For the last decade, Verizon has published its annual Data Breach Investigations Report.
The first comprised only Verizon's own investigations and was focused on the finance and retail sectors. Today the report covers every vertical, compiling contributions from some 70 organisations around the world.
This year’s report – described by Verizon as an “InfoSec coddiwomple that has now culminated in a decade of nefarious deeds and malicious mayhem” – includes analysis of 42,068 incidents and 1,935 breaches from 84 countries.
What has been learnt from 10 years of scrutinizing cyber investigations? That users are still clicking on dodgy links in emails, are still using weak passwords, and are still falling for scams. Malicious actors meanwhile continue to seek cash and secrets, and continue to get better at finding them every year.
“There is no doubt that you can view this report, throw up your arms in despair, and label us – the risk management and information security community – as ‘losing’. All of us must take a realistic approach to this and similar reports by our peers and acknowledge that we can do better. Yet we do firmly believe there is great cause for hope,” the report states.
That hope comes from the report being used “as a tool to evangelize and garner support for your information security initiatives”, it reads.
Social attacks were used in 43 per cent of all the breaches in Verizon’s latest dataset, representing more than 1,600 incidents and more than 800 breaches.
Phishing was the most common type of social attack, found in more than 90 per cent of both incidents and breaches. Successful phishing trips led to software installation in 95 per cent of cases.
The use of pretexting – which involves a persona and dialogue between the actor and victim rather than just a one-off email – was also on the rise, happening over email in 88 per cent of financial sector incidents, and over the phone in 10 per cent.
“Cyber-attacks targeting the human factor are still a major issue,” says Bryan Sartin, executive director of global security services at Verizon Enterprise Solutions.
“Cybercriminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”
For the first time, the Verizon report analysed breaches per sector. The top three industries for data breaches are financial services (24 per cent), healthcare (15 per cent) and the public sector (12 per cent).
Key differences between sectors stand out. Insider misuse, for example, proves to be a major issue for the healthcare industry, the only industry where employees are the predominant threat actors in breaches.
Those insiders’ motives were found to be almost equally divided between financial gain and ‘fun’.
The public administration and manufacturing sectors represent over half of the victims of social attacks, which led to the compromise of ‘secrets’ in 150 cases and personal information in 30 incidents.
“The cybercrime data for each industry varies dramatically,” says Sartin. “It is only by understanding the fundamental workings of each vertical that you can appreciate the cybersecurity challenges they face and recommend appropriate actions.”
Scourge of the internet
Of the breaches included in the report for the previous year, 62 per cent featured some form of hacking, and of those 81 per cent leveraged either stolen or weak passwords.
More than half of the breaches in the report included malware, while 43 per cent were social attacks. In two thirds of incidents involving malware, the malware had been installed via malicious email attachments. A worrying 25 per cent of breaches involved internal actors.
Ransomware rose to the fifth most common specific malware variety, a 50 per cent increase from last year’s report and a huge jump from the 2014 report, where it ranked 22nd among the types of malware used. The report dubbed it “the latest scourge of the internet”.
Verizon has firsthand experience of the consequences of data breaches: in February it knocked US$350 million off the price it paid for Yahoo after the struggling web pioneer reported two major data breaches. Those breaches affected more than a billion user accounts.
In February, Verizon opened its Asia-Pacific Advanced Security Operations Centre in Canberra, one of nine centres worldwide.