Verizon’s pretty brilliant data breach investigations report (DBIR) for 2014 has confirmed a theory put forward by the company this time last year – hackers rely on nine specific routes to get at your stuff.
In an entertainingly written 69-page report, Verizon looked into 80,000 security incidents – with 2,122 confirmed breaches – across dozens of countries.
It found that, in the most part, we, the users, are to blame for a lot of these problems. We click on things we are not supposed to, we go on to unsecure networks and we trust untrustworthy sources.
For the vast majority of security incidents (nearly 90pc) people, regular people, are the ones letting the baddies in.
“Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and iD-10T über-patterns,” reads the report.
“At this point, take your index finger, place it on your chest, and repeat ‘I am the problem’, as long as it takes to believe it. Good – the first step to recovery is admitting the problem.”
The nine ways hackers like to go a-hacking are:
1. POS intrusions
“There has been a definite evolution in POS attacks from simple storage scraping to active RAM skimming across all breach types. We can, however, see distinct differences between large and small organisations in the methods used to gain access to the POS devices. For small orgs, the POS device is directly targeted, normally by guessing or brute-forcing the passwords. Larger breaches tend to be a multi-step attack with some secondary system being breached before attacking the POS system.”
2. Payment card skimmers
“Previous DBIRs document the use of locally mounted pinhole cameras and remote cameras (both designed to obtain the coveted PIN) and the use of remote stripe-data collection via Bluetooth or cellular devices. This year’s improvements include the use of ridiculously thin and translucent skimmers that fit inside the card reader slot as well as direct tapping of the device electronics to capture the data with nary a trace of visibility.
“Gone (mostly) are the days of the quick tug to test for the presence of these devices. Still, all it really takes to thwart certain classes of these card-present cybercrime advancements is shielding the video capture component with your hand; and – remember – be as creative as you like when doing so.”
“Like speeches by a politician, Crimeware incidents in our corpus are large in number and short on details, as these everyday incidents are less likely to receive a full forensic investigation or rise to the level of law enforcement involvement. They are also predominantly opportunistic and financially motivated in nature.
“When there is confirmed data breaches, bank records and credentials traded places for the top spot, though we suspect credentials may be under-represented given that it’s common practice for criminals to use keyloggers to steal credentials, which are ultimately used to gain banking information.”
4. Web app attacks
“A long time ago in a DBIR far, far away, we began to see high-profile instances of hackers targeting web servers just to set up an attack on a different target, a tactic known as a Strategic Web Compromise.
“We began to track this type of attack last year (so, it shows up in this year’s data) and we’re seeing that secondary attacks make up nearly two-thirds of Web App Attacks. Virtually every attack in this data set (98pc) was opportunistic in nature, all aimed at easy marks.”
5. Denial-of-service attacks
“Distributed denial-of-service (DDoS) attacks got worse again this year, with our reporting partners logging double the number of incidents from last year (in other shocking news: water is wet). However, we also noticed an interesting pattern that might have some practical implications for defenders. Essentially, we saw some indication that there may be two distinct tiers – or clusters – of DDoS attacks based on bandwidth, velocity, and duration.”
6. Physical theft/loss
“We were almost at a loss for words for this section and, if you were hoping this would finally be the year for a spike in stolen mainframes, we’re afraid we must let you down (again). As was the case with our previous reports, people are people; so, why should it be that we expect perfection when it comes to the physical security of their corporate devices? Also (predictably), folks still steal things.
“The data is heavily biased towards U.S. industries (99.8pc) that operate under mandatory disclosure regulations, with the public sector dominating the field (Healthcare was also well represented). Despite valiant efforts by our crack team, all the king’s data scientists couldn’t find a chart or data visualisation to put together that was actionable to you, our beloved readers and defenders. In the end, every industry loses things, and almost all theft was opportunistic in nature.”
7. Insider misuse
“[This] shines a light on those in whom an organisation has already placed trust – they are inside the perimeter defences and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose. Sadly, that’s not always the way things work.
“As with prior years, the top action was privilege abuse – which is the defining characteristic of the internal actor breach. We see individuals abusing the access they have been entrusted with by their organisation in virtually every industry. And it’s all about grabbing some easy Benjamins for these mendacious malefactors.”
8. Miscellaneous errors
“Stephen Dedalus, a character in James Joyce’s Ulysses, says, “Mistakes are the portals of discovery”. In the case of the DBIR, they are also the gateways to breaches. The globe spins, people continue to make mistakes, and organisations suffer losses across the C-I-A triad as a result.”
Verizon goes on to highlight three main error incidents. ‘D’oh!’ – sensitive information reaching the wrong person, ‘My bad’ – publishing non-public data to public web servers, and ‘Oops!’ – the insecure disposal of personal and medical data.
9. Cyber espionage
“The reality is that if a determined, state-sponsored adversary wants your data, they’re going to get it unless another state-sponsored entity helps you defend it. Having said that, if you’ve got your own Gobstoppers to protect, start collecting data. Now.
“Seriously. Put this report down and go set up your syslog servers. We’ll wait. You back? Good. Now, specifically, start amassing e-mail transaction logs (in general), records of attachments, and records of links in e-mails.
“Log all DNS web-proxy requests and invest in solutions that will help you ingest and analyse this data both on the fly and forensically. Even if you don’t manage to detect or deter these adversaries, you will at least have a much easier time figuring out what they did after the fact.”
Nine billiard balls, via Shutterstock