Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks

New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse.

BYOD may be a big fat security and management headache for the business world and mobile malware on the rise, but the reality is that so far, hackers aren't employing mobile malware for cybercrime or cyber spying purposes, according to findings in the newly published Verizon 2015 Data Breach Investigations Report.

"Mobile malware exists, but in a very insignificant fashion in our incident data," says Marc Spitler, senior risk analyst for Verizon and a co-author of the much-anticipated report, which was released today. "There's a lot of opportunistic malware and crimeware trying to take over a system to do something else -- to launch a denial-of-service attack, or use as a spambot. These are all ways to monetize, and they aren't going to do that with mobile or Internet of Things" devices, he says.

Verizon, which has found mobile mostly a nonexistent factor in previous years, saw similar trends this year in its breach investigations as well as in its contributors' data, but tapped Verizon Wireless for some data to be sure. The result: Verizon Wireless data shows some 100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate. Overall, most infected Androids were unwanted adware and other "annoyance-ware," according to Verizon's report. Android by far is the main mobile target, too, as "most of the suspicious activity logged from iOS devices was just failed Android exploits," the report says.

What about targeted attacks? Spitler says targeted malware still rules on PCs rather than on mobile devices.

The mobile reality-check was one of the main findings in the vast report, which includes data from 70 contributing organizations spanning service providers, incident response firms, international Computer Security Information Response Teams (CSIRTs), government agencies, and the security industry. The data looks at 79,790 security incidents worldwide, of which 2,122 were confirmed data breaches.

Two-thirds of the incidents were in the US--mainly because most of the data came from US sources--and the top three industries were the public sector, with 50,315 reported incidents and 303 confirmed cases of data loss; technology (1,496 reported incidents and 95 confirmed cases of data loss), and financial services, (642 reported incidents and 277 confirmed cases of data loss). Retail, not surprisingly after 2014's wave of attacks on retailers, was close behind:  523 reported incidents and 164 confirmed cases of data loss.

Verizon also found that in 70% of attacks where the motive is known, a secondary victim is affected, and are mainly opportunistic attacks such as malware injected onto a website in hopes of infecting as many visitors as possible, or for denial-of-service attack purposes.

Meanwhile, the lifecycle of a malware variant is fleeting: 95% of malware types lived for less than a month, according to Verizon's report, and four of five variants live no longer than one week. That data comes from the 170 million malware events studied in the report. And 70- to 90% of malware samples are unique to an organization, and half of the organizations studied detected malware in 35 or fewer days last year. In 60% of breaches, attackers got in within minutes.

Attackers were quick to turn around exploits after vulnerabilities went public in 2014: half of the bugs exploited last year were exploited less than a month after their disclosure, Verizon found.

Phishing is still an easy -- and fast -- way to infect victim organizations, the report shows. Within the first hour after a phishing email is sent, close to half of users open the emails and click on the malicious links in the message. According to Verizon, which calculated this data based on data from two of its security awareness firm contributors, the median time to that first click is one minute and 22 seconds across all campaigns in the sample.

And nearly one-fourth of users open phishing email messages, and 11% actually click on the messages' attachments. "A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey," according to the report.

The Cost Of A Breach, For Real

The average cost per record in a data breach is 58 cents per record, according to Verizon, a big difference from the conventional wisdom of an average of $200 per record, a data point based on dividing the sum of losses by the total number of records lost. Why the dramatic  difference in cost data by Verizon versus previous calculations? "This is better than a cost per record model," Verizon's Spitler says of Verizon's measurement. "We were able to get some real impact data based on actual insurance payouts, versus survey models."

Verizon, with the help of new DBIR contributor NetDiligence, studied data on loss of payment cards, personal information, and medical records in 191 insurance claims. "If we apply the average cost-per-record approach to the loss claims data, we get a rather surprising amount: $0.58," the report says. Bottom line: cost-per-record alone isn't an accurate reflection, the report says, and there's more of a range of losses depending on the number of data records affected.

Using the new formula, the cost of a breach of 10 million records is between $2.1 million and $5.2 million in the majority of cases, but could hit $73.9 million at most. A breach of 100 million records costs between $5 million and $15.6 million most of the time, with the possibility of hitting $199 million.

Last year's DBIR report laid out nine threat patterns that are tied to most data breaches:  user error, crimeware insider/privilege misuse, physical theft/loss, Web application attacks, denial-of-service attacks, cyberespionage, point-of-sale intrusions, and payment card skimmers. More than 95% of the attacks in 2014 fit into those categories. 

The full report is available here.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights