Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches

Phishing attacks continue to be effective, but mobile threats are not a big concern, according to a Verizon report

Web application attacks, point-of-sale intrusions, cyberespionage and crimeware were the leading causes of confirmed data breaches last year.

The findings are based on data collected by Verizon Enterprise Solutions and 70 other organizations from almost 80,000 security incidents and over 2,000 confirmed data breaches in 61 countries.

According to Verizon's 2015 Data Breach Investigations Report, which analyzes security incidents that happened last year, the top five affected industries by number of confirmed data breaches were: public administration, financial services, manufacturing, accommodations and retail.

Humans were again the weak link that led to many of the compromises. The data shows that phishing -- whether used to trick users into opening infected email attachments, click on malicious links, or input their credentials on rogue websites -- remains the weapon of choice for many criminals and spies.

For the past two years, over two-thirds of cyberespionage incidents involved phishing, the Verizon team said in its report. Hundreds of incidents from the crimeware section have also included the technique in their event chain, they said.

The data showed that 23 percent of phishing email recipients are open the messages and 11 percent of them click on the attachment inside. A small phishing campaign of only 10 emails comes with an over 90 percent chance that at least one person will become a victim, the Verizon team said.

The time window for organizations to react to such attacks is very small, with the median time from when an email is sent to when the first user clicks on the link inside being just one minute and 22 seconds. Sanctioned tests have showed that nearly half of the users who end up opening phishing emails and clicking on links do so within the first hour.

Employees of certain business departments are more likely to fall victim to phishing attacks than others. Workers in departments like communications, legal and customer service are at greater risk because opening email is a central component in their jobs, so companies will probably want to start security awareness training with them.

Ironically, while users are the problem, they can also be the solution to phishing. If trained properly, they can become a network of human sensors that are better at detecting sophisticated email attacks than any technology.

As always, compromised credentials, whether they were obtained through phishing, spyware or brute-force methods, played a major role in many data breaches.

Credentials were the second most common type of record after bank information that was stolen by crimeware -- malware attacks that don't fall into more specific categories like cyberespionage. However, many stolen credentials are later used to compromise bank records, so they're likely under-represented in the statistics, according to the Verizon team.

Weak or stolen credentials are also the leading cause of point-of-sale compromises and account for over 50 percent of breaches involving Web applications. As such, companies should strongly consider implementing two-factor authentication mechanisms wherever possible.

In this year's report Verizon has again split security incident patterns into nine categories: crimeware, cyberespionage, denial of service, lost and stolen assets, miscellaneous errors, payment card skimmers, point of sale, privilege misuse and Web applications.

It then established relationships between those attack categories and various types of threat actors and targeted organizations. As such, readers can learn that hacktivists favor Web application attacks (61 percent) and denial-of-service attacks (31 percent) while organized crime groups favor crimeware (73 percent) and Web application attacks (20 percent).

Companies in the accommodation, entertainment and retail sectors are more likely to be the victims of point-of-sale intrusions, while those in the financial services sector are more likely to be targeted with crimeware and Web application attacks.

Healthcare institutions are likely to suffer security incidents as a result of errors (32 percent) or privilege misuse (26 percent). Otherwise, cyberspies most frequently target organizations in the manufacturing, professional and information sectors.

As such, companies should prioritize defenses based on the threats they're most likely to face, which, perhaps surprisingly, are almost never mobile-based, according to Verizon.

Data shared for the report by mobile carrier Verizon Wireless, which monitors its network for signs of malware, revealed hundreds of thousands of potential infections. However, it turned out most of them were of the annoying advertising variety.

"An average of 0.03% of smartphones per week -- out of tens of millions of mobile devices on the Verizon network -- were infected with 'higher-grade' malicious code," the Verizon team said.

This echoes a recent report from Google, which found that under 0.1 percent of devices that only allow the installation of apps from Google Play had a potentially harmful application installed. Kindsight Security Labs, a security division of Alcatel-Lucent now called Motive Security Labs, reported a 0.68 percent mobile infection rate for the second half of 2014.

"Mobile devices are not a theme in our breach data, nor are they a theme in our partners' breach and security data," Verizon said. "We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss -- as it has been for years -- and rarely do those stories include a smartphone."

Mobile devices should not be ignored, because they can be vulnerable to attacks and can pose risks to enterprise networks, the Verizon team said. However, for now hackers seem to favor other attack methods that don't involve smart phones, so companies should focus on those, while striving to gain visibility into mobile devices in case the threat landscape shifts in the future.

For example, one thing companies should pay closer attention to is patching. Data from Verizon partner Risk I/O showed that just 10 vulnerabilities, some of them dating back to late 1990s and early 2000s accounted for almost 97 percent of all exploitation attempts.

At first glance this is encouraging, because everyone should have patches in place for those flaws by now. However, when looking at the total number of vulnerabilities that were targeted in 2014, a much darker picture emerges: attackers started exploiting half of them less than a month after they were publicly disclosed. Moreover, the patching window might actually be shorter because the time lines in the Verizon report are based on when the exploits were first detected; and there's always a lag between the actual launch of an attack and when it's first detected.

"These results undeniably create a sense of urgency to address publicly announced critical vulnerabilities in a timely (and comprehensive) manner," the Verizon team said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusionsecuritydata breachVerizon Enterprise Solutionsdata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?