According to the latest Verizon 2015 Data Breach Investigations Report all but four per cent of the security incidents analyzed by researchers could be accounted for by just nine basic attack types. That's pretty useful information for enterprise looking to prioritize their approach to security in terms of establishing a stronger security posture. So, as far as the nearly 80,000 incidents that were analyzed to form the basis of the report, what were these nine basic patterns then? Verizon states that the nine threat patterns are:
Miscellaneous errors (such as sending an email to the wrong person for example)
Crimeware (various malware aimed at gaining control of systems)
Insider/privilege misuse
Physical theft/loss
Web app attacks
Denial-of-service attacks
Cyberespionage
Point-of-sale intrusions
Payment card skimmers
Truth be told, these are exactly the same as identified in the 2014 report which is kind of worrying on the one hand as it suggests that mitigation measures are not being that effective or the bad guys would have moved on. Which also means it has, perhaps, a foot in the good news camp as well simply because they have not moved on to new attack modes in earnest. The new report reveals that 70 per cent of attacks relied upon a combination of these basic patterns, usually involving a secondary victim which adds complexity to the breach. It also reveals that many existing vulnerabilities remain open, with available patches not being applied, and those vulnerabilities can stretch back to as far as 2007.
What else has the report revealed? How about that 23 per cent of recipients open phishing messages, and 11 per cent click on attachments? Still far too many when you consider it now takes, on average, just 82 seconds from the start of a phishing campaign to snagging the first victim. Better news on the mobile device front though, with only 100 of these getting compromised each week. Yeah, I know, sounds a lot but it's a drop in the ocean compared to what you might think given the number of devices out there and the increased targeting of them by cybercriminals. Indeed, Verizon describes the real world mobile threat as being 'overblown'.
Then there's the cost of a breach calculations for which Verizon has developed a new estimation model. This accounts for the fact that the cost-per-record stolen is directly affected by the type of data and total number of records compromised. As an example, the model predicts that the cost of a breach involving 10 million records falls somewhere between $2.1 million and $5.2 million most of the time but could range as high as $73.9 million depending upon the circumstances. Mike Denning, vice president of global security for Verizon Enterprise Solutions, says "we believe this new model for estimating the cost of a breach is ground breaking, although there is definitely still room for refinement. We now know that it’s rarely, if ever, less expensive to suffer a breach than put the proper defense in place."