Verizon’s data breach report for 2015 is out, and it’s packed with fresh insight on the threat landscape and how it’s evolved.
Don’t have time to read the 60+ pages? No problem. We pulled our 10 favorite charts and summarized them below.
If you do have time, the full report is worth reading: Verizon 2015 Data Breach Investigations Report.
The DBIR is an authoritative source of research on the threat landscape across industries and the world. The new 2015 report is based on data from:
- 79,790 security incidents
- 2,122 data breaches
- 70 contributors, including incident response forensics firms, government agencies, Computer Security Information Response Teams (CIRTs), security vendors, and others.
And without further ado, our summary and favorite 10 charts are below.
Top 5 industries breached most
The Verizon DBIR covers a ton of data and charts. Some speak to security incidents and others speak to data breaches. To avoid confusion, let’s clarify these terms:
- Security incident – An event that compromises the confidentiality, integrity, or availability of data. It’s less severe than a breach.
- Data breach – A confirmed disclosure of data to an unauthorized party. This is more serious than an incident.
The top three industries affected by security incidents remain the same as last year: public, information, and financial service sectors.
However, when we look at breaches a different picture arises:
The most-breached industries, in descending order, are:
- Financial services
Manufacturing is in the top three for breaches but not security incidents. This may be related to it being the industry most-targeted for cyber espionage (more on that later).
In two of the top five, small organizations appear to be breached far more often than large ones:
- In retail, the researchers found more than four times as many breaches of small organizations.
- In accommodation, they found a whopping 18 times as many.
1 in 4 breaches hits POS
Last year’s Data Breach Investigations Report noted that 92% of the more than 100,000 breaches analyzed by Verizon over the last 10 years fell into nine basic patterns, or types of threats.
The threat landscape did not change dramatically in 2014. The chart below shows the “incident classification patterns” with the greatest number of breaches for the year.
Note that POS intrusions accounted for 1 in 4 breaches observed last year (not surprising given the major retail breaches in the news). Combined with crimeware, these two threats comprise nearly half of all the breaches for 2014.
Things get even more interesting as we review the distribution of breaches by the type of threat across industries:
More than 90% of breaches in the accommodation sector hit point-of-sale machines (and remember from earlier that most of those breaches hit small organizations). POS systems were also the biggest targets for the entertainment and retail industries.
Cyber espionage hit manufacturing and professional organizations particularly hard, and espionage combined with crimeware accounted for almost 95% of all breaches in manufacturing.
Shooting phish in a barrel
Though it doesn’t contain a chart, the phishing section of the DBIR is jaw-dropping. In short: phishing is just too easy.
On average, phishing emails achieve open and click rates that rival those of legitimate business email marketing:
- 23% of recipients open phishing messages
- 11% click on attachments
Think about those stats for a moment. A phishing campaign sent to 50 people will net five to six victims in the catch.
Small, targeted campaigns are almost guaranteed to work:
- A campaign of just 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey, according to the Verizon data breach report 2015.
In a controlled test involving more than 150,000 emails, Verizon’s team found the median time-to-first-click was 1 minute 22 seconds! Nearly 50% of people opened and clicked in the first hour.
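To see how the report’s campaign figures follow from the 23% open and 11% click rates, here is a small model added for this summary (not from the DBIR). It assumes every recipient acts independently with the same rate, and goes one step beyond the text by also computing the smallest campaign that reaches a chosen probability of at least one victim.

```python
import math

# Per-recipient rates quoted by the 2015 DBIR (used here as model inputs).
OPEN_RATE = 0.23   # share of recipients who open the phishing message
CLICK_RATE = 0.11  # share of recipients who click the attachment or link


def p_at_least_one(rate, n):
    """Probability that at least one of n independent recipients acts.

    Complement of "nobody acts": 1 - (1 - rate)^n.
    """
    return 1.0 - (1.0 - rate) ** n


def expected_victims(rate, n):
    """Expected number of recipients who act in a campaign of n emails."""
    return rate * n


def campaign_size_for(rate, target):
    """Smallest n such that p_at_least_one(rate, n) >= target.

    Solves (1 - rate)^n <= 1 - target for n and rounds up.
    """
    if not 0.0 < rate < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("rate and target must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - rate))


if __name__ == "__main__":
    # Report: 50 recipients net "five to six" victims  ->  0.11 * 50 = 5.5
    print("expected victims from 50 emails:", expected_victims(CLICK_RATE, 50))
    # Report: 10 emails give a >90% chance of at least one victim.
    # With the 23% open rate that is ~92.7%; with the 11% click rate it is ~68.8%.
    for label, rate in (("open", OPEN_RATE), ("click", CLICK_RATE)):
        print(f"P(>=1 {label} in 10 emails): {p_at_least_one(rate, 10):.3f}")
        print(f"emails needed for 90% ({label}):", campaign_size_for(rate, 0.90))
```

The independence assumption is generous to the attacker (a real campaign hits correlated recipients), which is exactly why defenders should plan for the gateway, awareness and detection controls the report recommends rather than for a lucky miss.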
Recommendations from the report to combat phishing:
- Block, filter, and alert on phishing emails at the gateway
- Launch an engaging and thorough security awareness program
- Improve detection and response capabilities
97% of exploits target 10 CVEs
In another jaw-dropping section, Verizon’s team notes that 99.9% of exploited vulnerabilities in 2014 had been disclosed and given a CVE number more than a year prior.
Another fantastic chart highlights the 10 CVEs responsible for nearly 97% of all exploits observed. Only three exploits out of 100 will use a different vulnerability.
We plan to publish another post discussing this chart in more detail. For now, remember to always patch your systems, and do it automatically where possible (the AccessEnforcer UTM firewall includes automatic updates for free).
Mobile malware is not a primary threat
Most mobile malware is not malicious – it’s just annoying. Discounting that category and focusing on the truly dangerous malware, an average of 0.03% of smartphones per week on the Verizon network in 2014 were infected. That’s just three in 10,000.
A few other insights:
- 96% of mobile malware targets the Android platform
- Over 5 billion downloaded Android apps are vulnerable to remote attack
While the data breach report does not suggest that organizations should ignore mobile security, or that mobile malware will not increase in the future, it does note that organizations may get better results by focusing their resources on threats that are more prevalent.
Cyber espionage loves email
When you consider the term “cyber espionage,” you may think of large countries with massive resources launching the most sophisticated, cutting-edge attacks across the globe.
Surprisingly, most espionage begins with a simple email, according to the Verizon DBIR 2015:
Three out of four of these attacks (77.3%) require someone to engage with an email attachment or email link. The report notes that web drive-by attacks were more popular in espionage than in years past.
What are these actors looking for? Your secrets. More than 85% were targeting secret information. The second-highest category, credentials, was targeted in 11.4% of the attacks.
The industries most commonly attacked via cyber-espionage in 2014 were manufacturing, public, professional, and information, as you can see in the chart below. This is partly why two of these industries (manufacturing and public) were among the most breached overall.
RAM scrapers are growing fast
Verizon’s 2015 data breach report also looks at threat actions, which can be roughly summarized by the type of attack behind a breach. Examples include POS intrusions, web app attacks, insider misuse, etc.
Phishing attacks continue to increase, but their growth has slowed. The real breakout is RAM scraping, which has seen tremendous growth since 2012.
RAM-scraping malware was used in the major breaches at national retailers such as Target, Home Depot, and others. It’s the most common kind of POS malware today.
RAM scraping is commonly used by malware on point-of-sale systems. POS machines often hold cardholder data in memory for a moment before it’s encrypted. This tiny window provides enough time for malware to scrape the unencrypted data and write it to a log file.
Keystroke logging seems to be falling out of fashion as RAM scraping makes its rise. And phishing may have lost ground in 2013, but it has climbed back to exceed its 2012 level.
Stealing and compromising access credentials remains the most common threat action. Nothing beats having the key to the front door.
External threats are (still) greater
Internal actors may enable a breach inadvertently, but the overwhelming percentage of breaches are caused by external threats.
More than 80% of breaches reviewed in the report are attributed to external threats. Roughly 17% are from internal actors, and a tiny sliver are attributed to partners.
So the enemy is not within – but it will use your resources against you.
DDoS attacks double in 2014
Denial of service (DoS) attacks were also in the news last year. Although not quite as prominent a topic as ransomware or retail data breaches, the number of attacks doubled according to the report’s authors.
The most affected industries are the public, retail, and financial services sectors. As you can see in the chart below, these attacks may target large organizations (those with more than 1,000 employees) more often, but the overwhelming majority hit organizations of unknown size.
The data breach report also notes that most DoS attacks trend toward one of two sizes: about 15 Gbps and 59 Gbps. Though we did see huge DoS attacks in 2014 peak as high as 500 Gbps, they are outliers.
POS attacks hit businesses large and small
As mentioned earlier, RAM scraping is a popular means of attacking point-of-sale machines. However, the DBIR notes a difference in tactics when the target is a small rather than a large organization.
Small organizations often see POS devices directly targeted with attackers guessing or brute-forcing the credentials. Larger organizations typically see more sophisticated, multi-step attacks with a secondary system being breached first.
“The attack methods are becoming more varied, even against small businesses,” according to the breach report.