Compiling 10 years of information and 100,000 incidents, Verizon [VZ] has found that the vast majority of data breaches follow nine basic patterns.

“The techniques to exploit computer vulnerabilities are actually dropping in complexity,” said Bryan Sartin, director of the Research, Investigations, Solutions, Knowledge (RISK) Team at Verizon Enterprise Solutions.

The company’s 2014 Data Breach Investigations Report (DBIR) charts attacks across industries and finds that the most common incidents occurred via these patterns: denial of service (DOS); insider privilege misuse; physical theft or loss of devices; cyberespionage; attacks through Web applications; crimeware (malware that gains control of systems); point-of-sale intrusions; payment card skimmers; and miscellaneous errors, including sending an email to the wrong person.

A high percentage of hackers can compromise systems in several days, whereas a low percentage of organizations can discover the hack in several days. Photo: Verizon, DBIR 2014.

Along with these patterns, Verizon found the time between the initial intrusion and the first data theft is “shrinking fast.” In other words, the bad guys are getting faster, which Sartin called the “single greatest weakness in security.”

For the public sector, insider threats, physical loss, crimeware, DOS attacks, miscellaneous errors and cyberespionage were the top patterns. The study charted a rise in insider misuse of credentials, which corresponded with an upward trend in cyberespionage.

“A lot of that privilege misuse is the result of insiders,” Sartin said.

Passwords or other forms of authentication falling into the wrong hands provide an “easy way in” for attackers, he said. Two out of three network breaches exploited weak or stolen credentials.

For crimeware and DOS attacks, the report also charts a major shift this year from individual criminals to organized groups of criminals acting in concert. Sartin said this should be a concern of government agencies that are prime targets for coordinated attacks between nation-states and criminals. Last year’s DOS attacks against the U.S. financial sector serve as an example of what may come in this realm.

“It’s never just a single attack happening in a vacuum,” Sartin said. “So much is organized groups in campaigns that are pooling resources.”