If you haven’t had a chance to read through any of the 2015 reports yet, I’d highly suggest taking some time to do so. The data presented in these reports is highly valuable to any information security professional, and it gives a clear overview of how the field is changing year by year. Two reports I would suggest reading are the Verizon Data Breach Report and the WhiteHat Security Website Security Statistics Report. The Verizon DBR is my favorite, and I’ll be covering a few sections that interested me a lot. It covers all areas of information security, and it’s actually a pretty entertaining read (I got a few laughs out of it). But I know you cyber security professionals are too busy hacking everything the world has to offer to read these, so I’ll break it down for you.
Data Breach Overview
From the 70 organizations that contributed to the Verizon Data Breach Report, there were:
- 79,790 recorded security incidents (any event that compromised the confidentiality, integrity, or availability (C.I.A.) of an information asset)
- 2,122 confirmed data breaches (any incident that resulted in confirmed disclosure to an unauthorized party)
- 61 countries represented
Yeah, I know, holy s#!% that’s a lot of incidents. Verizon goes on to break the numbers down by industry and size of the incident. I’ll highlight the top three industries affected:
| | Number of Security Incidents | | | | Confirmed Data Loss | | | |
|---|---|---|---|---|---|---|---|---|
| Industry | Total | Small | Large | Unknown | Total | Small | Large | Unknown |
| Total (All Industries) | 79,790 | 694 | 50,081 | 29,015 | 2,122 | 573 | 502 | 1,047 |
That’s right, in almost half (49.3%) of all data breaches reported, the size of the breach is unknown. From an incident response point of view, this number is shocking, but somewhat understandable. When responding to a potential incident, first responders are given the difficult (and sometimes impossible) task of tracing the intruder’s every move to see where he/she has been, what data has possibly been compromised, and evaluate the possibility of a follow-up attack. Oh, and you don’t know how long the intruder has been in the system. If your networks aren’t segmented and your logs haven’t been backed up, my deepest condolences to you.
Phishing and Social Engineering
If you work in a corporate environment, I’m sure you’ve had the pleasure of sitting through one of those anti-phishing training courses. I’m sure you rapidly clicked on the “Next” button as fast as your index finger would let you until you reached the quiz at the end, and then used common sense to answer the 10 questions acting as the metaphorical gatekeepers standing between you and that auto-generated certificate that proved you completed the course.
I’m also sure you’ve picked up on my utter disdain for these “courses”. The brutal truth is that this method of educating employees on phishing and social engineering is far from effective. Every other employee in that company is doing the exact same thing: skipping through all the content and guessing answers until they get a passing score. Of course, no one is sending financial assistance to the nephew of the Nigerian king anymore, but phishing/social engineering attacks have become extremely organized and sophisticated. Here are a few statistics:
- Phishing accounted for about 22% of all threat actions last year
- 23% of recipients open phishing messages
- 11% of recipients click on attachments
- 50% of users open phishing messages/links within the first hour
We can spend all day pointing fingers. Are corporations not providing sufficient training to help employees recognize potential threats, or are phishing campaigns just becoming more sophisticated? From a web application security perspective, the spotlight shines on vulnerabilities that can lead to possible phishing attacks. HTML/link injection, account harvesting, and email spoofing are just a few of the vulnerabilities that can lead to a very well targeted, effective phishing campaign.
Incident Classification Patterns
There were some very interesting patterns while comparing the incident classifications from 2013 to 2014. The graphs below show the frequency of incident classification patterns across security incidents:
One interesting thing to take away from the 2013 statistics is the common denominator across the top 4 patterns. Accounting for 90% of all incidents is, you guessed it, people. I’ll quote the authors of the report:
At this point, take your index finger, place it on your chest, and repeat “I am the problem,” as long as it takes to believe it. Good—the first step to recovery is admitting the problem.
First, the obvious one. POS intrusion spiked from 0.7% to 28.5%. This wasn’t entirely surprising considering every other article I read about a data breach pointed to malware-infected POS terminals. Web application attacks also more than doubled from 4.1% to 9.4% (nice to know I have job security). And denial of service attacks almost didn’t even make the list, coming in at 0.1%. Verizon does a very good job of breaking down each pattern by industry; definitely go take a look (page 34 of the report).
Web App Attacks
And we have arrived at my favorite little section of the report, web application security attacks. If you’re like me and work in web app security, this section (although small) has plenty of data that can really help set a direction for your team in the upcoming year. A couple of facts:
- Information, Financial Services, and Public were the industries most affected by web application attacks.
- Organized crime was the most frequent threat actor for web application attacks.
- 98% of attacks were opportunistic in nature.
When looking at the variety of attack actions, it’s rather surprising to see what is at the top:
With cross-site scripting used in 6.3% of breaches and SQL injection used in 19%, it’s easy to see that attackers no longer want to earn their keep through injections when a simple login will do the trick. Of course, “Use of Stolen Credentials” is a relatively broad category, and as penetration testers we can test for every vulnerability that would lead to a compromise of user credentials, but these categories also vary by industry. For example, in the financial services industry, 82% of incidents involved an end-user device and nearly 10% of them involved phishing/social engineering. Verizon unfortunately doesn’t go into much deeper detail than that, but they do mention one very important point: multi-factor authentication is becoming necessary for web applications. It is even more apparent when looking at the statistics above.
That’s all the time I have tonight. Feel free to leave your comments and questions below. Thanks for reading!