10 Takeaways from Verizon’s Data Breach Report

Verizon have issued their 2015 Data Breach Investigation Report (DBIR). As usual, it provides juicy analysis of lots of data shenanigans that happened during the year. The data in the report covers the compromise of 700mn records in total, relating to 79,790 security incidents which resulted in 2,122 confirmed data breaches across 61 countries. The estimated aggregate loss was USD400mn. In short, there is a lot of well-presented data in this report, but if you do not have time to read it, here are ten takeaways you might want to remember.

1. Though the number of breaches is greatly up, the nature of threats has not changed a lot

There is no significant change to the split between internal, external and partner threat actors. Most security incidents involve familiar old techniques. Many involve old exploits of known old weaknesses. For example, most of the vulnerabilities being exploited date back to 2007. Many date back to 1999! And whilst there are millions of known vulnerabilities, just ten of them account for 97 percent of exploits observed in 2014.

2. Some countries have entered a fantasy zone where they seemingly suffer no breaches

Although the amount of data obtained for the report, the total number of breaches, and the total number of organizations supplying data have all risen compared to last year, the number of affected countries is well down. Data for last year’s report covered breaches which affected organizations in 95 different countries, 34 more than this year. The report authors obliquely hinted at one possible explanation for the dramatic fall in the number of countries featured. Being less polite than them, I will jump to the conclusion that they were unwilling to reach: in some countries, people are covering up and/or hiding from the truth.

3. Keylogging is down, RAM scraping is up

Of RAM scraping malware, the report said:

RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year, and several new families of RAM scrapers aimed at point-of-sale (POS) systems were discovered in 2014.

In contrast, keylogging malware featured in only 5 percent of the breaches covered by this year’s sample.

4. Sharing is cyber-caring

A lot more threat intelligence is being shared, but compared to the entire universe of threats, having all the available intelligence still does not appear to be enough. Whilst a lot more intelligence is being shared, attacks spread from one organization to the next more rapidly than intelligence does. To get the best value from intelligence, organizations should focus on the quality of intelligence and its relevance to their situation rather than amassing the greatest quantity of intelligence.

5. Cyberspies love to phish

…for two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing. The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network.

One reason the spies keeping phishing is because the phish keep biting. 23 percent of recipients open phishing messages and 11 percent click on the attachments. The departments most likely to open a phishing email are Customer Services, Legal and Communications – in other words, the departments most likely to read lots of emails sent by lots of different people outside the business. However, this insight should influence how businesses train their staff.

6. So far, mobile malware has had negligible impact on the security scene

Whilst Android is much less safe than iOS…

… most of the suspicious activity logged from iOS devices was just failed Android exploits…

… data from Verizon Wireless suggested that only 0.03 percent of smartphones would be infected with “higher-grade” malicious code during an average week. So whilst nobody should ignore the risks surrounding mobile phones, businesses should continue to prioritize efforts to protect themselves from more established ways to break into systems.

7. For all the data, these scientists are not afraid to discuss bias

We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though the combined records from all our partners more closely reflect reality than any of them in isolation, it is still a sample. And although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists. Unfortunately, we cannot measure exactly how much bias exists (i.e., in order to give a precise margin of error). We have no way of knowing what proportion of all data breaches are represented because we have no way of knowing the total number of data breaches across all organizations in 2014. Many breaches go unreported (though our sample does contain many of those). Many more are as yet unknown by the victim (and thereby unknown to us).

A huge round of applause for experts who are confident enough to admit to the existence of bias and the limits of their knowledge. You must recognize such weaknesses, if you want to grow stronger.

8. The success of the report depends on organizations freely sharing their knowledge

…the DBIR would not be possible without our 70 contributing organizations. We continue to have a healthy mix of service providers, IR/forensic firms, international Computer Security Information Response Teams (CSIRTs), and government agencies, but have added multiple partners from security industry verticals to take a look at a broad spectrum of realworld data. Their willingness to share data and actionable insight has made our report a hallmark of success in information sharing. For that, each of them has our respect and gratitude.

Methinks the moral of this security story also applies to other disciplines.

9. They developed a really cool way to estimate the financial loss incurred by a data breach

By analysing lots of cyber liability insurance claims, the researchers came up with a brilliant statistical model to evaluate the likely financial cost of a data breach. The technique is much better than the really dumb method we all typically use: take a monetary figure which is supposed to be the value of a single record, then multiply by the number of records compromised. However, having summarized so many of the report’s findings, I am not going to summarize this too; the model works well because it is sophisticated without being overly complicated. So if you want to know how to understand how to estimate loss, read the report!

(And whilst you are at it, reading the report will also teach you plenty about the profile of DDoS attacks, and about security for the Internet of Things, and how imposing lots of controls over system administrators does not compensate for what end users do…)

10. The cover of the report looks suspiciously like the cover of a Joy Division album

This is Verizon’s explanation of the very distinctive cover of their report (pictured above):

The visualization on the cover is based on breach impact data and analysis performed by Verizon. Each line represents an estimate of the distribution of financial loss. The amount of financial loss is represented along the x-axis (horizontal)—as the line moves to the right, it represents more financial loss. The height of the line represents the density, so taller areas represent more loss events across those points in the distribution. The financial loss is estimated using the model discussed in the impact section in this report. The lines are extended in both directions for visual effect. The industries are ordered based on distribution height for visual effect (taller distributions are toward the top). The data to estimate the loss is pulled from the past 11 years where both the industry and amount of compromised records were recorded and unique, resulting in 826 confirmed data breaches being represented in the visualization.

Sounds pretty scientific, huh? However, the white-on-black styling makes their graphs look uncannily like the iconic album cover for Unknown Pleasures, a 1979 album by Joy Division, the legendary Mancunian post-punk band. Joy Division’s album cover was based on a plot of radio waves emanating from pulsar CP 1919, as printed in The Cambridge Encyclopaedia of Astronomy. Does this mean there is a connection between data security and the stars? Or does it just mean that Verizon employed a graphic designer with a penchant for doom-laden music from the English Northwest?

You can download the full Verizon 2015 Data Breach Investigations Report from here. And you can learn more about the impact of the Unknown Pleasures album cover from the video below!

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.   Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.   Commsrisk is edited by Eric. Look here for more about Eric's history as editor.