The 2014 Verizon Data Breach Investigations Report

blog-verizon

POS Data Breaches Down, Cyber Espionage Reporting on the Rise

Verizon has just released its 8th annual Data Breach Investigations Report (DBIR), which combines and analyzes data breach statistics from 50 law enforcement agencies and private organizations around the world. In all, the report covers 1,367 confirmed data breaches and 63,437 security incidents from 95 countries.

Key Findings

The 60 page report breaks 2013 data breaches into 10 categories:

  • Point of Sale Intrusions
  • Web app attacks
  • Insider misuse
  • Physical theft/loss
  • Miscellaneous errors
  • Crimeware
  • Card Skimmers
  • Dos Attacks
  • Cyber Espionage
  • “Everything else”

Of particular interest are new trends in the realms of POS Intrusions, Crimeware, and Cyber Espionage.

POS Intrusions

One look at last year’s info sec headlines and any reader would be inclined to believe that 2013 was the year of the POS data breach – but Verizon’s figures tell a much different story. According to the report, POS intrusions have actually decreased by over 20% since 2010. Verizon notes that this statistic reflects a decrease in attacks on smaller franchises, and a relative increase in attacks on fewer, higher profile targets (no pun intended).

According to the report, 2013 saw a total of 198 data breach intrusions, all of which had confirmed data disclosure. Additionally, last year saw what Verizon has termed “a resurgence in RAM scraping malware” in place of less advanced and easier to detect keyloggers that have been used in the past.

Most notably, the Top 3 threat action varieties within POS intrusions were RAM scraping, data exportation, and brute force password hacking, indicating that the majority of last year’s POS Intrusions were carried out through a simple 3 step process where attackers: 1) scan the Internet for open remote access ports on POS systems, 2) break in through brute force password hacking, and 3) install a RAM scraper that can exfiltrate data.

Accordingly, businesses with open remote access ports and weak, reused system passwords are most at risk.

Crimeware

Verizon’s statistics on 12,535 separate Crimeware incidents are interesting because they use the term as somewhat of a blanket category to describe “any malware incident that did not fit other patterns like espionage or point-of-sale attacks.” This makes for a generic although still useful dataset, especially when compared to findings from other studies, such as Emsisoft’s 2014 Malwarelympics.

According to Verizon, the majority of Crimeware events included in their investigation connected victim devices to Command and Control servers. The most common propagation techniques were drive-by downloads and Trojan downloads, where the malware came hidden in files that users actually wanted and sought out.

Not surprisingly, the Top 3 Crimeware targets were Identification Credentials, Banking Information, and Payment Information. Verizon notes that Zeus and Citadel were among the most popular financial malware used against these targets, and even states that “the Zeus and Citadel family has a well-deserved reputation for evolving quickly to evade signature-based detection of the sort used by many AV products.”

While not an explicit endorsement for our Behavior Blocking Technology, that’s pretty close!

Cyber Espionage

Verizon defines Cyber Espionage as incidents that “include unauthorized network or system access to state-affiliated actors” – basically, the deployment of malware to spy on a governmental employee or organization. As governments are often reluctant to share information about such attacks with the public, Verizon admits that their dataset is anything but comprehensive. Nonetheless, this year’s report contains 3 times as many incidents as last year’s, for a total of 511 Cyber Espionage events, 306 of which had confirmed data disclosure. The majority of these events were carried out by one state-affiliated organization against another.

Verizon is quick to point out that this increase is most likely the result of more data submissions, not a tremendous spike in attacks. Accordingly, the report includes information from a broader range of nations than reports prior – a positive development on the whole.

In terms of malware, the overwhelming majority of Cyber Espionage attacks were propagated by email attachments, followed by drive-by downloads. Additionally, and in contrast to POS Intrusions and Crimeware, 2013’s Cyber Espionage events used a wide range of threat action varieties, making for highly complex malware campaigns that in the majority of cases took over months to detect.

Download the 2014 Verizon Data Breach Investigations Report

In all, Verizon’s annual DBIR offers a useful glimpse into the world of malware from a statistical perspective. The information provided in the 60 page report can be helpful to anyone interested in last year’s malware trends, and as each section now contains a newly added pragmatic subsection on “Recommended Controls” it can also help business owners understand what they need to do to secure their systems from the world’s most prevalent malware threats.

Two of Verizon’s most recurrent suggestions are to deploy an AV (anti-virus) and to educate users. We agree, except instead of an “AV”, we’d recommend an Anti-Malware!

The full Verizon 2014 Data Breach Investigations Report is available for download.

Have a Great (Malware-Free) Day!