Public-sector organisations suffered by far the most security incidents but had proportionally the fewest out of 20 surveyed industries in which data was confirmed lost, Verizon has found in a major data-breach report that also concluded security teams have less time than ever to act against new attacks.
Just 0.06 percent (303 of 50,315) of security incidents affecting public-sector organisations resulted in data loss, according the 2015 Data Breach Investigations Report (DBIR), which details 79,790 security incidents of security breaches provided by 70 contributing organisations in 61 countries.
That compared with 45 percent (235 of 525) of incidents against manufacturing companies; 43 percent (277 of 642) of incidents against financial services institutions; 42 percent (146 of 347) of professional-services organisations; 39 percent (65 of 165) incidents against educational institutions; and 31 percent (164 of 523) against retail companies.
Trends in attacks against vertical industries transcended national boundaries and offered strong insight into the changing pattern of global attacks, Robert Parker, Verizon Enterprise Services' APAC head of security, told CSO Australia.
“Quite often we'll see a campaign where a particular group will target an industry sector in one geography, then move around the global in a week or two's time,” Parker said.
“That's why the industry vertical approach is more appropriate: these vertical industries have the same threat patterns, and that's going to be the same whether you're in Australia or India or the US.”
RAM scrapers and phishing attacks grew significantly during 2013 compared with the previous year, while spyware, keyloggers and credential-based attacks declined as a percentage of all attacks.
Among the DBIR's significant findings: although victims are getting more effective at discovering attacks quickly – measured as a percentage of incidents where an attack was discovered within “days or less” – malicious actors have also been getting more effective, measured against the same criteria, over the last decade.
The 2014 figures showed a glimmer of hope, with the gap between time-to-compromise and time-to-discover figures closing from 77 percent in 2013 to just 45 percent in 2014. This suggests that the last year saw attackers' efficacy dropping while victim organisations got better at mounting a quick response – although, the report notes, “we'll see if that's a trick or a budding trend next year.”
That trend could go either way, if figures suggesting that attacks are tearing from one victim to the next are anything to go by. Some 75 percent of attacks spread from their initial victim to their second victim within 24 hours – and 40 percent do so in less than an hour.
“That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness,” the report warns.
Also putting pressure on the security community is the ongoing careless behaviour of users, with 23 percent of recipients opening phishing messages, 11 percent clicking on attachments and DBIR data showing that nearly half of users open emails or click on phishing links within the first hour.
This, despite regular exhortations not to do so by frazzled security managers who are – if DBIR data suggesting that the median time for the first click on a new phishing campaign is just 82 seconds is correct – incredibly time-pressured to act both quickly and effectively against new threats.
The 82-second figure, Parker said, was “the real scary thing” to emerge from the report – particularly because many people were so focused on complex persistent threats that they forgot how they became infected in the first place.
“Controls and education still have to play a part,” he said. “Phishing really hasn't been as visible, and people generally take it for granted that phishing occurs [before an attack]. It's very easy to fall into the trap of not seeing it as one of the key vectors these days.”
Even older threats were also continuing to cause trouble, with an analysis of patching patterns suggesting that – while just 10 vulnerabilities were behind nearly 97 percent of exploits observed in 2014 – attackers were still seeing great success exploiting software vulnerabilities for which fixes had been available for more than a year.
DBIR figures suggested that fully 99.9 percent of exploits fell into this category – again highlighting the importance of a regular patching regime.
“Patching is one of those actionable things that can make a real difference” in preventing companies from being savaged by old exploits, Verizon security solutions consultant Aaron Sharp said.
Strikingly, despite the hype about mobile malware infections, the DBIR found that despite a flood of reports on security incidents and a popular narrative in which mobile malware is a rapidly emerging threat, when it comes to the real world mobile devices “are not a preferred vector in data breaches.”
The majority of mobile infections were simply annoying, Verizon reported, and once the figures on compromises were adjusted to remove them “the count of compromised devices was truly negligible”.
Out of tens of millions of devices monitored, just 0.03 percent per week were infected with what Verizon termed 'higher-grade' malicious code. “Data breaches involving mobile devices should not be in any top-whatever list,” the analysis concludes.
“Mobile devices are not a theme in our breach data, nor are they a theme in our partners' breach and security data. This report is filled with thousands of stories of data loss, and rarely do those stories include a smartphone.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.