Documente Academic
Documente Profesional
Documente Cultură
INVESTIGATIONS REPORT
$400 MILLION
The financial loss from 700 million
compromised records shows the
true impact of data breaches and
the importance to manage risk.
HOSPITALITY
EDUCATION
PUBLIC SECTOR
ACCOMMODATION
FINANCIAL SERVICES
RETAIL
ENTERTAINMENT
PROFESSIONAL
MANUFACTURING
TECHNOLOGY
ADMINISTRATIVE
TRANSPORTATION
79,790
may be looking for payment card data with which attackers can breach your
or sensitive commercial information, or defenses — it can take just seconds.
simply to disrupt your business. And the But while attackers don’t take long to
methods of attack are becoming increasingly compromise a system, in many cases it
sophisticated — often involving a takes organizations months or even years security incidents
combination of phishing, hacking, or malware. to discover that they’re a victim. classified
96
Campaigns have evolved to include the DBIR shows you what costs you can expect
%
installation of malware as the second stage to incur if you fail to protect your data.
of an attack. Our data suggests that such
attacks could be becoming more effective, Other models tend to over-simplify the
with 23% of recipients now opening phishing cost of a breach. We used actual cyber-
messages and 11% clicking on attachments. liability insurance claims data to develop
It gets worse. On average, it’s just 82 a more robust model that accounts for the
seconds before a phishing campaign gets its uncertainty of costs as the number of records Last year we reported
first click. involved increases. that 92% of the
Across the 20,000 organizations we looked Using this model we can say, with 95% incidents that we’d
at, there were 170 million malware events confidence, that the average loss for a breach seen over 10 years
intercepted. 70−90% of those were unique of 1,000 records will be between $52,000 fitted into just nine
to a single organization. We’re not talking and $87,000 — $52–$87 per record. In
contrast, the average loss caused by a breach
patterns. While we saw
about malware that is written to target a
particular victim — although we’ve seen that affecting 10 million records will be between many changes in the
too. We’re referring to hackers introducing $2.1 million and $5.2 million — $0.21 to threat landscape in the
simple modifications to the code each time $0.52 per record. last 12 months, these
they use it. This changes the identifying
patterns still covered
signature that traditional anti-virus products
look for, enabling the malicious code to get the vast majority of
through and compromise systems. incidents (96%).
FIGURE 2
ESTIMATED RANGE
OF THE COST OF
A DATA BREACH
$5M
The expected cost per We’ve analyzed data on almost 200 cyber- The cost of breach does not follow a linear
record for breaches liability insurance claims where there was model. In reality, the cost per record falls
a data breach. This has enabled us to bring as the number of records lost increases.
involving 100 records
you what we believe is the most accurate This means that when using an average, the
is $254. picture of the financial risk of a data breach variance grows greater as the number of
currently available. records grows — and we wanted our model to
9¢
cover a wide range of incidents, including those
where more than 100,000 records were stolen.
Beyond the average
Following the model used by other analysts, So instead of using a simple average, we
For breaches involving we started by working out an average cost modeled how the actual cost varies with
100 million records, that per record. This was just $0.58 — a lot less the number of records. We believe that
than other estimates based on survey data. this provides a much more accurate and
figure drops to just $0.09
But when we applied this to our examples reliable indicator.
— though of course the of actual costs, it was clear that it didn’t
total cost is much higher. provide a very accurate estimate.
28.5%
POS
18.8%
Crimeware
18.0%
Cyber-espionage
10.6%
Insider and privilege misuse
9.4%
Web applications
8.1%
Miscellaneous errors
3.3%
Physical theft and loss
3.1%
Payment card skimmers
0.1%
DOS
HOW ATTACKERS STRIKE
FIGURE 4 Last year we identified nine incident patterns that covered
FREQUENCY OF INCIDENT
CLASSIFICATION PATTERNS
most of the security incidents that you’re likely to face.
These patterns cover 96% of the breaches in this year’s
dataset. And the majority of the threats you face are likely
to fall into just three of these patterns.
