According to a new report, large-scale financial cybercrime and government-led espionage were on the rise in 2012: 75 percent of all attacks were financially motivated, and about 19 percent of security breaches were attributed to government-led or government-sponsored attacks aimed at stealing intellectual property or trade secrets.
Drawing on 47,000 reported security incidents, 621 confirmed data disclosures and at least 44 million compromised records, the Verizon 2013 Data Breach Investigations Report paints a picture of today's cybercrime landscape -- and makes general suggestions and recommendations for organizations looking to be secure while also warning that there is no cure-all in the mercurial world of cybersecurity.
Jay Jacobs, senior analyst on the Verizon RISK (Research Investigations Solutions Knowledge) team, says that when it comes to cybersecurity, researchers either lack complete data, or the data they do have isn't necessarily a perfect reflection of the environment. To account for this, researchers must conduct “convenience studies,” he said, which are studies based on the best data an organization can acquire. Though their data isn’t perfect, Jacobs said, it’s getting better all the time.
“We’ve got 18 global contributors to the report this year,” he said, noting that last year's report only had five. "It gave us a pretty big and comprehensive view of the breach landscape.”
Top cybersecurity victims in 2012 were financial organizations and retail environments, taking 37 percent and 24 percent of attacks, respectively. While many believe that cybersecurity risks come from within an organization, this report found that the vast majority of attacks come from outsiders: 92 percent of reported attacks came from outside the organization in 2012, the report states, and past annual reports have found similar results.
State-led attacks made the news frequently last year, and the report’s data supported the idea that such attacks are on the rise. About 19 percent of security breaches were attributed to government-led or government-sponsored attacks, and were aimed at stealing intellectual property or trade secrets. Attacks from China were most dominant in this category in 2012, representing about 20 percent.
Attacks on user devices were on the rise in 2012, the report found, with devices such as personal computers or public kiosks being involved in 71 percent of attacks. About 54 percent of attacks compromised servers and, perhaps worst of all, 78 percent of initial intrusions were considered “low-difficulty.” There is no data in the report on mobile device security, Jacobs said, because their data found that mobile devices are not the easiest route into an organization, and most attacks are opportunistic.
For government, Jacobs said, the challenges are no different than for any other organization. The important thing to learn, he said, is that there is no single approach that will work for every organization. The best approach to security will vary depending on an organization’s industry, size and age.
One thing that did set government apart was a proportionately larger number of social activism and espionage attacks. Activism attacks usually focus on the Web application layer, Jacobs said, while espionage almost always begins with phishing. For instance, the attack in 2012 on the South Carolina Department of Revenue -- which cost the state more than $14 million and compromised millions of Social Security numbers and financial records -- began after an employee clicked on an email link and “unwittingly executed malware, and became compromised," according to a commissioned report by security firm Mandiant.
Every IT organization has to think about preventing outside attackers from gaining valid credentials and spending time inside the system. In the case of South Carolina, it took the attackers weeks after initial entry into the system to find the financial data they were looking for, but the breach was not even discovered until two months later, which is par for the course, according to the report.
A lot of security breaches will never be prevented from the outset, Jacobs said, but sometimes being a fast-acting detective is just as good. Though checking log files can be a great way to detect a security breach, he said almost no one actually detects breaches that way. Usually, by the time someone finds a breach, it’s too late and the damage has been done.
The main thing people should learn from Verizon's 2013 report is that there isn’t a one-size-fits-all approach to security, Jacobs said -- there are security standards and best practices found in the report, he noted, but each organization needs to identify its own unique challenges.
“This is a really good example of where information sharing is working," Jacobs said. "We’re seeing success and we’re starting to pull information out of the data and be able to make hopefully better decisions and better spending decisions in the next year."
Colin wrote for Government Technology from 2010 through most of 2016.