When the history of computer security is written, 2013 is going to go down as something of a watershed year. It was the year of the Target breach that exposed the credit and debit card numbers of some 40 million consumers, and numerous attacks against Twitter, Facebook, Evernote and others. In short, it was a year when computer security incidents became something that mainstream people worried about a lot.
Yes, the number of overall attacks is on the rise. This is the bad news that you probably already knew. But there’s some oddly good news that may surprise you: Nearly all of the 1,300-plus data breaches confirmed last year were carried out using only nine basic attack patterns. Learn to better combat those nine patterns and you stand a better chance of resisting attacks — though as with all things related to computer security, what at first seems logical and easy is always messier and more difficult in practice.
The finding comes in a report from the security arm of the telecom giant Verizon set to be published on Wednesday. The Verizon annual Data Breach Investigations Report, one of the most highly regarded in the industry, is now in its tenth year. It contains data on attacks from 50 companies and organizations, covering more than 63,000 computer security incidents and 1,347 confirmed breaches in 95 countries. As these things go, the report contains more data to analyze than any other report of its kind, said Jay Jacobs, a Verizon analyst and one of the report’s co-authors.
If combating nine kinds of attacks sounds too ambitious, then maybe this will make it sound a little easier: On average, roughly 72 percent of all attacks were carried out using one of three methods, though the specifics tend to vary by industry.
For example, in the financial industry, 75 percent of attacks involved hacking Web applications, launching distributed denial of service (DDoS) attacks meant to overwhelm a server, or card skimming, a technique where an attacker obtains a scan of a credit or debit card with the intention of using it to commit fraud.
And while fraud and financial motivations still tend to dominate the spectrum of reasons behind cyber crime, believe it or not, they declined as a proportion of the whole in 2013. Meanwhile, attempts to steal intellectual property rose: “It’s not all about money anymore but who has the intellectual property,” Jacobs said.
So about that. Here’s something you may not have considered: inside jobs. Verizon has collected data on nearly 11,700 incidents of what it classifies as “insider and privilege misuse,” and of those, there were 112 incidents where the attacker succeeded in making off with data. If it sounds minor, then you’ve never heard of someone named Edward Snowden and his former employer, the U.S. National Security Agency.
But as the NSA will tell you, Snowden’s activities were difficult to detect. Verizon concurs, saying in the report that “most insider misuse occurs within the boundaries of trust necessary to perform normal duties. … That’s what makes it so difficult to prevent.” It’s not uncommon for employees to email things to their personal addresses so they can work on them at home, or to take things out on their personal thumb drives.
But when your company deals with sensitive information, that can get dicey really fast. In most of these cases — 85 percent — the employees carried out their data theft while in the office and right under the noses of their co-workers. And there were two basic motivations: Sell the data to a competitor, or start a competitive company. Nearly half of these thefts — 48 percent — were discovered within days or hours. But a little less than one percent — a total of 70 incidents — went undiscovered for years.
Documented incidents involving state-sponsored and politically motivated cyber espionage tripled. Jacobs attributes the increase to Verizon having access to more data than before, and the category still accounted for a relatively small number of the total incidents, only 511. In these cases, 54 percent of the organizations attacked were in the U.S., while 49 percent of the attackers were in East Asia, mostly China.
Here’s another grouping of attacks that should make you nervous, especially if you handle security for a retailer: The report documents 198 incidents involving attacks against point-of-sale terminals. In each of those cases, attackers succeeded in disclosing data. Most of those — 85 percent — involved RAM-scraping software similar to the type used in the Target breach. And most of the time — 98 percent of these cases — the theft of data wasn’t discovered for weeks or months. The only good news? The number of these attacks declined by about half from 2011.
There’s lots more crunched security data worth reading in the report, and you can get it here.
Finally, here’s a table from the report that breaks things down by types of incidents and by industry. For example, on the top line you see that most of the attacks in the hotel and resort industry were against point-of-sale systems. Meanwhile, utilities were attacked most often via breaches of their Web apps.