Attackers are becoming more sophisticated, but they are also helped by organisations' failure to deploy available patches, leaving known flaws open for years.
The 2015 Verizon Data Breach Investigations Report, which this year draws on information from 70 contributing organisations covering 79,790 security incidents and 2,122 confirmed breaches across 61 countries, found that 23 per cent of recipients open phishing messages and 11 per cent click on attachments. The report also found that it takes just 82 seconds from the start of a phishing campaign to its first victim.
According to this year’s report, 70 per cent of attacks use a combination of older techniques such as phishing, hacking or malware and involve a secondary victim. Many existing vulnerabilities remain open even though security patches have long been available but were never applied; some of the exploited vulnerabilities date back to 2007.
Robert Parker, head of security strategy and solutions, Asia Pacific at Verizon, told IT Security Guru in an email that cyber criminals and attacks are definitely becoming more sophisticated and well-funded; however, this is exacerbated by a target-rich environment. “This is illustrated in the DBIR, whereby ten commonly known CVEs account for 97 per cent of the exploits seen in 2014,” he said.
Asked whether the fact that vulnerabilities with patches available are still being exploited suggests a need for better patch management rather than blaming people, he said: “71 per cent of known vulnerabilities had a patch available for more than a year prior to being breached. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest.
“The data set from the 2015 DBIR suggests a robust patching policy is an essential component of any risk mitigation framework; however, the need for education of users is also critical. Patching alone will not protect from user-involved data breaches, such as phishing.”
As in prior reports, the gap between a breach occurring and its discovery remains wide: in 60 per cent of breaches, attackers are able to compromise an organisation within minutes, while detection typically takes far longer.
Mike Denning, vice president of global security for Verizon Enterprise Solutions, said: “While there is no guarantee against being breached, organisations can greatly manage their risk by becoming more vigilant in covering their bases.”
The report also introduces a model for estimating the cost of a breach based on the number of records involved. A breach involving 1,000 records is predicted to cost between $3,000 and $1.5 million, with the average cost (at 95 per cent confidence) falling between $52,000 and $87,000. By comparison, breaches involving 10 million records are predicted to cost between $392,000 and $73.9 million, with the average cost (at 95 per cent confidence) ranging from $2.1 million to $5.2 million.
“We believe this new model for calculating the cost of a breach is groundbreaking, although there is definitely still room for refinement,” said Denning. “Too often, organisations think it is less expensive to suffer a breach than put the proper defense in place. But we now know that just isn’t true.”