Identity Loss is the Leading Data Breach Attack
Verizon Data Breach Investigations Report identifies financially motivated cybercrime as being the top breach of 2012, but don't underestimate China.
There are a lot of different reasons why organizations become victims of Internet breaches. There are also a lot of breaches that occur in any given year.
The 2013 Verizon Data Breach Investigations Report (DBIR) sheds light on the state of breaches in 2012 as they continue to expand. The key finding of the study is that lost or stolen user identities and credentials are the top attack vector for breaches in 2012.
The data that Verizon collected for its 2013 DBIR benefits from a wider base of contributing inputs than the 2012 report. Jay Jacobs, Managing Principal for the RISK Team at Verizon, told eSecurity Planet that the 2013 DBIR report had 18 global contributor organizations, up from five in 2012. He noted that the broader base of inputs means that year-over-year comparisons in the data set are not entirely normalized in the 2013 report.
Overall, the report authors gathered over 47,000 security incidents, which were then filtered down to 621 confirmed data breaches.
Leading the list of breaches in 2013 is financially motivated cyber-crime at 75 percent, while state-affiliated attacks held down the number two spot at 20 percent. In its 2012 report, Verizon specifically called out the risk of hacktivists as being the number source of lost data in 2011.
Jacobs noted that the number of breaches attributed to hacktivists in 2012 did not change from 2011. For both years, hacktivists accounted for only 2 percent of breaches by attack volume.
"We have seen an increase in denial of service (DoS) attacks from hacktivists," Jacobs said. "In this report, we focus specifically on data loss events, so a denial of service is not something that makes an impact on the report."
China and espionage
While the impact of hacktivists in the new report is not as large, the impact of China has grown. Nearly 20 percent of all breaches reported in the 2013 DBIR are in some way affiliated with China. That doesn't necessarily mean that the People's Republic of China is behind 20 percent of all data breached.
"When we looked at espionage, we had 96 percent attributable to sources in China and 4 percent were simply unknown," Jacobs said.
The data collected by Verizon had no other source for espionage.
"That was astonishing when I saw that figure," Jacobs said. "It could just be an availability of indicators that are attributable to actors in China."
Jacobs added, "we're not naive enough to think that China is the only country doing this kind of espionage work, but it is the only country that is showing up in our data."
Identity and authentication
Regardless of the point of origination of a data breach incident, the majority of attacks are after user identity and authentication systems. Verizon found that 76 percent of network intrusions took advantage of weak or stolen usernames and passwords.
"The identity management system is under attack here," Jacobs said. "We're seeing a targeting of credentials and that is all about being able to move around in an environment."
With a credential, the attacker can log into systems in what might appear to be legitimate access to an enterprise.
The way that attackers go after identity information can take multiple forms, including SQL injection, phishing attacks and brute force attacks against authentication systems.
"So, for example, attackers can be scanning the internet looking for an open remote administration service, and once they find one, they try to brute force the password," Jacobs said. "Once they get in, they might install a keylogger to collect information as well as additional valid credentials."
There are a number of things that enterprise IT users can do to help mitigate the risk of identity-based breaches. For one, Jacobs recommends the use of two-factor authentication schemes. In a two-factor authentication setup, users need both a password and a second token/password in order to log into a site. Google, Apple and Facebook are among some of the big-name IT vendors that already offer two-factor solutions to users.
Log monitoring solutions that track user behavior and location can also potentially be leveraged to help secure identity systems.
Mobile and cloud
Though mobility and cloud as technologies generate a tremendous amount of hype and interest among users and media, they aren't important sources of breach traffic, according to Verizon.
"Mobile devices are not prevalent in our data set," Jacobs said. "Cloud security is also a headline grabber, but we're not seeing any attacks going against the infrastructure of the cloud."
Jacobs noted that Verizon did see attacks against cloud vendors, though he said that the attacks are at the application layer and are specifically related to cloud infrastructure.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.