Mobile malware threat “negligible” but pressure is on to respond faster as verticals targeted: Verizon

Public-sector organisations suffered by far the most security incidents but had proportionally the fewest out of 20 surveyed industries in which data was confirmed lost, Verizon has found in a major data-breach report that also concluded security teams have less time than ever to act against new attacks.

Just 0.06 percent (303 of 50,315) of security incidents affecting public-sector organisations resulted in data loss, according to the 2015 Data Breach Investigations Report (DBIR), which details 79,790 security incidents contributed by 70 organisations in 61 countries.

That compared with 45 percent (235 of 525) of incidents against manufacturing companies; 43 percent (277 of 642) of incidents against financial services institutions; 42 percent (146 of 347) of incidents against professional-services organisations; 39 percent (65 of 165) of incidents against educational institutions; and 31 percent (164 of 523) of incidents against retail companies.

Trends in attacks against vertical industries transcended national boundaries and offered strong insight into the changing pattern of global attacks, Robert Parker, Verizon Enterprise Services' APAC head of security, told CSO Australia.

“Quite often we'll see a campaign where a particular group will target an industry sector in one geography, then move around the globe in a week or two's time,” Parker said.

“That's why the industry vertical approach is more appropriate: these vertical industries have the same threat patterns, and that's going to be the same whether you're in Australia or India or the US.”

RAM scrapers and phishing attacks grew significantly during 2013 compared with the previous year, while spyware, keyloggers and credential-based attacks declined as a percentage of all attacks.

Among the DBIR's significant findings: although victims are getting more effective at discovering attacks quickly – measured as a percentage of incidents where an attack was discovered within “days or less” – malicious actors have also been getting more effective, measured against the same criteria, over the last decade.

The 2014 figures showed a glimmer of hope, with the gap between time-to-compromise and time-to-discover figures closing from 77 percent in 2013 to just 45 percent in 2014. This suggests that the last year saw attackers' efficacy dropping while victim organisations got better at mounting a quick response – although, the report notes, “we'll see if that's a trick or a budding trend next year.”

That trend could go either way, if figures suggesting that attacks are tearing from one victim to the next are anything to go by. Some 75 percent of attacks spread from their initial victim to their second victim within 24 hours – and 40 percent do so in less than an hour.

“That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness,” the report warns.

Also putting pressure on the security community is the ongoing careless behaviour of users, with 23 percent of recipients opening phishing messages, 11 percent clicking on attachments and DBIR data showing that nearly half of users open emails or click on phishing links within the first hour.

This, despite regular exhortations not to do so by frazzled security managers who are – if DBIR data suggesting that the median time for the first click on a new phishing campaign is just 82 seconds is correct – incredibly time-pressured to act both quickly and effectively against new threats.

The 82-second figure, Parker said, was “the real scary thing” to emerge from the report – particularly because many people were so focused on complex persistent threats that they forgot how they became infected in the first place.

“Controls and education still have to play a part,” he said. “Phishing really hasn't been as visible, and people generally take it for granted that phishing occurs [before an attack]. It's very easy to fall into the trap of not seeing it as one of the key vectors these days.”

Even older threats were also continuing to cause trouble, with an analysis of patching patterns suggesting that – while just 10 vulnerabilities were behind nearly 97 percent of exploits observed in 2014 – attackers were still seeing great success exploiting software vulnerabilities for which fixes had been available for more than a year.

DBIR figures suggested that fully 99.9 percent of exploits fell into this category – again highlighting the importance of a regular patching regime.


“Patching is one of those actionable things that can make a real difference” in preventing companies from being savaged by old exploits, Verizon security solutions consultant Aaron Sharp said.

Strikingly, despite a flood of reports on security incidents and a popular narrative in which mobile malware is a rapidly emerging threat, the DBIR found that in the real world mobile devices “are not a preferred vector in data breaches.”

The majority of mobile infections were simply annoying, Verizon reported, and once the figures on compromises were adjusted to remove them “the count of compromised devices was truly negligible”.

Out of tens of millions of devices monitored, just 0.03 percent per week were infected with what Verizon termed 'higher-grade' malicious code. “Data breaches involving mobile devices should not be in any top-whatever list,” the analysis concludes.


“Mobile devices are not a theme in our breach data, nor are they a theme in our partners' breach and security data. This report is filled with thousands of stories of data loss, and rarely do those stories include a smartphone.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
