By Jeffrey Rosenthal
As April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.
Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate website defenses than companies’ ability to detect attacks—meaning many attacks were already complete before victims could even respond.
Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches. According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:
1. Point-Of-Sale Intrusions.
Despite the widespread-publicity of the recent Target Corp. breach (resulting in hackers gaining access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims. But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.
2. Web App Attacks.
Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach. Accomplished by phishing techniques, installing malware, and correctly guessing security questions, Verizon insists better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.
3. Insider And Privilege Misuse.
Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired. Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.
4. Physical Theft And Loss.
Corporate assets (phones, laptops etc.) are stolen from offices more often than from homes or vehicles. The primary cause is simple carelessness. To counter, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.
5. Miscellaneous Errors.
Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure. Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address. While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.
Crimeware consists of any illicit activity that does not fall under espionage or point-of-sale. Most crimeware occurs when users download malicious files. But it can also happen via “drive-by infections,” whereby a virus is downloaded when a user unknowingly clicks a deceptive pop-up window. Corporations’ best defense against crimeware is to maintain the most up-to-date browsers and software.
7. Payment Card Skimmers.
This type of attack is mainly directed at ATMs and gas pumps. Because it requires a skimming device be physically added to a machine, it’s considered a relatively crude manner of intrusion. According to Verizon, the most-recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth. Although modern ATMs are mostly tamper-free, this is still a concern in certain parts of the world.
Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising networks and systems availability to shut down corporate, consumer-facing websites. Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.
Unauthorized network/system access associated with state-affiliated actors tripled from last year. Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities. About 21% of reported incidents originated from Eastern Europe.
While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver-lining here. Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry. Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether, or becoming the next Target.
Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.
A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.