Wade Baker, Managing Principal, Verizon Risk Team and the author of Verizon’s Data Breach Investigation Report (DBIR) 2013, in this conversation with Mehak Chawla, discusses the security landscape, threat patterns of 2012, key findings of DBIR 2013 and much more. Excerpts…
Were there any common patterns in those breaches or attacks of 2012?
Some interesting things came out in our DBIR report. About 52% of all breaches we studied used the one-two combo of hacking and malware. While this percentage is lower than last year, it still cannot be ignored. Also, a whopping 76% of network intrusions exploited weak or stolen credentials. The proportion of breaches incorporating social tactics like phishing was four times higher in 2012. We can credit the rise of this challenger to its widespread use in targeted espionage campaigns.
About 75% of intrusions that we analyzed were driven by financial motives and more and more attacks (71%) targeted user devices to get entry into the organization. In most cases, it's the third parties that unearth a breach and in many cases, it's revealed months later.
What are the key findings of the report around Advanced Persistent Threats (APTs) and how have they evolved over the last couple of years?
One clear trend with respect to APTs has been that there are many more targeted attacks happening now. In previous years, APT kind of activity accounted for less than 5% of the total attacks. This year, however, more than 20% of attacks we analyzed were targeted in nature. This could partly be because over the years, more and more companies have come out to report APTs, whereas earlier, reporting APTs was a taboo. Another factor is that given the advancements in security technologies, we can now detect more APTs than we could a few years back.
Ninety-three percent of all APTs we have studied start with simple phishing. There’s hardly any plausible explanation for that because the hackers of today can use a number of sophisticated technologies to mark their point of entry into the enterprise. Another interesting fact about APTs is that they are no longer targeted only at financial institutions or government agencies. In fact, while 37% of breaches were targeted at financial institutions, 24% of breaches occurred in retail environments and restaurants. And 20% of network intrusions involved manufacturing, transportation and utility companies. We are also seeing APTs increasingly moving beyond large organizations and affecting even the smaller and upstream players.
Has there been a marked change in the way governments and organizations are dealing with targeted attacks?
When it comes to state attacks, we have seen that states are not very sure how to deal with these breaches. While some see it as an active war in the cyber space, some consider it as espionage and try to counter spy. However, though few countries are taking the proactive approach, not many countries are actively forming laws relating to these attacks. For instance, the Australian government has been taking active steps in educating businesses and government departments about targeted espionage attacks. Enterprises too are grappling with techniques to deal with targeted attacks and most of them are yet to come out with concrete policies around the same.
How are new technologies like cloud, mobile and big data impacting the threat landscape?
From a breach perspective, these new technologies are not having any significant impact on the nature of attacks, yet. However, more attacks are expected to target mobile devices. Attackers could definitely exploit vulnerabilities in open systems like Android.
When it comes to cloud, though there have been breaches in the cloud, we haven’t yet seen attacks intended to exploit weaknesses specifically within the cloud infrastructure. Big data, in the near future, could be a threat to enterprise security because it is collected from various sources and thus a perimeter-based security model is unlikely to work for big data.
What are the key findings of DBIR 2013 and how was the attack scenario last year?
When it comes to breach trends across the world, a prime element we have noticed is that reporting laws can make all the difference. For instance, data breaches must be reported in the U.S., while in India, reporting hasn’t been made mandatory. That also leads to very little data being available for security-related analysis because enterprises don’t want to discuss what exactly happened.