96
The threats facing your data are becoming three patterns is people — be it sending
% ever more complex and diverse. But by using an email to the wrong person, failing to
statistical methods to identify clusters of shred confidential information, or taking
similar incidents and breaches, we have advantage of their position to harvest
developed a framework that will help you confidential data.
identify the biggest threats and prioritize
your security investments. Looking at just confirmed data breaches
(see Figure 4 above) provides an insight into
These nine patterns Looking at all incidents, including those where companies have the biggest gaps in
cover the vast majority of where there wasn’t a confirmed loss of data, their existing defenses: point-of-sale (POS)
incidents that we’ve seen. the common denominator across the top incidents, crimeware, and cyber-espionage.
Crimeware
PATTERNS
When attackers compromise the computers When state-affiliated actors breach an
and servers that run POS applications, with organization, often via targeted phishing
the intention of capturing payment data. attacks, and after intellectual property.
FIGURE 6
PERPETRATORS OF INSIDER MISUSE
The use of stolen credentials or exploit The loss or theft of laptops, USB drives,
BACKDOOR/C2 40.5%
vulnerabilities in web applications — such printed papers and other information
as content management systems (CMS) or assets, mostly from offices and vehicles.
e-commerce platforms. SQLi 19.0%
Most affected industries: Public,
Most affected industries: Information, Healthcare, and Finance
Finance, and Public RFI
Almost all theft in 2014 was opportunistic,
Nearly all the web app attacks in 2014 were with 55% of incidents occurring within the
ABUSE OF FUNCTIONALITY
opportunistic and aimed at easy marks. work area and 22% from vehicles.
Most attacks made use of stolen credentials
(see Figure 7), usually harvested from What can we do? 15% of incidents in this BRUTE FORCE
customers’ devices. category take days to discover. Encrypt your
devices to protect the data they store and
XSS
What can we do? Review load balancer, web run regular backups to prevent the loss of
application, and database transaction logs valuable data and reduce downtime.
to help identify malicious activity. Use two- PATH TRAVERSAL
factor authentication and lock out accounts
after repeated failed login attempts. Payment card skimmers
FORCED BROWSING
The physical installation of a “skimmer” on
Miscellaneous errors an ATM, gas pump, or POS terminal, to read OS COMMANDING
your card data as you pay.
Any mistake that compromises security.
Most affected industries: Finance and Retail FIGURE 7
Most affected industries: Public, TECHNIQUES USED IN
Attackers are now using thin and translucent WEB APP ATTACKS
Information, and Healthcare
card skimmers that fit inside the card reader
As in previous years, employees were the slot itself.
prime actors in most incidents. There are
three main, traditional categories of error What can we do? Monitor your pay terminals
incidents: sending sensitive information to and train employees to spot skimmers and
unintended recipients (30% of incidents), suspicious behavior.
publishing non-public data to public web
servers (17%), and disposing of personal
and medical data insecurely (12%).
Denial of service attacks
Use of “botnets” to overwhelm an
What can we do? To protect your data,
organization with malicious traffic, bringing
consider implementing data loss prevention
normal business operations to a halt.
(DLP) software that blocks users from
sending out sensitive information. And Most affected industries: Public, Retail,
re-educate your employees about data and Finance
security and how to dispose of
sensitive material. The number of distributed DoS attacks
doubled in 2014. Increasingly, attackers are
using the infrastructure of the internet itself
to amplify their attacks.
How big is the problem on Android? Data So as you’re thinking about IoT initiatives,
from Verizon Wireless showed that around we recommend that you perform threat-
100 smartphones are compromised by high- modeling exercises to identify your most
5bn
impact malware each week, out of tens of likely adversaries and their motives, and
millions of devices on the Verizon network. what aspects of your M2M services are
most vulnerable.
We recommend that you prioritize your
resources on the known methods that are To ensure data is secure within your IoT
being used to compromise your networks, application, you should:
and which are highlighted by our nine
We predict that by 2020 there • Only gather data you really need.
incident patterns. In terms of mobile
will be five billion enterprise security, seek to achieve visibility and • Have robust consent and access controls.
