Latest Report On Data Breaches: More Outsider Attacks, Many Of Them State-Sponsored
from the also,-you-will-fall-victim-to-phishing dept
Every year, Verizon releases a fairly detailed report looking into data breaches, and the recent release on the 2013 report is quite interesting, highlighting how much state-sponsored attacks are the root cause of data breaches. Not surprisingly, there's a strong correlation between that and espionage (rather than direct financial benefit) being the main reason for the attacks. And, also not surprising: China is a major source of these attacks. However, one thing the study does make clear is that for all the people who claim that insiders are the biggest threat, that's less and less likely true, at least on a pure numbers basis. Insiders may be able to do more direct damage per breach, but it seems clear that in terms of sheer numbers of attacks, it's all about outsider attacks these days. There's actually been a pretty noticeable shift on this front over the past few years:
The report is actually fairly entertaining and quite readable. It does note that the rise in data on state-sponsored attacks might not be due to an actual increase in those attacks, but better data and better evidence collection -- but either way, it does appear that China continues to be a pretty big threat when it comes to outside attacks for espionage purposes. On the financial side, it's apparently all about Romania.
Separately, there's a fantastic chart that lays out three major types of attackers, who they target and how they generally do what they do. It's a pretty handy chart for understanding the overall layout of data breaches and how they normally occur:
I'm actually somewhat surprised that phishing isn't used more often across all types, as the report also notes that phishing is astoundingly effective:
We try to avoid rolling out scary memes like “you will be compromised,” but when it comes to phishing attacks, that’s exactly what the data tells us. Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Getting the user to click (on a link or attachment) is the first obstacle for all phishing campaigns. So how many e-mails would it take to get one click?That said, the report notes that merely getting a click doesn't mean the person will put in their information, or create a true compromise, but it is somewhat astounding nonetheless.
[....] It’s pretty easy to see why this is a favored attack for espionage campaigns and the answer to our question is “three.” Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a “guaranteed” sticker on getting a click. To add some urgency to this, about half of the clicks occur within 12 hours of the phishing e-mail being sent.
The report also notes what a disaster it is that we still use one-factor passwords (i.e. typical passwords) for most things, rather than (at the very least) two-factor authentication, noting that this would kill off 80% of successful hacks.
Another interesting point in all of this is that the researchers note they've seen no evidence that attackers are targeting cloud-based services over in-house ones. It's not that there aren't attacks on cloud services, it's just that it doesn't seem like a clear thing that attackers focus on. Of course, a separate research report notes just how much investment is going into the enterprise cloud these days, so I'm guessing that cloud providers are going to become increasingly large targets. While they may have stronger security, breaking in will probably be so valuable to attackers that it'll be worth attacking that stronger fortress.
And, finally, if you want to be scared about how many of these attacks have probably gone on and aren't known about yet, well, the end of the report is not particularly comforting. It notes that, from the data the researchers are using, it shows that initial attacks happen pretty quickly (within a few hours, which is up from minutes a few years ago, but still relatively quick), and getting data out comes pretty soon after that. But (and here's the scary part) actually having those breaches noticed? That doesn't happen for months and more often than not happens because another outsider discovers it, rather than an insider or an internal system raising the alarm.
In about a third of those cases, the "outsider" is a totally unrelated party, but in 9% of cases, it's a customer who discovers the data breach. That can't be good for customer confidence.
There's a lot more data in the report, and it's well worth reading. However, as we've been talking so much lately about privacy and security when it comes to governments -- mainly with a focus on activities by intelligence agencies in the US and other allies -- it's worth nothing other forms of attacks as well, and the trends related to them. The growth of attacks that are really a form of espionage, rather than just organized crime, seems like a noteworthy, if not all that surprising, finding.This post is sponsored by The Hartford.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data breaches, data security, espionage, sponsored post
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
Most companies do not send e-mails with links anymore so I've decided to instruct my family to distrust links and attachments by default. So far we've had only one semi-successful infection (stopped by Comodo Firewall at the time) in 4 years. Seems reasonable considering my parents are the type of computer illiterates that could probably be tricked by the Nigerian prince e-mail..
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
No, I'm not going to bother to post the multi-page explanation for that in a text box on TechDirt.
Instead, I'll observe that in my work doing penetration testing that my success rate exploiting people who read their email with a web browser is 100.00%. It's never failed. It doesn't matter whether they're noobs or programmers, corporate executives or graduate students, engineers or accountants. It doesn't matter which browser they use. It doesn't matter which mail backend they're talking to. It doesn't matter.
Now I'm sure some of you reading this will be inclined to reply "but what about X?" where X might be a firewall, a mail filtering appliance, a blacklist, a phishing site repository, a Javascript sanitizer, a web proxy, yadda yadda yadda. No. They don't matter either. If you read your email with a web browser then you're holding up a big sign that reads "exploit me" and no doubt someone out there will eventually take you up on the offer.
[ link to this | view in thread ]
The friggin' owl was right!
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Reading headers
My modest proposal is for email reading programs to alert users when an email's "From:" address does not match the sending domain. Needless to say, there are many cases where this is perfectly normal, so you would need a way to whitelist certain senders/domain combinations.
[ link to this | view in thread ]
Phishing is the initial vector for most breaches
With few exceptions listed, aren't all the malware and hacking actions listed actually initiated with Phishing in most cases?
[ link to this | view in thread ]