Data breaches can be traced back to nine attack 'patterns', says Verizon report

Many attacks are sector-specific

Almost every security incident and data breach recorded during 2013 can be traced back to a series of basic threat types or 'patterns', many of which are specific to industry sectors, Verizon's bellwether 2014 Data Breach Investigations Report (DBIR) has concluded.

The firm's latest report - the result of input from an unprecedented 50 organisations in 95 countries - offers this as a nugget of hope for a business world hit by a surge in data breach incidents that reached record proportions during the year.

This DBIR crunched numbers from 1,367 confirmed breaches and 60,437 security incidents, uncovering nine basic patterns that seemed to lie at the root of almost every data-loss event. These were point-of-sale (POS) intrusions, web app attacks, insider misuse, lost or stolen devices, miscellaneous/employee error, crimeware and malware, payment card skimming, DDoS and, last but not least, cyber-espionage.

While these categories are not new, Verizon's hugely expanded DBIR analysis is the first to map specific incident types both to real, confirmed data breaches and to reported incidents. In the process it found something security experts have long suspected but never been able to prove: every enterprise is vulnerable to a subset of these threats, but which subset depends on the organisation's type of business.

For confirmed breaches, the commonest single cause was web app attacks (e.g. exploitation of software flaws and phishing aimed at online banking customers) on 35 percent, ahead of cyber-espionage on 22 percent and point-of-sale (POS) intrusions on 14 percent. The data is striking: seven out of ten real-world data breaches were caused by just these three attack patterns, ahead of card skimmers on 9 percent and insider misuse on 8 percent.

Finance led the way in terms of breaches with 465, with the public sector second on 175 thanks to notification laws that compel disclosure, retail third with 148 and accommodation fourth on 137.

When looking at overall security incidents (which might or might not have led to breaches), a surprising number involved employees: miscellaneous staff errors came first on 25 percent, crimeware (i.e. malware) second on 20 percent, insider misuse third on 18 percent and physical loss or theft fourth on 14 percent.

If this sounds a bit convoluted, the takeaway is that organisations should draw a distinction between attacks that merely cause security incidents and ones likely to lead to actual breaches. Which attacks are likely to lead to breaches varies widely by sector.

For a finance organisation this means defending against phishing and authentication/web app attacks, payment card skimmers and DDoS attacks designed to take down portals. By contrast, for retail the threat is overwhelmingly about stopping POS attacks and DDoS. As to another breach-prone sector, healthcare, the major issue could be insider abuse and data theft.

Understanding the future of security could come down to grasping the way that real-world threats vary by sector over time, getting away from the generalisations that have ruled a lot of security discussion in recent years.

This might help enterprises fight back because, according to report author Wade Baker, "after analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime and the bad guys are winning."

"Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization - often weeks or months, while penetrating an organization can take minutes or hours," Baker said. The attackers were simply innovating faster than the defenders.

A major weakness that jumped out was the way customer credentials were being abused in many breaches, exploiting weaknesses in privilege management and authentication, he said.

After a year that witnessed some of the largest data breaches in history, Verizon's DBIR comes bearing more bad news: every enterprise, large and small, well-protected or not, is now vulnerable to data loss whether it wants to face this fact or not. Salvation lies in information and analysis, in making the specific nature of some attacks visible.

By John E Dunn