from the also,-you-will-fall-victim-to-phishing dept
Every year, Verizon releases a fairly detailed report looking into data breaches, and the recent release on the 2013 report is quite interesting, highlighting how much state-sponsored attacks are the root cause of data breaches. Not surprisingly, there's a strong correlation between that and espionage (rather than direct financial benefit) being the main reason for the attacks. And, also not surprising: China is a major source of these attacks. However, one thing the study does make clear is that for all the people who claim that insiders are the biggest threat, that's less and less likely true, at least on a pure numbers basis. Insiders may be able to do more direct damage per breach, but it seems clear that in terms of sheer numbers of attacks, it's all about outsider attacks these days. There's actually been a pretty noticeable shift on this front over the past few years:
The report is actually fairly entertaining and quite readable. It does note that the rise in data on state-sponsored attacks might not be due to an actual increase in those attacks, but better data and better evidence collection -- but either way, it does appear that China continues to be a pretty big threat when it comes to outside attacks for espionage purposes. On the financial side, it's apparently all about Romania.
Separately, there's a fantastic chart that lays out three major types of attackers, who they target and how they generally do what they do. It's a pretty handy chart for understanding the overall layout of data breaches and how they normally occur:
I'm actually somewhat surprised that phishing isn't used more often across all types, as the report also notes that phishing is astoundingly effective:
We try to avoid rolling out scary memes like “you will be compromised,” but when it comes to phishing attacks, that’s exactly what the data tells us. Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Getting the user to click (on a link or attachment) is the first obstacle for all phishing campaigns. So how many e-mails would it take to get one click?That said, the report notes that merely getting a click doesn't mean the person will put in their information, or create a true compromise, but it is somewhat astounding nonetheless.
[....] It’s pretty easy to see why this is a favored attack for espionage campaigns and the answer to our question is “three.” Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a “guaranteed” sticker on getting a click. To add some urgency to this, about half of the clicks occur within 12 hours of the phishing e-mail being sent.
The report also notes what a disaster it is that we still use one-factor passwords (i.e. typical passwords) for most things, rather than (at the very least) two-factor authentication, noting that this would kill off 80% of successful hacks.
Another interesting point in all of this is that the researchers note they've seen no evidence that attackers are targeting cloud-based services over in-house ones. It's not that there aren't attacks on cloud services, it's just that it doesn't seem like a clear thing that attackers focus on. Of course, a separate research report notes just how much investment is going into the enterprise cloud these days, so I'm guessing that cloud providers are going to become increasingly large targets. While they may have stronger security, breaking in will probably be so valuable to attackers that it'll be worth attacking that stronger fortress.
And, finally, if you want to be scared about how many of these attacks have probably gone on and aren't known about yet, well, the end of the report is not particularly comforting. It notes that, from the data the researchers are using, it shows that initial attacks happen pretty quickly (within a few hours, which is up from minutes a few years ago, but still relatively quick), and getting data out comes pretty soon after that. But (and here's the scary part) actually having those breaches noticed? That doesn't happen for months and more often than not happens because another outsider discovers it, rather than an insider or an internal system raising the alarm.
In about a third of those cases, the "outsider" is a totally unrelated party, but in 9% of cases, it's a customer who discovers the data breach. That can't be good for customer confidence.There's a lot more data in the report, and it's well worth reading. However, as we've been talking so much lately about privacy and security when it comes to governments -- mainly with a focus on activities by intelligence agencies in the US and other allies -- it's worth nothing other forms of attacks as well, and the trends related to them. The growth of attacks that are really a form of espionage, rather than just organized crime, seems like a noteworthy, if not all that surprising, finding.
This post is sponsored by The Hartford.