Espionage outpacing financial crime as better reporting improves security picture: Verizon

Growing data sharing between security and law-enforcement organisations may be improving visibility of the global cybercrime risk, but many Asia-Pacific region companies continue to jeopardise their data with lax security, senior Verizon security executives have warned on the release of the company's latest comprehensive security report.

Fully 88 percent of the 63,347 incidents reported in 2013 – and covered in the company's latest Data Breach Investigations Report (DBIR) – fall into nine specific categories, APAC regional managing principal Paul Black told CSO Australia, with a surge in the number of data sources reflecting the increasingly collaborative nature of the fight against cybercrime.

"This year was a big step forward," Black explained, noting that the DBIR – a widely referenced report that has become a key reference for the security industry – has jumped from just five organisations in 2012 and 18 last year, to encompass information from some 50 contributing organisations.

That had not only provided new insight into a broader range of attacks, but had given Verizon enough of a high-level view that it has been able to categorise the security attacks into broad categories including denial of service (DoS), crimeware, Web applications, cyber espionage, insider misuse, miscellaneous errors, card skimmers and theft/loss.

Particular industries were more vulnerable to particular types of attacks: for example, healthcare organisations were the most highly represented in the theft/loss category while management companies dominated the DoS space and mining companies were most likely to be victim to espionage attacks.

"The data seems to suggest that highly repetitive and mundane business processes are particularly prone to errors," the report's authors concluded. "Misdelivery is the error that we see the most....A mundane blunder, but one that very often exposes data to unauthorized parties."

The DBIR data include specifics about 1361 confirmed data breaches across 95 countries, up from 27 countries in last year's report – providing "a more realistic representation of the threats out there," added Verizon network architect Aaron Sharp.

Interestingly, the figures showed a "downward trend" in financially motivated crimes – due to what the report called "a distorted picture of data breaches" due to unfocused media coverage – while espionage "is on the up", Black said, "and continues to do so year on year."

In many cases, he added, companies were proving to be their own worst enemies as staff proved to be susceptible to social engineering and poor internal security practices left many Asia-Pacific organisations exposed to security attacks.

Poor passwords, for example, were frequently found in many of the organisations where Verizon's own security team had been engaged.

"It's staggering the number of situations companies find themselves in," said Black, noting that numerous Asia-Pacific companies were found to be using passwords like 1234 "across every system in the organisation."

"This is the reality of what we've walked into," he said. "It feels like a conversation we have every year despite the best efforts of everyone. The exploitation of stolen credentials continues to be a issue; we see this as a massive issue around identity management, and a challenge for organisations because of the macro trends in industry around mobility and cloud.

Efforts to secure those environments were continuing to expose weaknesses in companies' security infrastructure, Sharp added, noting that companies "are not just having to manage those credentials, but having to get some control over those credentials."

There were some positives in the report, with the time between a breach happening and its being detected reducing over time – although it is still "a lot longer on average than the security people out there would like," he said.

Shortening the detection timeframe will require a massive effort on the part of the corporate world, but better information is a key part of informing that transformation as the industry recovers from serious attacks like the recent Heartbleed vulnerability.

"One of the motivators behind the DBIR in the first place is to provide some real evidence to the community," Sharp explained. "When I go to talk with customers' security organisations, I have seen security being taken increasingly seriously – and being taken up to the board level. Every circumstance is different, but we hope this information will be useful in helping security people prioritise their security spend."

Tags cybercrimeriskspasswordsverizonAaron Sharpsecurity attacksPaul Black

Show Comments