The 2014 Verizon Data Breach Investigations Report (DBIR) was released on April 22, providing the deep empirical analysis of cybersecurity incidents we’ve come to expect from this annual report. The primary messages of this year’s DBIR are the targeting of Web applications, continued weaknesses in payment systems, and nine categories of attack patterns that cover almost all recorded incidents. Further, despite the attention paid to last year's enormous data breach at Target, this year’s data shows that attacks against point-of-sale (POS) systems are actually decreasing somewhat. Perhaps most importantly, the underlying thread that is found throughout this year’s DBIR is the need for increased education and application of digital hygiene.
Each year’s DBIR is compiled based on data from breaches and incidents investigated by Verizon, law enforcement organizations, and other private-sector contributors. This year, Verizon condensed their analysis to nine attack patterns common to all observed breaches. Within each of these patterns, Verizon cites the software and vectors attackers are exploiting, as well as other important statistics, such as time to discovery and remediation. The nine attack patterns listed in the DBIR are POS intrusions, Web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, denial-of-service (DoS) attacks, and cyber-espionage. Within industry verticals, most attacks can be characterized by only three of the nine categories.
Attacks on Web applications were by far the most common threat type observed last year, with 35 percent of all confirmed incidents linked to Web application security problems. These numbers represent a significant increase over the three-year average of 21 percent of data breaches from Web application attacks. The DBIR states that nearly two-thirds of attackers targeting Web applications are motivated by ideology, while financial incentives drive another third. Attacks for financial reasons are most likely to target organizations from the financial and retail industries. These attacks tend to focus on user interfaces like those at online banking or payment sites, either by exploiting some underlying weakness in the application itself or by using stolen user credentials. To counter the use of stolen credentials, the DBIR advises companies to consider implementing some form of two-factor authentication, a recommendation that is made to combat several attack types in this year’s report. As Web applications continue to grow in popularity, and are used in substantive areas such as health care and finance, we expect attacks against these Web applications to continue to be prevalent.
The 2014 DBIR contains a wide array of detailed advice for companies who wish to do a better job of mitigating these threats. The bulk of this advice can be condensed into the following categories:
Be vigilant: Organizations often only find out about security breaches when they get a call from the police or a customer. Log files and internal systems monitoring including alerts can give you early warning.
Make your people your first line of defense: Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
Keep data on a need-to-know basis: Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.
Patch promptly: Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and up-to-date anti-virus protection.
Encrypt sensitive data: Then if data is lost or stolen, it’s much harder for a criminal to use.
Use two-factor authentication: This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
Don’t forget physical security: Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.
These recommendations are further broken down by industry in the DBIR, but they largely come down to “elbow grease” on the part of companies and organizations. An important lesson in this report is the fact that sloppy security practices may be subject to regulatory audit and enforcement actions.[1] Executing on cybersecurity plans requires diligence and a determination to keep abreast of continual changes to the threat landscape.
[1] See Jeffrey L. Vagle and Sharon R. Klein, New Jersey Federal Court Upholds the FTC’s Authority to Regulate Data Security (Apr. 9, 2014), available at http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2909.