Almost all tech security breaches over the past 10 years fit nine basic attack patterns.
Security researchers at Verizon have crunched a decade’s worth of security breach data from law enforcement and public and private sector organisations all across the world, and have found that while attack patterns vary between industries, there are some distinct trends.
Releasing its 2014 Data Breach Investigations Report this week, Verizon found that 92 per cent of all security incidents over a ten-year period fit into nine cybercrime categories.
Here are the nine patterns.
1. Point of sale intrusions
POS breaches are usually remote attacks on retail transactions, and they typically target credit card purchases.
Verizon said the industries most likely to be hit by POS breaches are accommodation, food services and retail.
According to its report POS attacks are on a downward trend, but still happening.
“The motivator is money; retailers are seen as a good target because of the amount of data and card information which they collect and store,” Verizon Asia-Pacific regional managing principal Paul Black said.
The company’s senior solutions manager, Aaron Sharpe, said POS intrusions tapered off in recent years because the card data stolen in earlier large breaches had a long shelf life.
“If you go back a couple of years there were some really big retail breaches, the Heartland type thing, and then we saw it taper off, and one of the reasons we think that was is because there were so many cards breached that had a shelf life of a couple of years that the motivation was pretty low. We think that with those basically bleeding out of the system from the big breaches a few years ago, the motivation from an organised crime perspective was there to go and get some more,” Sharpe said.
“The retailers tend to be a good target.
“They’ve got pretty automatised tools that can suck up this data pretty readily.”
Black said the majority of retail sector breaches are linked to point-of-sale intrusions.
“What we tend to see in the retail environment is you have a large organisation where all of the systems are identical, so if you’re to insert or get a vulnerability into that network it’s very easy to deploy across an entire organisation and collect huge amounts of data,” he said.
2. Web app attacks
The financial services sector is the most vulnerable to web app attacks, Verizon said.
A web app attack is an incident where a web application is the mode of attack, and according to the report the motivation is ideology rather than money: just under two out of every three web app attacks (65 per cent) were attributable to activist groups driven by ideology and fun.
The remainder were linked to espionage.
“Web apps are still a major attack vector for financially motivated crimes,” Sharpe said.
As the report’s chart shows, web app activity is heading in the opposite direction to the POS downward trajectory.
3. Insider misuse
The malicious use of an organisation’s resources can cause security breaches and risk the exposure of a company’s intellectual property.
Verizon said over the past ten years most incidents of insider data misuse were for financial or personal gain.
This pattern covers people abusing privilege, bribery, mishandling of email and data, and the use of unapproved hardware, and insider breaches can also expose a company’s customer and supplier details as well as its trade secrets.
In 2013, of the 63,437 incidents analysed by Verizon, 18 per cent came under the insider security pattern and 8 per cent of those resulted in actual data breaches.
The most high-profile cases of insider misuse leading to data or information breaches include former CIA employee Edward Snowden, who was charged with espionage in 2013 after he leaked confidential documents to the media. Another notorious case was former US soldier Bradley Manning, who was sentenced to 35 years’ jail after leaking more than 700,000 documents and cables to Wikileaks.
4. Physical theft and loss
Losing laptops, phones and other tech hardware or information – whether through misplacement or malice – accounts for a huge number of data breaches.
The report found most assets are stolen or lost from the employee’s workplace (43%), while 23% of items disappear from a car.
“We find it quite surprising that the highest proportion of thefts occur in the victim’s work area, which basically refers to the main office space,” the company said.
“That suggests simply having sensitive information ‘behind locked doors’ isn’t enough; there are still a lot of people inside those locked doors.”
Verizon said having a plan to control data breaches when items are lost or stolen is important and should include encrypting devices, keeping sensitive devices on your person, backing up information and locking the hardware down.
The security company also said using “unappealing tech” could also mitigate the issue.
“It might actually be an effective theft deterrent (though it will probably increase loss frequency). That shiny new MacBook Air on the passenger seat may be too tempting for anyone to resist, but only those truly dedicated crooks will risk incarceration for a 4” thick mid-90s lap brick,” the company said.
“Or, if being the fastest hunk of junk in the galaxy is a must, perhaps there’s a lucrative aftermarket for clunky laptop covers. She may not look like much, but she’s got it where it counts, kid.”
5. Miscellaneous errors
You can’t avoid human error. This threat pattern includes all the things humans do which have resulted in data security breaches; sending an email to the wrong person is the biggest blunder in this data set, accounting for 44% of miscellaneous errors.
“After scrutinising 16K incidents, we’ve made a startling discovery — people screw up sometimes,” the company said.
The data suggests that repetitive and boring processes involving sensitive information are particularly error-prone.
Also included in this threat pattern are publishing errors and disposal errors, making up 22% and 20% of incidents respectively.
Miscellaneous errors accounted for a quarter of all incidents analysed in 2013 but only 2 per cent resulted in data breaches – suggesting security and control mechanisms are working.
6. Crimeware
Usually the end goal of a crimeware threat is to gain control of systems for illicit uses, including stealing information, executing DDoS attacks and spamming.
The most common way of infecting a system is through web downloads.
Crimeware incidents accounted for one in five incidents in 2013, the second highest threat behind human error, Verizon said.
7. Card skimmers
Skimming devices are physically implanted on an asset to read a card’s magnetic stripe at ATMs (86%), service stations (9%) and other POS terminals.
The sectors at risk include finance and retail.
Verizon said the skimmers are becoming more realistic in appearance and increasingly more efficient at exporting data through the use of Bluetooth or cellular networks.
The company compared card skimming data threats to “get rich quick” type scams, saying it is a relatively easy threat to execute.
“While most incidents are linked to Eastern European actors, nearly all victims of payment card skimmers in this report are U.S. organisations (the U.S. Secret Service and public disclosures being the primary sources for this data),” the company said.
8. Cyber espionage
This includes unauthorised network or system access limited to state-affiliated actors.
Or government spies, if you prefer.
“Most surprising to us is the consistent, significant growth of incidents in the dataset,” Verizon said.
The number of attacks logged in the 2013 data is three times larger than in the 2012 report.
“We knew it was pervasive, but it’s a little disconcerting when it triples last year’s already much-increased number,” the company said.
However, part of the jump can be attributed to the set of data contributors included in this year’s report.
“We attribute this increase primarily to our ever-expanding set of contributors conducting research in this area, along with more community information sharing that improves discovery capabilities. Like a streetlight illuminating cars parked along the street, more contributors allow us to see more cars. Unfortunately, we can also see that those cars have broken windows and stolen stereos,” the company said.
9. Denial of service attacks
DoS attacks include any breach which compromises the availability of networks and systems.
The prevalence of such attacks in Verizon’s data was quite low, making up about 3% of all 2013 incidents. Data breaches which resulted from these attacks last year were less than 1%.
About 8% of all data breaches analysed by the company in the last decade didn’t fit into the nine patterns.
What matters is that by understanding what went wrong and which pattern it fits, companies can work out what types of attacks their industry is susceptible to and mitigate their exposure.
For example, you wouldn’t think the companies that dig coal or iron ore out of the ground would really need to think about security threats, but Sharpe said protecting the details of trade negotiations, the IP around processes and the increasing automation of mines make mining companies more vulnerable to disruptions, which can hit companies’ reputations and share prices.
About 75% of cyber attacks on the financial services sector originate from web applications, distributed denial of service and card skimming.
In manufacturing, 54% of all attacks are attributed to cyber-espionage and DDoS.
The report found the largest share of retail sector breaches, about 33 per cent, are linked to DDoS and 31% to POS intrusions.