Verizon's annual Data Breach Investigations Report is one of the most hotly anticipated cybersecurity publications of the year. Based on 1,367 data breaches and more than 63,000 security incidents in 95 countries, the Data Breach Investigations Report paints a realistic picture of the current state of cybercrime.
Bryan Sartin, director of the Risk Team at Verizon, told Chris Dorobek on the DorobekINSIDER program how Verizon collected the data.
“We were really trying slice through the fear, uncertainty and doubt that surrounds security issues,” said Sartin. “We wanted to get to the heart of how these situations are happening, who are the threat adversaries and what you can do to detect and protect.”
Verizon’s goal in putting out their report was to derive “actionable” information that would be of actual use. The report analyzed data from some 50 organizations around the world, taking a look at more than 63,000 security incidents that resulted in 1,367 confirmed data breaches in 2013. And the targets weren’t just anybody, Sartin pointed out. “These organizations are some of the world’s most cyber capable law enforcement agencies, government, intelligence organizations, as well as some a the biggest private sector entities.”
Verizon found that 92% of these 63,000 incidents actually fell within nine basic patterns or buckets of attacks. “We are able to slice and dice those in terms of detection, prevention, investigation and so forth, and study the different security parameters for each one,” said Sartin. “One of the most important facets is that a reader of the study, depending upon what kind of an entity or government agency they represent, can look and say, ‘Only five of these nine [breaches] actually are germane to what we do for a living or our business,’ and can discard the rest. That way they can focus on what is immediately actionable and relevant to them.”
One of the biggest data breaches in the past year was the Target attack. The data breach included the theft of about 40 million credit and debit card records and 70 million other records of customer details late last year. Sartin says financially motivated crimes may dominate headlines, but they are not the only threat out there.
“In years past, financially motivated crimes were what you needed to deal with in terms of actual verifiable data breaches. But it’s not the only game in town. I think people were so kind of caught up around the axle about advanced persistent threats and cyber espionage for the last couple years, but now all of a sudden, one or two of these big financially motivated breaches occur, and it doesn’t take too many of these to remind people that financial crimes are still king.”
A few years ago, 90% of cyberattacks were financially motivated, but that has changed. “Especially in the public sector, when you look at critical infrastructure and government entities, they are dealing with in-appreciable quantities with all 3 of these big criminal motivations, and each one of these has a very different recipe for success in terms of detection and prevention,” said Sartin.
Of the 63,000 attacks that make up the Data Breach report, public sector entities represent 47,000 attacks. “It’s fascinating that even within public sector, not only do you see hacktivism and espionage, but you also see a number of financially motivated attacks as well,” said Sartin.
“When you look at the point of entry, there’s a very fascinating 1-2 punch strategy criminals employ. The first punch is very basic. It is the exploitation of very commoditized computer based vulnerability. But, then if you spend more than 90 minutes or so as a crook, trying to find easily identifiable computer based you’re wasting your time. The number two punch is social engineering. It’s almost as if we’ve gotten to a point now where it’s easier for crooks to identify and exploit weaknesses in humans than it is weaknesses in computers.”
86% of every initial avenue of intrusion in these data breaches could have been prevented with basic two-factor authentication. “There is an inability for victims to recognize and react to those little lead indicators of a cyber attack,” said Sartin
Verizon is in its 10th year of releasing its Data Breach report. “I think a fascinating thing for the scientists among us to look at the ebbs and flows of electronic crimes over time. One of the things that really jumped out at me, is the weakness in incident detection,” said Sartin. “In the past 10 years you can see cyber incidents develop faster. The difference in time between the initial compromise and the point of entry of data theft is actually shrinking quickly. It suggests that the bad guys are getting better, faster. Something has to change.”