Verizon has released the 2013 edition of their Data Breach Investigations Report (DBIR), an analysis of the data obtained from breach investigations that they and other organizations have performed during the previous year. The data for this report includes incidents from Verizon's own investigations and 18 other organizations around the world, for a total of 621 confirmed data breaches and over 47,000 security incidents.
The report contains a wealth of information that paints a clear picture of the motives and techniques used by attackers to compromise their target organizations. It's an interesting read and there are many lessons that can be found within.
Anyone can be a target
When discussing the importance of information security we've probably all heard excuses such as "we're too small to be a target" or "we don't have anything of value", but if there is anything this report can teach us, it is that breaches can and do occur in organizations of all sizes and across a large number of industries. Profit drives several breaches, especially in the finance, retail, and food-services sectors, but cyber-espionage targets industries that possess wealth in the form of intellectual property, such as manufacturing and professional services.
Authentication: the Achilles' heel
How are attackers gaining access? Of the 52% of breaches that involved some form of hacking, 80% involved guessing, cracking, or reusing valid credentials. The particular type of attack can vary depending on the size of the organization: smaller organizations tend to have more "brute force" attacks on authentication while larger organizations have more stolen credentials used against them. Moving to multi-factor authentication would be the best way to counter these attacks, but it isn't always a viable solution and the authors of the report also acknowledge that the password issue is not an easy problem to fix. In situations where the use of passwords is unavoidable, enforcing policies for proper password length and complexity can help reduce the risk posed by these types of attacks.
Phishing: the go-to tool of the cyber-spy
Another pattern that emerges is that, regardless of the size of the organization, phishing is the preferred tool of the cyber-espionage attacker for gaining a foothold in the target organization. The reason appears to be very simple: the report includes data from ThreatSim indicating that a phishing campaign with more than 10 e-mails sent is almost guaranteed to generate at least one click. The preferred targets of these campaigns? Although a large percentage of targets are unidentified, executives and managers top the list of those identified. They are a good place for a cyber-spy to begin, not only because they tend to have a higher public profile, but because there is a greater probability that they have access to the information the attacker wants.
However, there is hope of fending off these attacks. Training users to recognize and report suspicious events (like a phishing e-mail) can be very effective in thwarting the attackers. Also, remember that a user clicking on a link doesn't necessarily mean a successful compromise: it's just the first step of many (a particular vulnerability has to exist on the machine used to click the link and a backdoor has to be successfully and silently installed, for instance). A defense-in-depth strategy (user training, proper patching, anti-malware software, etc.) can minimize the attacker's probability of success at each successive step.
Organizations struggle with breach detection
The majority of breaches (62%) take months (or even years!) to be discovered and it's usually by someone outside the organization (nearly 70% of all breaches). This is a depressing statistic because it seems to indicate that detection and response are not being considered seriously in the security strategy or there is a lot of faith in "security silver bullets" or the "invulnerable perimeter firewall" to prevent breaches from happening. Prevention is crucial, but we must remember that no defense is invulnerable and detection (at its most basic, a log review process will do) is also a crucial part of any security strategy. It might not be possible to stop all breaches, but timely detection can minimize their impact.
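The two points above, brute-force attacks on authentication and a basic log review process as the minimum form of detection, can be combined in a simple check. The following is an added example (not part of the original post or the DBIR): it parses constructed sshd-style auth log lines, flags any source that produces five or more failed logins inside a two-minute window, and notes when a successful login from that same source follows the burst, which is the signature of a guessed credential. The log lines, thresholds and the `find_brute_force` function are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog/sshd style); not taken from the report.
SAMPLE_LOG = """\
Apr 23 10:00:01 host1 sshd[2001]: Failed password for admin from 203.0.113.5 port 51000 ssh2
Apr 23 10:00:03 host1 sshd[2002]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Apr 23 10:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Apr 23 10:00:06 host1 sshd[2004]: Failed password for admin from 203.0.113.5 port 51003 ssh2
Apr 23 10:00:08 host1 sshd[2005]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Apr 23 10:00:09 host1 sshd[2006]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
Apr 23 10:05:00 host1 sshd[2100]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Apr 23 10:05:30 host1 sshd[2101]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_line(line, year=2013):
    """Turn one auth log line into an event dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def find_brute_force(log_text, threshold=5, window=timedelta(minutes=2)):
    """Map source -> alert for sources with >= threshold failures in a sliding window."""
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            # drop failures that fell out of the sliding window
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in alerts:
                alerts[src] = {"failures": len(failures[src]), "success_after": False}
        elif src in alerts and not alerts[src]["success_after"]:
            # a success from an already-flagged source: the credential was likely guessed
            alerts[src]["success_after"] = True
            alerts[src]["user"] = ev["user"]
    return alerts
```

Running `find_brute_force(SAMPLE_LOG)` flags only 203.0.113.5, with `success_after` set and `user` recorded as `admin`; the single failure from 198.51.100.7 stays below the threshold.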
Don't forget about the insider threat
With all the media focusing on high-profile external APT attacks and state-sponsored cyber-espionage, it's easy to forget that there are also internal threats to your organization that you have to consider. In breaches due to insider involvement, profit appears to be the main motivation. However, unintentional misuse also appears in Verizon's data as well as the less-frequent risk of mistakes by administrators or programmers (the example given involves errors that resulted in sensitive data being exposed). Restricting data access, user awareness, and data auditing are some of the tools that can help mitigate some of the risks of a malicious insider.
These are just a few of the conclusions we can draw from this report. It's a highly recommended read, as security professionals can gain insight into the motives and tools an attacker will use against the organizations they are tasked to protect.
I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, focusing on multiple areas including log management and security incident investigation and response.