Infosec 2013: Every business a target of cyber attack, Verizon breach report shows

Every business is a target of some kind of threat, the most comprehensive Verizon data breach report to date has shown.

The Verizon 2013 Data Breach Investigations Report, launched at Infosecurity Europe 2013 in London, is based on the broadest set of data breach sources since the report was introduced five years ago.

Verizon is joined by 18 organisations from around the world that contributed data and analysis to this year’s report, representing a more than threefold increase in data contributors.

“Analysis showed that we are getting to the point where everybody needs to recognise they are a target,” said Wade Baker, main author of the report and managing principal of risk intelligence at Verizon.

“Whether it is espionage, organised crime or hacktivists, everybody is a target of some kind of threat if they are in business and part of their business processes are carried out online,” he told Computer Weekly.

Data breaches affect organisations of all sizes across all sectors

The research also shows that breaches are no longer most common in smaller businesses of below 1,000 employees, but more evenly spread across all sizes of enterprise and all sectors.

Some 38% of breaches affected larger organisations, up from around 10% the year before.

In the past year, 37% of breaches affected financial organisations, 24% affected retailers and restaurants, 20% involved the manufacturing, transportation and utilities industries, with the same percentage affecting information and professional services firms.

In particular, espionage attacks are no longer confined to government agencies, military departments and defence contractors, but include manufacturing companies as well as IT and professional organisations.

Most attacks in this category targeted intellectual property, trade secrets and technical resources to further national and economic interests.

The breach data shows that fewer companies are in a position to say that espionage is not an issue, and companies need to realise that when planning their information security defences, said Baker.

The report shows that state-affiliated espionage dominated the security landscape in the past year, alongside large-scale financial cyber crime, accounting for 20% and 75% of breaches respectively.

The data does not necessarily mean there has been an increase in the espionage activity in real terms, but the broader data inputs are providing a much clearer picture than before, said Baker.

Understand the threat to improve security strategy

While there was little change in the proportion of incidents involving hacktivists, the study showed that the amount of data stolen decreased as hacktivists shifted to other forms of attack, such as distributed denial-of-service (DDoS) attacks.

These attacks are aimed at paralysing or disrupting systems, and also have significant costs because they impair business and operations.

“We have the tools today to combat cyber crime, but it is really all about selecting the right ones and using them in the right way. In other words, understand your adversary – know their motives and methods, and prepare your defences accordingly and always keep your guard up,” said Baker.

This approach, he said, also helps prioritise security projects by helping organisations to identify the attack methods that are most likely to be used and the data assets that are most likely to be targeted.

For example, the report shows that the top three breach scenarios account for 70% of breaches, so by prioritising defences against just three types of attack organisations can defend against most attacks.

The report, said Baker, is aimed at helping organisations see the proportion of attack methods and at increasing awareness of cyber crime, to help the security industry improve security technologies and to help organisations better tailor their defence strategies.

The research shows that 76% of network intrusions exploited weak or stolen credentials, but Baker said he doubted many companies are spending 80% of their security budget on controlling network access and managing user accounts.

“Yet it is absolutely clear to me that criminals are shifting to those sorts of attacks,” he said. Similarly, Baker said he hears a lot of concern about security of the cloud, mobile devices and bring-your-own-device (BYOD) practices, yet none of these show up yet in the data as being directly responsible for data breaches to any significant extent.

Top attack methods

The research also found that external attacks remain largely responsible for data breaches, with 92% of them attributable to outsiders and 14% committed by insiders.

The outsider category includes organised crime, activist groups, former employees, lone hackers and even organisations sponsored by foreign governments.

As in the prior year’s report, business partners were responsible for about 1% of data breaches.

In terms of attack methods, hacking is the top way breaches occur, and was involved in 52% of data breaches.

Some 40% of network intrusions incorporated malware to compromise information, 35% involved physical attacks such as ATM skimming, and 29% used social engineering tactics such as phishing.

The proportion of breaches incorporating social tactics was four times higher in 2012, which, according to the breach report, is directly related to the tactic’s widespread use in targeted espionage campaigns.

The research found that the compromise-to-discovery timeline continues to be measured in months and even years, not hours and days.

Finally, the report noted that third parties continue to detect the majority of breaches, with 69% of breaches not being detected by the organisation most directly affected.
