A spike in point-of-sale (POS) intrusions and the plethora of online identities have led to another year of data breaches.
Drawing on data from 50 global organisations, covering 1,367 confirmed data breaches and 63,447 incidents, the seventh annual Data Breach Investigations Report (DBIR) from Verizon found that three threat patterns cover 72 per cent of the security incidents in any industry: web application attacks; distributed denial of service (DDoS); and card skimming.
Speaking to IT Security Guru, Wade Baker, principal author of the DBIR, said that the patterns are changing over time but that POS intrusions spiked in 2011 and 2013 after a dip in 2012. “There is a certain portion of the criminal population who want the easiest and most speedy way to achieve their objective and when we have a ton of web applications out there that are poorly secured and are valuable, that may be owned by a consumer or small business and not looking at its security, it is a pretty weak victim and a high payoff.”
In terms of POS intrusions, the report found that of the 198 incidents reported, 53 per cent were achieved via brute force intrusions and 38 per cent used stolen credentials. Also, 55 per cent relied on a third party desktop, and 35 per cent on desktop sharing. All but one per cent of the breaches were detected externally, by a third party or user, rather than internally. The majority (88 per cent) of exfiltrations occurred within minutes, and 85 per cent were discovered in weeks.
Asked if this has been a rising problem, Baker said: “It has been a problem for some time and in 2009 we started seeing POS intrusions but there was an increase in the smaller franchise space, where there is not expected to be a mature security team. There were high numbers of automated attacks where scans were done on POS for admin rights, and an error that lasted to 2011-2012 and what we have seen recently are not picking the smaller franchises, but bigger organisations and this may be a strategy shift.
“I think there are fewer POS intrusions but they seem to be bigger in nature. Who pays attention to a small restaurant when they get attacked?”
He claimed that few companies manage their POS infrastructure: it is almost always outsourced, it requires a remote access port, and a third party is paid to look after it, but often the password is a default and an attacker will know that. “You can brute force that and it is easy, and it lends itself to an automated attack with common passwords,” he said. “Also take a franchise; it may have the same provider with same passwords across all store locations.”
In terms of the analysis done on web applications, 65 per cent of attacks were attributed to “ideology/fun” reasons. Baker said that different types of attackers have different reasons and often the attacks are very basic, but malware is dropped on the application. The report found that 12 per cent of detections were done internally, which Baker said was one of the higher rates, but 74 per cent of external detections were done by customers.
Baker said that Verizon opted not to include overall statistics for detection and exfiltration times, as it is hard for them to have meaning: “if we pushed it all together we would mix quick and long term attacks, which all goes to the middle”. With ten years of data, it does show that compromises are getting faster while time to discover was much slower.
“I think this is indicative of how criminals are faster than we are and that is a serious problem, and think about how much money we have poured into detection technology and it is depressing on one hand, but on the other if this is what it is we need to change something and figure out how to turn it around,” he said.
The DBIR identified nine threat patterns as: miscellaneous errors such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial-of-service attacks; cyber-espionage; point-of-sale intrusions; and payment card skimmers.
The report also found that cyber espionage is represented in 511 incidents and increased on 2013, when it was a prominent part of that year’s report.
With the report finding that stolen identities were the main form of entry, Baker said that these are the main way to access systems, that identity is perhaps the biggest problem across the internet, and that he saw this growing at a faster rate than software vulnerabilities.
The 2014 report can be downloaded in full at: http://www.verizonenterprise.com/DBIR/2014/