you are in education, do you realize just how starkly espionage has gone up,” in this sector, Bassett says.

What the breach data shows is that every organization should mitigate its own risks, he says. "It's very easy to look at the newest attacks. But if it is not one of your risks, you need to prioritize the things that are," and apply the appropriate controls and mitigations, Bassett says.

The Verizon report highlights some other trends as well. Last year's data for instance showed that cyber espionage has emerged as a major threat for manufacturing companies, public sector entities, and to a lesser but still significant degree, for educational institutes as well.

In total, Verizon investigated 115 incidents involving cyber espionage at manufacturing companies, 108 of which resulted in a data breach. The total number of breaches at public sector organizations and educational institutions where cyber espionage was a motive was 98 and 19 respectively. Much of the interest in these sectors stems from the proprietary research data, prototypes, and other intellectual property that such organizations typically possess, Verizon's report noted.

Cyber espionage campaigns tend to be targeted, stealthy, and persistent since the effort is on stealing as much data as possible, says Brian Vecci, technical evangelist at Varonis Systems. “Attackers will follow the cyber kill chain once they compromise an account, which includes accessing the data they can get to, elevating their privileges to access more data, and then obfuscating their tracks,” he says.

Businesses often make it easier for such attackers, Vecci says. He pointed to a recent data risk report that Varonis released, which showed 47% of organizations had 1,000 or more files containing sensitive information open to every employee at any given time. “That’s making it pretty easy for the attacker to steal information.”

While organizations in the targeted sectors need to pay attention to the cyber espionage trend itself, the mitigations against the threat are not very different, Bassett notes.

“Espionage is one of those things where it feels like we need to do something different because it sounds like it is some super-duper elite cyber hacker somewhere that’s attacking,” he says.

In reality, the actual methods that attackers used to get at the data they were after were similar to the tactics used in attacks driven by financial and other motivations.

For example, the three most common actions used by attackers to target organizations in the manufacturing, public, and education sectors were hacking, social engineering, and malware. These were the same tactics that were most commonly used in attacks against organizations in almost every other sector in the Verizon study.

"The thing is espionage is the motive. It is the 'why' and it drives the 'what' gets stolen," Bassett says. "But it is not the 'how.' The 'how' stays very consistent," across industries.

The Verizon report also showed that for yet another year, phishing, malware via email, and credential misuse were among the methods most commonly used by attackers to try to gain access to target networks and systems. Distributed denial-of-service attacks were another major issue, especially for organizations dependent on the Web, such as those in the entertainment, professional services, financial, and information sectors.

Verizon responded to a total of 11,246 denial-of-service incidents in all last year. However, only five of them across all sectors resulted in actual data disclosure.

Web application incidents increased last year as well compared to 2015, but the actual number of breaches resulting from these incidents was lower. A vast majority of web application attacks involved the use of botnets, most notably Dridex. Stolen credentials, SQL injection attacks and brute-force attacks were some of the other most commonly used tactics in web application attacks.
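The brute-force and stolen-credential tactics mentioned above leave a recognizable trace in ordinary web-server access logs: a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not code from the article or from Verizon, showing how a defender can flag that pattern. It assumes a hypothetical `/login` endpoint that answers 401 on a failed attempt and 200 on success, and it runs over a constructed, labelled sample of Apache/nginx-style log lines rather than real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One source fails five times
# in five seconds and then succeeds; a second source fails once and succeeds
# nine minutes later; a third never touches the login endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2017:18:30:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [27/Apr/2017:18:30:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [27/Apr/2017:18:30:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [27/Apr/2017:18:30:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [27/Apr/2017:18:30:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [27/Apr/2017:18:30:06 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.4 - - [27/Apr/2017:18:31:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [27/Apr/2017:18:40:00 +0000] "POST /login HTTP/1.1" 200 2048
192.0.2.9 - - [27/Apr/2017:18:32:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common Log Format: client ident user [timestamp] "METHOD PATH PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(log_text, login_path="/login", threshold=5,
                      window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": peak_failures_in_window,
                  "success_after": True if a 200 followed the burst}}.
    The login path, status codes, threshold and window are assumptions for
    this example; tune them to the application being monitored.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != login_path or rec["method"] != "POST":
            continue
        ip = rec["ip"]
        q = recent[ip]
        if rec["status"] == 401:
            q.append(rec["ts"])
            # Drop failures older than the window before counting.
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif rec["status"] == 200 and ip in flagged:
            # A success after a flagged burst is the highest-priority case:
            # it suggests a guessed or stuffed credential actually worked.
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_after']}")
```

The sliding window, rather than a raw count, is what separates a slow legitimate user who mistypes a password from an automated guessing run; the `success_after` flag is the signal worth paging on, because it marks the point at which credential misuse turns into a compromised account.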

“Compared to network services, web applications tend to be much more vulnerable,” says Ilia Kolochenko, CEO of High-Tech Bridge. “Web applications are often developed in-house and accumulate dozens of vulnerabilities and weaknesses because of flawed, or simply missing, SDLC [secure development lifecycle] and insufficient security testing,” he says.

Many organizations continue to significantly underestimate the importance of web application security and perceive web apps as simply a web front-end to their organization. “However, as DBIR clearly states, the main attack vector is insecure applications.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

jeancharles (User Rank: Apprentice), 5/5/2017 11:46:15 AM:

Interesting
Very interesting!