The report is a useful way for IT and security managers to identify the main types of attacks their organizations are likely to face, Jacobs notes. The report also seeks to identify where mistakes often happen — sometimes systems administrators and code developers take the blame — and to offer recommendations for breach response and stronger controls.
Cyber-espionage that can be firmly linked to state-affiliated actors is hard to come by, the Verizon report acknowledges. But of the 505 incidents from last year analyzed in the report, the public sector, the professional, scientific and technical services sector, manufacturing and the information industry were the hardest hit, with the U.S. the most victimized country, accounting for over half of the known cases. The attackers are going after a wide range of intellectual property, Jacobs notes.
Attackers seem to originate mostly from eastern Asia, such as China or North Korea, but last year's data indicates much more activity originating with Russian-speaking cyber-espionage groups. The notorious malicious e-mail attachment is the main vector for the start of a cyber-espionage campaign against an organization, with 78% of the cases beginning that way. Twenty percent of cyber-espionage cases appeared to originate with a malicious Web drive-by download.
The Verizon report asks how the victimized organization in each instance found out about a data breach — whether from an "internal" source within the organization or an "external" source, such as a third-party vendor or law enforcement. Interestingly, most of the time the data breach is discovered by an external source that then contacts the victim organization.
In cyber-espionage, 67% of the time it was an "unrelated party," such as a security and forensics firm analyzing one breach and finding evidence that the attackers had gone after other companies as well. Sixteen percent of the time it was law enforcement that came upon evidence of the breach while conducting its own investigation into a separate case. Jacobs says Verizon itself has seen this happen several times in its own professional investigations, too.
Externally, the customers of victimized companies made the discovery 1% of the time. Internal assets still helped somewhat, however: antivirus products were credited with identifying cyber-espionage attacks 8% of the time, network intrusion detection systems 2% of the time, and internal user reports 2% of the time. Log reviews and other means accounted for the remaining 2% of internal detections.
In point-of-sale breach cases — where it's noted that RAM scraping has usurped keyloggers as the most common malware associated with POS compromises — the discovery of this type of crime was made 99% of the time through sources external to the victimized organization. Seventy-five percent of the time it was law enforcement, with the remainder attributed to discoveries by external fraud-detection methods and customers. "Long story short, we're still discovering payment card breaches only after the criminals begin using their ill-gotten gains for fraud and other illicit purposes," the Verizon report points out.