Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches

Phishing attacks continue to be effective, but mobile threats are not a big concern, according to a Verizon report

Web application attacks, point-of-sale intrusions, cyberespionage and crimeware were the leading causes of confirmed data breaches last year.

The findings are based on data collected by Verizon Enterprise Solutions and 70 other organizations from almost 80,000 security incidents and over 2,000 confirmed data breaches in 61 countries.

According to Verizon's 2015 Data Breach Investigations Report, which analyzes security incidents that happened last year, the top five affected industries by number of confirmed data breaches were: public administration, financial services, manufacturing, accommodations and retail.

Humans were again the weak link that led to many of the compromises. The data shows that phishing -- whether used to trick users into opening infected email attachments, click on malicious links, or input their credentials on rogue websites -- remains the weapon of choice for many criminals and spies.

For the past two years, over two-thirds of cyberespionage incidents involved phishing, the Verizon team said in its report. Hundreds of incidents from the crimeware section have also included the technique in their event chain, they said.

The data showed that 23 percent of phishing email recipients open the messages and 11 percent of them click on the attachment inside. A small phishing campaign of only 10 emails comes with an over 90 percent chance that at least one person will become a victim, the Verizon team said.

The time window for organizations to react to such attacks is very small, with the median time from when an email is sent to when the first user clicks on the link inside being just one minute and 22 seconds. Sanctioned tests have shown that nearly half of the users who end up opening phishing emails and clicking on links do so within the first hour.

Employees of certain business departments are more likely to fall victim to phishing attacks than others. Workers in departments like communications, legal and customer service are at greater risk because opening email is a central component in their jobs, so companies will probably want to start security awareness training with them.

Ironically, while users are the problem, they can also be the solution to phishing. If trained properly, they can become a network of human sensors that are better at detecting sophisticated email attacks than any technology.

As always, compromised credentials, whether they were obtained through phishing, spyware or brute-force methods, played a major role in many data breaches.

Credentials were the second most common type of record after bank information that was stolen by crimeware -- malware attacks that don't fall into more specific categories like cyberespionage. However, many stolen credentials are later used to compromise bank records, so they're likely under-represented in the statistics, according to the Verizon team.

Weak or stolen credentials are also the leading cause of point-of-sale compromises and account for over 50 percent of breaches involving Web applications. As such, companies should strongly consider implementing two-factor authentication mechanisms wherever possible.

In this year's report Verizon has again split security incident patterns into nine categories: crimeware, cyberespionage, denial of service, lost and stolen assets, miscellaneous errors, payment card skimmers, point of sale, privilege misuse and Web applications.

It then established relationships between those attack categories and various types of threat actors and targeted organizations. As such, readers can learn that hacktivists favor Web application attacks (61 percent) and denial-of-service attacks (31 percent) while organized crime groups favor crimeware (73 percent) and Web application attacks (20 percent).

Companies in the accommodation, entertainment and retail sectors are more likely to be the victims of point-of-sale intrusions, while those in the financial services sector are more likely to be targeted with crimeware and Web application attacks.

Healthcare institutions are likely to suffer security incidents as a result of errors (32 percent) or privilege misuse (26 percent). Otherwise, cyberspies most frequently target organizations in the manufacturing, professional and information sectors.

As such, companies should prioritize defenses based on the threats they're most likely to face, which, perhaps surprisingly, are almost never mobile-based, according to Verizon.

Data shared for the report by mobile carrier Verizon Wireless, which monitors its network for signs of malware, revealed hundreds of thousands of potential infections. However, it turned out most of them were of the annoying advertising variety.

"An average of 0.03% of smartphones per week -- out of tens of millions of mobile devices on the Verizon network -- were infected with 'higher-grade' malicious code," the Verizon team said.

This echoes a recent report from Google, which found that under 0.1 percent of devices that only allow the installation of apps from Google Play had a potentially harmful application installed. Kindsight Security Labs, a security division of Alcatel-Lucent now called Motive Security Labs, reported a 0.68 percent mobile infection rate for the second half of 2014.

"Mobile devices are not a theme in our breach data, nor are they a theme in our partners' breach and security data," Verizon said. "We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss -- as it has been for years -- and rarely do those stories include a smartphone."

Mobile devices should not be ignored, because they can be vulnerable to attacks and can pose risks to enterprise networks, the Verizon team said. However, for now hackers seem to favor other attack methods that don't involve smartphones, so companies should focus on those, while striving to gain visibility into mobile devices in case the threat landscape shifts in the future.

For example, one thing companies should pay closer attention to is patching. Data from Verizon partner Risk I/O showed that just 10 vulnerabilities, some of them dating back to the late 1990s and early 2000s, accounted for almost 97 percent of all exploitation attempts.

At first glance this is encouraging, because everyone should have patches in place for those flaws by now. However, when looking at the total number of vulnerabilities that were targeted in 2014, a much darker picture emerges: attackers started exploiting half of them less than a month after they were publicly disclosed. Moreover, the patching window might actually be shorter because the timelines in the Verizon report are based on when the exploits were first detected, and there's always a lag between the actual launch of an attack and when it's first detected.

"These results undeniably create a sense of urgency to address publicly announced critical vulnerabilities in a timely (and comprehensive) manner," the Verizon team said.

Stories by Lucian Constantin