IoT devices, and many billions control over how your devices are being
• Transfer data in an encrypted and
used. This means you’ll be aware of any
more consumer ones. anonymized form.
suspicious activity and able to react quickly
Source: Verizon State of the Market: The as the threat landscape changes. • Separate data, except where you
Internet of Things 2015 intend to perform trend analysis.
the system
system
the breach
incident
The longer it takes you to discover a breach, The 2015 DBIR is packed with detailed • Patch promptly. You could guard against
the more time attackers have to cause information and recommendations. But many attacks just by ensuring that your IT
damage. But 56% of the time it takes seven common themes are clear: environment is well-configured and
organizations hours or more to discover an • Be vigilant. Organizations often only find anti-virus software is up to date.
attack — in 25% of cases it takes days or out about security breaches when they • Encrypt sensitive data. It won’t stop
longer. And this “detection deficit” is growing. get a call from the police or a customer. sensitive data being stolen, but it will
Log files and change management make it much harder for a criminal to do
systems can give you early warning. anything with it.
In 60% of cases, attackers
• Make people your first line of defense.
are able to compromise an • Use two-factor authentication. This won’t
Teach your staff about the importance of reduce the risk of passwords being stolen,
organization within minutes. security, how to spot the signs of an but it can limit the damage that can be
attack, and what to do if they spot done with lost or stolen credentials.
When we took a closer look at the common something suspicious.
• Don’t forget physical security. Not all
causes of breaches, we found that nearly
• Only keep data on a “need to know basis”. data thefts happen online. Criminals will
25% could have been prevented by using
Limit access to the systems staff need to tamper with computers or payment
multi-factor authentication and patching
do their jobs. And make sure that you have terminals, or steal boxes of printouts.
internet-accessible web services. In total,
processes in place to revoke access when
40% of the missing controls that we
people change role or leave. ABOU
incide
T THE
The “unive COVE
rse” of R
colore
2015
D
INVES ATA BREA
TIGATI CH
ONS R
EPOR
T
$400
MIL LION
The fina
The Verizon Data Breach Investigations Report helps you understand the threats
compromncial loss
from
true imp ised reco 700
rds show million
the imp act of data s the
ortance brea
to man ches and
age risk
Cond
from
ucted
by .
70 organ Verizon
izatio with contr
ns from ibutio
aroun ns
d the
world
.
to your organization and improve your defenses against them. To find out more, HOS PITA
LITY
RETA
IL
ENTE
RTAI
NME
NT
PRO FESS
IONA
L
MAN
UFAC
TUR ING
TECH
NOL OGY
ADM
INIS TRAT
IVE
TRA NSP
ORTA
TION
ABOUT THE COVER Malevolence, lower the tech cog!
If you are reading this, you are most likely looking for the cover challenge, which begins
The “universe” of colored dots on the cover represents 4,596 Now. We hope you have heaps of fun this year toiling with our humble little puzzle. However,
incidents from the DBIR dataset, including all confirmed data Do keep in mind, while we may inject red herrings to waste time, your paying job, health and
Family are still important, please do not neglect such things. Our goal is to present a
breaches over the past three years and a sample of 400 Denial of Unique and challenging challenge to the challengers and to make friends, not foes. May
Service attacks from last year. We calculated the distance between Luck be your friend in your hunting and gathering.
dots using a multi-dimensional scaling technique (with the Manhattan
distance algorithm) with 65 VERIS fields for each incident. This
required over 6 million comparisons, and the resulting distances were
projected on a two-dimensional plane. The closer the dots, the more
similar the incidents, meaning they share many VERIS characteristics
like threat actors, actions, assets, etc. The colors represent the
nine incident classification patterns discussed throughout this
report (see the Table of Contents for a section detailing how these
patterns were derived). Patterns in close proximity (e.g., Misuse
and Error) share many VERIS characteristics, while those that are
far apart (e.g., Espionage and POS Intrusions) have little in common.
The tightness or looseness of dots within each pattern shows the
amount of variation among incidents in that pattern. The sub-pattern
clusters (overlayed points and lines) were created using 10 years
of incident data (over 100,000 incidents). We generated a forcedirected
network graph from the frequency of VERIS fields and the
relationships between them for each individual cluster.
verizonenterprise.com
© 2015 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of
Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. ES16371 03/15
12 VERIZON ENTERPRISE SOLUTIONS