The Verizon Data Breach Report in Seven Minutes

By Ariel Ehrlich

It had started just like any other day. A typical morning, reviewing the schedule and mentally preparing for a budget meeting, and then it broke. It broke first on the internet, so the public knew before you did. Trending on Twitter, reported en masse by news outlets ranging from Reuters and CNN to Wired. Suddenly everyone is hysterical, there are hundreds of unread emails in your inbox that were not there a moment ago, and the phone is ringing, ringing. You slam the office door to shut it out and stumble into the seat behind your desk as the acute feelings of paranoia and panic set in. This is it. How could it happen? What did they take? Where do you go from here? Is it all over?
 
This is what it feels like to be breached, and in 2016 it is becoming the norm. We are all targets, regardless of industry, whether you are a single mother, a student, a CEO, a two-person startup, or a global enterprise. It is not "if", but "when".
 
And the numbers are staggering. According to a study done by MIT Technology Review, the average cost of a large data breach is $3.79 million. Breaches are now reaching daunting levels, costing companies millions of dollars and involving millions of stolen or compromised records and terabytes of data taken from seemingly well-protected organizations, from multinational corporations and banks to government agencies.
 
The Verizon 2016 Data Breach Report analyzes thousands of data breaches and security incidents from the past year, revealing important trends and patterns. By examining the Data Breach Report, we can better anticipate how to protect ourselves in the future. 
 
WHO is affected?
Everyone. Every single industry is a target, whether you work in entertainment, transportation, education, mining, or agriculture. The three most affected industries are public, information and financial services, but every industry is a target.

Industries are attacked in different ways. Never make assumptions: even when two organizations look alike, the threats they face can be completely different. Even within a specific industry, subgroups are attacked in different ways.

In a perplexing trend, many subsectors in completely unrelated industries actually share a closer threat profile than subsectors within the same industry do. For example, laundry services and spectator sports share very similar threat profiles, and each of the manufacturing subsectors has more in common with central banks than with the others.

So what do laundry services and spectator sports have in common, or manufacturing and banks? We're not sure either. But this proves that there is no "one size fits all" solution, even on an industry-wide level.

WHO is hacking?
The hackers responsible for data breaches fall into three groups:
•    Activists ("hacktivists")
•    State-affiliated actors
•    Organized crime

About 85% of hackers are external. The remaining hackers are mostly internal with a very small number of partner actors.

WHY are they attacking?
The exact motives for these attacks are hard to know, but they differ based on the target and type of attack.

  • Financial gain. This is the primary motivation for organized crime. Organized crime is responsible for 73% of "crimeware" on the web, which is malware designed to scam victims out of money, steal data or extort them. This includes “ransomware”, which has grown increasingly popular in the last year.
  • Ideological motivation. Activists often have moral and political motivations, whether promoting social change, advocating for freedom of speech and human rights, or acting as internet vigilantes. Activists may use a DDoS attack to temporarily take down a government website as a form of political protest, leak confidential government documents, as Wikileaks does, or publish user lists, as in the Ashley Madison leak.
  • Cyber-espionage. State-sponsored attacks focus on surveillance and information-gathering, as well as intellectual property. Often coming from the governments of North Korea, China and Iran (or our own United States), over 95% of cyber-espionage attacks use phishing campaigns to target government agencies, information and manufacturing industries. In addition to gathering information, these attacks establish a persistent presence on user devices, which allows the attackers to continue to explore the network undetected.

HOW are they attacking?
There are many attack methods that can be used to cause a massive data breach, but here are some of the most common attack trends that you need to know:

  • Phishing. Phishing is a type of social engineering that arrives as an email and tricks the user into installing malware. The top three methods are usually an email attachment, an email link, and sometimes a web drive-by. Phishing campaigns are alarmingly effective: if 10 emails are sent, there is a 90% chance that at least one person will fall victim, and nearly half of people open and click on phishing links within the first hour.
  • Denial-of-Service. Denial-of-service (DoS) attacks make a machine or network unavailable to its intended users by interrupting the services of a host connected to the internet. Distributed denial-of-service (DDoS) attacks are DoS attacks that use many computers, often compromised systems or a botnet, which is a network of computers programmed to receive commands without their owners' knowledge. The targeted system is flooded with traffic until the server can no longer accept new connections and becomes inaccessible to users. DDoS attacks are less common overall but have gotten more severe.
  • Malware. Short for "malicious software," malware is software that is intended to damage or disable computers or perform other unwanted activities; it can steal passwords, enable remote access, or encrypt user data. Common malware examples include viruses, worms, trojans and spyware. Malware has multiple possible delivery vectors, including phishing emails (as attachments or links), web drive-by installs, vulnerabilities in web applications, remote exploits and even targeted attacks. Twenty types of malware account for 70% of all malware activity, topped by a nefarious "Sinister 7". Most malware aims for command-and-control botnet membership, credential theft and/or other forms of fraud. Organized crime is responsible for most malware, and the public, information and retail industries are the most targeted.
  • Point-of-Sale. This is malware written to steal customer payment data (usually credit card data) from retail checkout systems, also known as the “point-of-sale”. POS attacks can be aimed at small businesses as well as large businesses, and mostly affect the accommodation, entertainment and retail industries. POS attacks peaked in 2011 and 2012, but they are still a common trend and have become more complex in the past few years, adapting to attack larger organizations with more complex, multi-step attacks including active RAM scraping.
  • Vulnerabilities. Many attackers take advantage of well-known vulnerabilities in software programs. Common Vulnerabilities and Exposures (CVE) entries are published in a free, public dictionary. Unfortunately, many companies don't pay attention, even when the vulnerabilities are common and openly known and patches have been available for months or even years. 99.9% of exploited vulnerabilities were compromised more than a year after the vulnerability was published. Well-publicized vulnerabilities from last year include Stagefright and Heartbleed.
  • Mobile. Mobile devices are not generally a preferred vector in data breaches, but they are still important to consider. Almost all mobile malware is found on Android devices (96% of mobile malware is targeted at Android), and most of it is adware, which is software that delivers ads to make money. Adware is not typically harmful, but it will aggressively collect user data, often without user permission. Fortunately, most mobile malware is very short-lived: 95% lasts less than a month, and only a very small amount is truly malicious.

WHAT can we learn from this?
There is no "one size fits all" solution to prevent data breaches. This implies that security regulations (compliance) imposed on an industry level are not the best approach. Companies should consider which assets they value most and what level of risk is acceptable, and devise a unique plan to protect and secure their own assets.
 
Constant vigilance is necessary. It is essential to keep your software up to date, maintain firewalls and anti-virus software, patch vulnerabilities as quickly as possible, and review these technical measures on a quarterly basis.
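To make the one-year figure from the Vulnerabilities section actionable in a quarterly review, the sketch below flags unpatched findings whose vulnerability was published more than a year ago. It is an added example, not part of the original article or the Verizon report; the record layout, host names, dates and CVE placeholders are all constructed.

```python
from datetime import date

ONE_YEAR = 365  # the article's threshold: exploited more than a year after publication

# Constructed sample scan results; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-PLACEHOLDER-1", "published": "2014-05-10", "patched": None},
    {"host": "web-02", "cve": "CVE-PLACEHOLDER-1", "published": "2014-05-10", "patched": "2014-05-25"},
    {"host": "db-01",  "cve": "CVE-PLACEHOLDER-2", "published": "2015-08-01", "patched": None},
    {"host": "hr-pc7", "cve": "CVE-PLACEHOLDER-3", "published": "2016-03-01", "patched": None},
    {"host": "pos-03", "cve": "CVE-PLACEHOLDER-4", "published": "2012-11-15", "patched": "2016-02-01"},
]

def exposure_days(finding, today):
    """Days the host was (or still is) exposed after the CVE was published."""
    published = date.fromisoformat(finding["published"])
    end = date.fromisoformat(finding["patched"]) if finding["patched"] else today
    return (end - published).days

def overdue(findings, today, limit=ONE_YEAR):
    """Unpatched findings exposed for more than `limit` days, oldest first."""
    late = [f for f in findings
            if f["patched"] is None and exposure_days(f, today) > limit]
    return sorted(late, key=lambda f: f["published"])

def summary(findings, today, limit=ONE_YEAR):
    """Counts for the review: open, open past the limit, and patched too late."""
    return {
        "open": sum(1 for f in findings if f["patched"] is None),
        "open_over_limit": len(overdue(findings, today, limit)),
        "patched_late": sum(1 for f in findings
                            if f["patched"] and exposure_days(f, today) > limit),
    }

if __name__ == "__main__":
    today = date(2016, 6, 1)  # fixed review date so the output is reproducible
    for f in overdue(FINDINGS, today):
        print(f"{f['host']:8} {f['cve']:18} open {exposure_days(f, today)} days")
    print(summary(FINDINGS, today))
```

Findings that were patched only after the limit are counted separately, because they show how long the window stayed open even though the host is fixed now.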

Improving detection and response times. Most data breaches happen very quickly. A shocking 60% of attackers are able to compromise an organization within mere minutes, and 75% of attacks spread from victim 0 to victim 1 within one day. Detection and response times vary depending on the type of attack (for example, half of organizations took 35 or fewer days to discover malware events), but improving response times can have a great impact on minimizing and preventing data breaches.
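An organization can measure itself against these figures from its own incident records. The sketch below is an added example, not part of the original article or the Verizon report: the incident records are constructed, and treating "within minutes" as under 60 minutes and using 35 days as the discovery target are assumptions made for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed incident records: first attacker activity, first confirmed
# compromise, and the time the organization discovered the incident.
INCIDENTS = [
    {"id": "IR-1", "start": "2016-01-04T09:00", "compromise": "2016-01-04T09:04", "discovered": "2016-01-06T09:04"},
    {"id": "IR-2", "start": "2016-02-10T14:00", "compromise": "2016-02-10T14:09", "discovered": "2016-03-16T14:09"},
    {"id": "IR-3", "start": "2016-03-01T08:00", "compromise": "2016-03-03T08:00", "discovered": "2016-03-03T20:00"},
    {"id": "IR-4", "start": "2016-04-11T11:00", "compromise": "2016-04-11T11:30", "discovered": "2016-07-10T11:30"},
    {"id": "IR-5", "start": "2016-05-02T10:00", "compromise": "2016-05-02T16:00", "discovered": "2016-05-12T16:00"},
]

def _elapsed_seconds(earlier, later):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds()

def minutes_to_compromise(incident):
    """Minutes from first attacker activity to confirmed compromise."""
    return _elapsed_seconds(incident["start"], incident["compromise"]) / 60

def days_to_discovery(incident):
    """Days from compromise until the organization noticed."""
    return _elapsed_seconds(incident["compromise"], incident["discovered"]) / 86400

def report(incidents, fast_minutes=60, target_days=35):
    """Share of fast compromises, median discovery time, and incidents over target."""
    fast = sum(1 for i in incidents if minutes_to_compromise(i) < fast_minutes)
    return {
        "fast_compromise_pct": 100 * fast / len(incidents),
        "median_days_to_discovery": median(days_to_discovery(i) for i in incidents),
        "over_target": [i["id"] for i in incidents if days_to_discovery(i) > target_days],
    }

if __name__ == "__main__":
    print(report(INCIDENTS))
```

The gap between the two numbers is the point: compromise is measured in minutes, while discovery is measured in days.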

Human behavior and human errors. Humans are really the weakest link. Most data breaches can be traced back to something a person did or did not do, like an employee opening a phishing email and triggering malware, a vulnerability left unfixed because of laziness or ignorance, or an employee with more authorization than necessary accessing systems they shouldn’t. This is very alarming, but it is also a good sign, because human behavior can be changed as awareness is increased. This also reveals that things are within our control. Phishing, social engineering, insider misuse, and miscellaneous errors especially are all very direct results of human decisions. Improving employee awareness and training employees on these topics will help prevent data breaches.

Citations:
- Verizon 2016 Data Breach Investigations Report
- http://whatis.techtarget.com/definition/POS-malware-point-of-sale-malware
- https://www.technologyreview.com/s/545616/cybersecurity-the-age-of-the-megabreach/