The numbers are in… and cybercrime had quite an active 2013 according to Verizon’s 2014 Data Breach Investigations Report (DBIR) – one of the information security industry’s most prominent studies compiled from over 50 contributing organizations. This year’s report includes an array of security issues, from denial of service (DOS) attacks to web application attacks and from cyber espionage to insider threats.
“We have more incidents, more sources, and more variation than ever before” say the authors of the report.
The ugly truth
“After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning,” said Wade Baker, principal author of DBIR.
With over 63,000 confirmed security incidents and 1,367 confirmed data breaches from 95 countries, web applications dominated the ‘most targeted’ list, and USA topped the charts as the country most impacted by cyber espionage; with 54% of victims hailing from the USA.
Here are a few highlights from the Verizon 2014 Data Breach Investigations Report:
- Web application attacks continue to be the best way to gain access to credentials. Web apps incidents - including code-level vulnerabilities – tallied to over 3,000 incidents – 490 of which with confirmed data disclosure – where 33% were financially motivated, and 65% were ideologically motivated (ie: where the main goals were website defacement or server hijacking to perform further attacks). The majority of ideologically motivated attacks were found to be focused on Content Management Systems such as Joomla! and WordPress, and their added plugins. “Web applications remain the proverbial punching bag of the Internet. They’re beaten in one of two ways: by exploiting a weakness in the application (typically inadequate input validation), or by using stolen credentials to impersonate a valid user,” states the report.
- Cyber espionage was reported to have 511 total incidents – out of those, 306 had a confirmed data disclosure – mainly targeting manufacturing industries (for their technological and intellectual assets), and public sectors (including government entities). The majority of external actors within the cyber espionage category were found to be from Eastern Asia (49%).
- Over 1,000 denial of service (DOS) incidents impacted financial, retail, professional and information sectors – none of which confirmed data disclosure however.
- The report also delves into insider and privilege misuse where the number of incidents totals to 11,698 – out of which 112 reported a confirmed data disclosure. The main actors in these cases were trusted employees; but organized crime and competitors also came into play.
- In most cases, discovery time proved to be slow. For example, 50% of web app attacks and 62% of cyber espionage incidents took months to discover – and were discovered by external parties. The DBIR authors commented, “…the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays” and “…attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade”.
Shedding light on cybercrime
The report sheds new light on what hacking techniques are being used and who the targets are – hence providing insight on new ways to combat cyber-attacks more effectively. The report proposes “studying clustered incident patterns enables more tailored strategies to reduce risk.”
The DBIR identifies 9 distinct attack patterns (that vary according to industry) which make up 92% of 100,000 security incidents analyzed over the last 10 years: point-of-sale intrusions, web application attacks, insider misuse, physical theft, miscellaneous errors (sending confidential emails to the wrong recipient), crimeware (malware), payment card skimmers, cyber espionage, and DOS attacks.
For example, web app attacks were the main method used to exploit vulnerabilities in companies in the information, finance and retail industries.
How can you avoid becoming another statistic?
There’s no sure-fire way of completely eliminating all web security risks, ‘cause let’s face it – there’s just too many vulnerabilities out there and new ones will keep popping up. The most you can do is keep the risk at a minimum.
So are some tips on what you can do to stay one step ahead in the prevention game:
- Passwords: Avoid using weak or default passwords and make sure to use different passwords for different accounts. Enforce a strict password policy within your company so that employees do the same, to reduce the risk of insider threats and password theft.
- Two-step authentication: Set up two-step authentication for internal user accounts and on your website for your customers’ accounts.
- Patch software regularly: To quote the DBIR authors, “patch all the things!” – especially CMS, OS and browsers. In most cases, if you have no other web security measures in place, having updated software is your best bet against potential attacks.
- Lockout policies: Reduce the risk of brute force attacks by enforcing lockout policies (temporarily locking out accounts after multiple failed login attempts) across your web applications.
- Train users: Apart from training users not to click on strange links in emails and so on, train them to spot a (potential) breach in your systems and report it immediately.
- Use a vulnerability scanner to seek out vulnerabilities, and fix them right away – because you can be sure that hackers will be looking for them.
You’re probably still in denial…
Even after seeing the numbers with your own eyes, you’re probably still in denial about the fact that your company might be a target in the near future. The scary part is, no company is bulletproof and your company’s most important online assets are constantly at risk, be it from internal or external threats. There’s always a chance of weak points in your security system being easily exploited, and patching up the holes after the damage has been done, won’t always have a fairy tale ending.