Cyber threats “increasing in sophistication” yet many attacks use “decades-old techniques”

Mike Denning: vice-president of global security for Verizon Enterprise Solutions


Verizon’s 2015 Data Breach Investigations Report reveals that cyber attacks are becoming increasingly sophisticated. However, many cyber criminals are still relying on decades-old techniques such as phishing and hacking. According to this year’s report, the bulk of cyber attacks (70% of them, in fact) use a combination of these techniques and involve a secondary victim, in turn adding complexity to a breach.

Another troubling area singled out in this year’s report is that many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced back to 2007, representing a gap of almost eight years.

As in prior reports, this year’s findings again point to what Verizon’s researchers term the ‘detection deficit’: the time that elapses between a breach occurring and its discovery. Sadly, in 60% of breaches, the attackers are able to compromise an organisation within minutes.

However, the report points out that many cyber attacks could be prevented simply through a more vigilant approach to cyber security.

“We continue to see sizeable gaps in how organisations defend themselves,” said Mike Denning, vice-president of global security for Verizon Enterprise Solutions. “While there’s no guarantee against being breached, organisations can greatly manage their risk by becoming more vigilant in covering their bases. This continues to be a main theme, based on more than ten years of data from our Data Breach Investigations Report series.”

This year’s comprehensive report offers an in-depth look at the cyber security landscape, including a first-time overview of mobile security, Internet of Things technologies and the financial impact of a breach.

The report indicates that, in general, mobile threats are overblown. In addition, the overall number of exploited security vulnerabilities across all mobile platforms is negligible.

While machine-to-machine security breaches were not covered in the 2014 report, the 2015 document examines incidents in which connected devices are used as an entry point to compromise other systems, and in which Internet of Things devices are co-opted into botnets (a network of private computers infected with malicious software and controlled without the owners’ knowledge) for Denial-of-Service attacks.

This data reaffirms the need for organisations to make security a high priority when rolling out next generation intelligent devices.

New model for estimating the cost of a breach

Verizon security analysts used a new assessment model for gauging the financial impact of a security breach based on the analysis of nearly 200 cyber liability insurance claims. The model accounts for the fact that the cost-per-record stolen is directly affected by the type of data and total number of records compromised, and shows a high and low range for the cost of a lost record (ie a credit card number or a medical health record).

For example, the model predicts that the cost of a breach involving 10 million records will fall between $2.1 million and $5.2 million (95% of the time) and, depending on circumstances, could range up to as much as $73.9 million. For breaches with 100 million records, the cost will fall between $5 million and $15.6 million (95% of the time) and could top out at $199 million.

“We believe this new model for estimating the cost of a breach is ground-breaking,” said Denning, “although there’s definitely still room for refinement. We now know that it’s rarely, if ever, less expensive to suffer a breach than to put the proper defence mechanisms in place.”

Verizon security researchers explained that the bulk (96%) of the nearly 80,000 security incidents analysed this year can be traced to nine basic attack patterns that vary from industry to industry. This finding, first presented in last year’s report, is again central to Verizon’s 2015 Data Breach Investigations Report. This approach can help enterprises effectively prioritise their security efforts and establish a more focused and effective approach to fighting today’s cyber threats.

As identified in the 2014 Data Breach Investigations Report, the nine threat patterns are miscellaneous errors (such as sending an e-mail to the wrong person), crimeware (various malware aimed at gaining control of systems), insider/privilege misuse, physical theft/loss, web app attacks, Denial-of-Service attacks, cyber espionage, Point-of-Sale intrusions and payment card skimmers.

This year’s report finds that 83% of security incidents by industry involve the top three threat patterns, up from 76% in 2014.

Enterprise organisations must act now

The longer it takes for an organisation to discover a breach, the more time attackers have to penetrate its defence mechanisms and cause damage. More than 25% of all breaches take the victim organisation more than weeks – or even months – to contain.

This year’s Verizon report is packed with detailed information and improvement recommendations based on seven common themes: the need for increased vigilance, make people your first line of defence, only keep data on a ‘need-to-know’ basis, patch promptly, encrypt sensitive data, use two-factor authentication and don’t forget physical security.

Now in its eighth year of publication, the Data Breach Investigations Report analyses more than 2,100 confirmed data breaches for the 2015 edition and approximately 80,000 reported security incidents. Importantly, the Data Breach Investigations Report also includes security incidents that don’t result in breaches in order to offer a better survey of the cyber security landscape.

*Verizon is among 70 global organisations that contributed data and analysis to this year’s report

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
