Verizon’s annual report, now in its eighth year, analyzes breach intelligence and data from multiple sources, including customers of Verizon’s forensics response division and customers of FireEye, the firm that investigated the recent hack of Sony Pictures Entertainment. It also examines data from cases investigated by law enforcement agencies, and from government and industry computer incident response teams around the world. This year, Verizon analyzed data involving nearly 80,000 breaches contributed by 70 different organizations.
CVEs discovered decades ago still in circulation
This latest edition of the Verizon data breach report has some interesting findings in relation to web app attacks and vulnerabilities. For example, a study of exploited CVEs found that those discovered as far back as 1999 are still being actively exploited, not only the 2014 ones such as Heartbleed which are still in the media spotlight. In fact a whopping 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
However, they also found that new CVEs are mostly exploited in less than a month following publication and most often, in less than two weeks. Interestingly, yet probably unsurprisingly, a mere 10 CVEs spanning from discovery in 1999-2014 account for a huge 97% of all exploits observed in 2014. The reports’ authors were quick to remind that this does not mean you can patch just those 10 vulnerabilities and have only a 3% risk of attack; if someone wants to attack you they’ll find the vulnerabilities you do have and they’ll exploit those instead. It was also reported that in 60% of cases, attackers are able to compromise an organisation within minutes.
Industries most frequently subject of all forms of data breaches were also analysed again, with Information, Financial Services and Public Sector most at risk. Closely behind was retail, unsurprising considering the number of high-profile breaches in 2014 such as Target, Home Depot, Staples and Kmart.
DoS Attacks on the rise
Nearly 70% of the attacks where a motive for the attack is known include a secondary victim. i.e. Compromised servers were used to participate in denial-of service (DoS) attacks, host malware, or be re-purposed for a phishing site. This occurs when a vulnerability leads to a machine being enrolled in a botnet. A common vulnerability exploited for this purpose is stored Cross Site Scripting.
Web attacks as the cause of data breaches
In 2014 organized crime became the most frequently seen threat actor for Web App Attacks, with financial gain being the most common of the primary motives for attacking.
Over 95% of the attacks involve harvesting credentials from customer devices, then logging into web applications with them, although a lack of detailed analysis of this makes it difficult to examine further.
In the overview of confirmed data breaches (removing the 90% which are caused by human error) web app attacks accounted for 9.4% of malicious causes for data breaches. In terms of cyber attack, these were second only to the use of crimeware (a specific group of malware used to automate acts of cyber crime), which accounted for 18% of the breaches. ‘Cyber espionage’ also account for 18% but the majority (77.3%) of these class of attacks are done using social engineering techniques rather than cyber attacks using malware or vulnerability exploits.
In a breakdown of Critical Security Control preventative measures, extremely helpful for CISOs, Verizon identified a few measures as being the recommended strategy and gave the percentage of their analyzed breaches where each would have come on top. Two factor authentication tied in first place with patching of web services as being the two measures which would have been the recommended course of action for 48% of the data breaches analyzed. In joint second place were verifying the need for devices to be internet-facing, using a proxy for outbound traffic and testing web applications (7% each). So despite the report not focusing so much on web app attacks this year, prevention of such attacks does feature highly in the measures identified as capable of having prevented many of the breaches analyzed.
Cost of breach
One of the aspects of this year’s report which info security officers might most welcome is a study of the costs associated with a data breach. Considering that often a determined attacker will successfully breach their target eventually, being aware of the costs of such a breach and being able to take out appropriate insurance is a must. The Verizon team have done this in a couple of different ways. Initially, they calculated the average cost of a breach per record; this amounted to 58c per record. However, they didn’t think this was an accurate model to work out an overall cost so taking other factors into account they came up with the following:
The average loss for a breach of 1,000 records is $67,480
For 10,000 records $178,960
For 100,000 records $474,600
For 10,000,000 records $3,338,020
You get the picture. If anyone intends to use these statistics for expense justification or insurance purposes we strongly suggest you read this chapter of the report thoroughly.
Overall, the report offers a set of stats and insights as interesting and informative as usual, while confirming things we might already have anticipated such as the increase in social engineering tactics and crimeware. Likewise, the fact that around 90% of data breaches are actually the fault of employees. That should be enough to justify some investment in staff training!