Verizon today issued its annual data-breach investigations report, a study of what happened in 1,367 known cases across dozens of industries in 95 countries last year, and the most common form of attack was breaking in through Web applications.
"Web applications remain the proverbial punching bag of the Internet," as Verizon puts it in its "2014 Data Breach Investigations Report." Thirty-five percent of the more than 1,300 data breaches examined fell into this category, as opposed to other categories, such as the 14% assigned to point-of-sale intrusions or the 8% attributed to "insider misuse" of data, for example. Over half of the time, the attackers breaking in through Web applications were doing it for ideological reasons, or just for the "lulz," the fun of disruption. About a third of the time, attackers did it for financial gain, but only seldom for cyber-espionage to steal important information.
"It's about strategic Web compromise," says Jay Jacobs, senior analyst at Verizon and co-author of the report. Most of the time, attackers took advantage of weaknesses in code, such as unvalidated inputs, and a prime attraction for them was going after large-scale content management systems, including Joomla, Drupal and WordPress.
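To make the "unvalidated inputs" point concrete, here is an added example that is not from the Verizon report or this article. It assumes a hypothetical CMS-style lookup that reads a page slug from a request and queries a posts table: the first version pastes the parameter into the query text, the second allow-lists the slug's character set and length and binds it as a parameter. The table and rows are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for a CMS page slug: lowercase letters, digits and single hyphens.
# (Assumed policy for this example; a real site would use its own rules.)
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")
MAX_SLUG_LEN = 64


def setup_db():
    """Build a constructed in-memory posts table: one public post, one draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (slug, body, published) VALUES (?, ?, ?)",
        [("hello-world", "first post", 1), ("draft-notes", "not public", 0)],
    )
    conn.commit()
    return conn


def lookup_unvalidated(conn, slug):
    """Weak version: the request parameter becomes part of the SQL text,
    so anything the client sends is interpreted as query syntax."""
    query = f"SELECT body FROM posts WHERE slug = '{slug}' AND published = 1"
    return [row[0] for row in conn.execute(query)]


def validate_slug(slug):
    """Reject anything that is not a plain slug before it reaches the query."""
    if not isinstance(slug, str) or len(slug) > MAX_SLUG_LEN:
        raise ValueError("invalid slug")
    if SLUG_RE.fullmatch(slug) is None:
        raise ValueError("invalid slug")
    return slug


def lookup_validated(conn, slug):
    """Hardened version: validated input plus a bound parameter, so the
    'published = 1' restriction cannot be bypassed by the client."""
    slug = validate_slug(slug)
    rows = conn.execute(
        "SELECT body FROM posts WHERE slug = ? AND published = 1", (slug,)
    )
    return [row[0] for row in rows]


def is_valid_slug(slug):
    """Boolean helper for callers that prefer not to handle the exception."""
    try:
        validate_slug(slug)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = setup_db()
    print(lookup_validated(db, "hello-world"))   # public post is returned
    print(lookup_validated(db, "draft-notes"))   # draft stays hidden
    print(is_valid_slug("hello-world"), is_valid_slug("hello world"))
```

The validation step is independent of the database layer: even with parameter binding in place, rejecting malformed slugs early keeps surprising input out of logging, caching and template code downstream, which is where the report's CMS-focused attacks tend to land.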
Among other security recommendations for CMS, the Verizon report says companies need to "re-think" CMS to ensure there's an automated patch system for platforms used, or develop a manual process and stay with it.
Verizon, in addition to what it could glean from its own investigations into data breaches, received information contributed by about 50 partners on the project, including McAfee, Kaspersky, Akamai and various national CERTs, as well as groups such as the Financial Services Information Sharing and Analysis Center.
This year, the Verizon report not only examined the modus operandi for each confirmed breach, but also took a look at a wider category of more than 63,000 security incidents where the integrity or availability of a system was affected but it wasn't confirmed whether data was actually taken.
Because of rules governing the public sector, government agencies tended to report every single incident, Jacobs pointed out. This skewed results toward the public sector, which ranked first with 47,479 security incidents, but beyond government the information industry and financial services appear to be the most targeted victim industries.
The Verizon report shows that there are patterns of attack against specific industries in distinct ways. For instance, the real estate industry saw a high level of "insider misuse," at 37% of incidents, but only 7% of attacks assigned to "crimeware," such as a malicious e-mail attachment or Web downloads that could be associated with a command-and-control botnet operation.
The construction industry, however, saw 33% of its security incidents related to "crimeware," but only 13% due to "insider misuse." Not surprisingly, the accommodation industry — hotels and the like — had a full 75% of its incidents traced to "point-of-sale intrusion."