Main sources of data breaches: Phishing, RAM scrapers, web app insecurity

US telecom giant Verizon has published its 2015 Data Breach Investigations Report, which is based on an analysis of nearly 80,000 security incidents, including more than 2,100 confirmed data breaches, that affected organizations in 60 countries.

The incident information was compiled and contributed by 70 organizations: IR/forensic firms, international CSiRTs, government agencies and infosec companies.

According to the statistics, the top three industries affected are the same as previous years: Public, Information, and Financial Services. But, as they noted, the fact public sector organizations are on top of this list is likely just because many government CSiRTs participated in the report, and because most of these organizations are required to report breaches.

But no industry is immune to security failures, they pointed out. “Don’t let a ‘that won’t happen to me because i’m too X’ attitude catch you napping.”

The most prominent threats in 2014 are RAM-scraping malware and phishing, while the use of spyware and keyloggers has declined considerably over the years:

When it comes to phishing, the really bad news is that the effectiveness of phishing messages seems to be rising instead of falling.

Nearly 25% of recipients open phishing messages and 11% click on attachments. Nearly 50% of users open e-mails and click on phishing links within the first hour.

“How long do you suppose you have until the first message in the campaign is clicked? Not long at all, with the median time-to-first-click coming in at one minute, 22 seconds across all campaigns,” Verizon reported. “With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.”

Employees is the Communications, Legal, and Customer Service departments are more likely to fall for a phishing email – after all, opening emails is a big part of what they do every day. Infosec experts advise improving email filtering, security awareness, and detection and response capabilities in order to minimize this danger.

When it comes to vulnerability exploitation, 10 CVEs account for almost 97% of the exploits observed in 2014 (click on the screenshot to enlarge it):

Exploits for new vulnerabilities are in use mere weeks after their existence is made public.

Once again, the collected information proved that mobile devices are not a preferred vector in data breaches.

“An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network— were infected with ‘higher-grade’ malicious code,” they found. The rest of the device compromises fall in the “adnoyance-ware” category.

Mobile devices can be and are vulnerable, but for now threat actors are focusing on other methods to break into systems.

“While the threats against us may ‘seem’ innumerable, infinitely varied, and ever-changing, the reality is they aren’t,” the researchers noted. Confirmed data breaches can be classified in the following 9 categories (according to methods used and popularity):

Ultimately, when it comes to mitigation techniques that would have prevented the analyzed attacks from happening, the two most important are 2-factor authentication and patching of Web services – both of which would have prevented attacks in nearly one-fourth of cases:

“The results of this process actually reinforce things we’ve said in the past: Don’t sleep on basic, boring security practices. Stop rolling your eyes. if you feel you have met minimum-security standards and continue to validate this level of information, then bully for you! it is, however, still apparent that not all organizations are getting the essentials right,” they noted.

“The majority of the attacks are targeting random public websites to distribute malware. According to the report 70% of the attacks included a secondary victim. This is an important lesson that shows that even if your website does not store any important and sensitive data, there is someone out there trying to use your website to distribute malware or use your servers to carry out DDoS attacks, hence a secure website, server and infrastructure are a must,” Ferruh Mavituna, Netsparker CEO, told Help Net Security.

Don't miss