Verizon today issued its annual data-breach investigations report, a study of what happened in 1,367 known cases across dozens of industries in 95 countries last year, and the most common form of attack was breaking in through Web applications.
"Web applications remain the proverbial punching bag of the Internet," as Verizon puts it in its "2014 Data Breach Investigations Report." Thirty-five percent of the more than 1,300 data breaches examined fell into this category, as opposed to other categories, such as the 14% assigned to point-of-sale intrusions or the 8% attributed to "insider misuse" of data, for example. Over half of the time, the attackers breaking in through Web applications were doing it for ideological reasons, or just for the "lulz," the fun of disruption. About a third of the time, attackers did it for financial gain, but only seldom for cyber-espionage to steal important information.
"It's about strategic Web compromise," says Jay Jacobs, senior analyst at Verizon and co-author of the report. Most of the time, attackers took advantage of weaknesses in code, such as unvalidated inputs, and a prime attraction for them was going after large-scale content management systems, including Joomla, Drupal and WordPress.
+More on Network World: How do the FBI and Secret Service know your network has been breached before you do? | The Worst Data Breaches of 2014...So Far (Q1) +
Among other security recommendations for CMS, the Verizon report says companies need to "re-think" CMS to ensure there's an automated patch system for platforms used, or develop a manual process and stay with it.
Verizon, in addition to what it could glean from its own investigations into data breaches, received information contributed from about 50 partners on the project, including McAfee, Kaspersky, Akamai, and various national CERTS as well as groups such as the Financial Services Information Sharing and Analysis Center.
This year, the Verizon report not only examined the modus operandi for each confirmed breach, but also took a look at a wider category of more than 63,000 security incidents where the integrity or availability of a system was affected but it wasn't confirmed whether data was actually taken.
Because of rules governing the public sector, government agencies tended to report every single incident the most frequently, Jacobs pointed out. This skewed results toward the public sector, which ranked first with 47,479 security incidents, but the information industry and financial services appear to be the most targeted victim industries beyond government.
The Verizon report shows that there are patterns of attack against specific industries in distinct ways. For instance, the real estate industry saw a high level of "insider misuse," at 37% of incidents, but only 7% of attacks assigned to "crimeware,"such as a malicious e-mail attachment or Web downloads that could be associated with a command-and-control botnet operation.
The construction industry, however, saw 33% of its security incidents related to "crimeware," but only 13% due to "insider misuse." Not surprisingly, the accommodation industry -- hotels and the like -- had a full 75% of their incidents traced to "point-of-sale intrusion."
The report is a useful way for IT and security managers to identify the main types of attacks their organizations are likely to face, Jacobs notes. The report also seeks to identify where mistakes often happen -- sometimes systems administrators and code developers take the blame -- and recommendations for breach response and stronger controls.
Cyber-espionage linked to state-affiliated actors is hard to come by, the Verizon report acknowledges. But of the 505 incidents from last year analyzed in the report, the public sector, professional, scientific and technical services, manufacturing and information industry were the most hit, with the U.S. being the most victimized country at over half of the known cases. The attackers are going after a wide range of intellectual property, Jacobs notes.
Attackers seem to originate mostly from eastern Asia, such as China or North Korea, but last year's data indicates much more activity originating with Russian-speaking cyber-espionage. The notorious malicious e-mail attachment is the main vector for the commencement of a cyber-espionage campaign against an organization, with 78% of the cases starting that way. Twenty percent of cyber-espionage cases appeared to originate with a Web drive-by malicious download.
The Verizon report asks the question how the victimized organization in each instance found out about a data breach -- whether it was from an "internal" source within, or an "external" source, such as a third-party vendor or law enforcement. Interestingly, most of the time the discovery of the data breach is made by an external source that contacts the victim organization.
In cyber-espionage, 67% of the time it was an "unrelated party," such as security and forensics firm analyzing one breach and finding evidence to indicate attackers had gone after other companies as well. Sixteen percent of the time is was law enforcement that came upon the evidence of the breach while conducting its own investigation related to a separate case. Jacobs says Verizon itself has seen this happen several times with its own professional investigations, too.
Externally, the customers of victimized companies made the discovery 1% of the time as well. However, internal assets still helped somewhat. Antivirus products were seen as identifying cyber-espionage attacks 8% of the time, and network intrusion systems 2% of the time, with the internal user reporting 2% as well. Log reviews and other means accounted for the remaining 2% of internal detections.
In point-of-sale breach cases -- where it's noted that RAM scraping has usurped keyloggers as the most common malware associated with POS compromises -- the discovery of this type of crime was made 99% of the time through sources external to the victimized organization. Seventy-five percent of the time it was law enforcement, with the remainder attributed to discoveries by external fraud-detection methods and customers. "Long story short, we're still discovering payment card breaches only after the criminals begin using their ill-gotten gains for fraud and other illicit purposes," the Verizon report points out.
When it comes to discovery methods for financially-motivated incidents with Web application attacks, 88% of the time it was external sources that discovered it -- and 74% of that time, it was the customer. In the 12% of the time that internal sources made the discovery, it was the internal audit, fraud detection or users the victim organizations could thank.
When it comes to "insider misuse," internal sources managed to identify the breach 55% of the time, and 45% was external.
Another "discovery" factor the Verizon report sought to quantify was the length of time it took for these breach discoveries. That ranged widely from "seconds" to discover 32% of crimeware to a long period of "months" to discover 63% of the stealthy cyber-espionage crimes that happened last year.
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
Read more about wide area network in Network World's Wide Area Network section.