Canadian Underwriter
News

Cyber threats increasing in sophistication, “detection deficit” still a challenge: Verizon


April 15, 2015   by Canadian Underwriter


Print this page Share

Cyber attackers can compromise an organization within minutes in the majority of breaches, a situation made worse by the continuing “detection deficit” that exists, suggests a new report issued Wednesday by Verizon Enterprise Solutions.

In more than half of breaches, attackers were able to compromise an organization within minutes

As in prior reports, Verizon’s 2015 Data Breach Investigations Report cites the ongoing challenge of the time that elapses between a breach occurring until it is discovered. “Sadly, in 60 percent of breaches, attackers are able to compromise an organization within minutes,” notes a statement from Verizon.

Verizon reports that the longer it takes for an organization to discover a breach, the more time attackers have to penetrate its defences and cause damage. In more than one quarter of all breaches, it takes the victim organization weeks, or even months, to contain the breaches, the statement adds.

The 2015 report, now in its eighth year, is part of a series of reports based on actual caseloads. The latest report analyzes more than 2,100 confirmed data breaches and about 80,000 reported security incidents, as well as addresses 8,000-plus breaches and almost 195,000 security incidents that have occurred over more than 10 years. Verizon is among 70 global organizations that contributed data and analysis to this year’s report. [click image below to enlarge]

The defender-detection deficit

“We continue to see sizable gaps in how organizations defend themselves,” says Mike Denning, vice president of global security for Verizon Enterprise Solutions. “While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases,” Denning adds.

The report includes recommendations based on seven common themes:

• the need for increased vigilance;

• make people the first line of defence;

• only keep data on a need-to-know basis;

• patch promptly;

• encrypt sensitive data;

• use two-factor authentication; and

• do not forget physical security.

While cyber attacks are becoming increasingly sophisticated, the report notes many criminals continue to rely on decades-old techniques such as phishing and hacking. In fact, Verizon reports 70% of the cyber attacks “use a combination of these techniques and involve a secondary victim, adding complexity to a breach.”

Another troubling area is that many existing vulnerabilities remain open, primarily because available security patches were never implemented. [click image below to enlarge]

Count of all detected mobile malware infections

Although there is room for refinement, Denning says, a new assessment model for gauging the financial impact of a security breach – based on the analysis of almost 200 cyber liability insurance claims – was used.

“We now know that it’s rarely, if ever, less expensive to suffer a breach than to put the proper defence in place,” he notes in the statement.

For example, the model predicts that the cost of a breach involving 10 million records will fall between US$2.1 million and $5.2 million (95% of the time), and depending on circumstances, could range up to as much as US$73.9 million. For breaches with 100 million records, the cost will fall between US$5 million and US$15.6 million (95% of the time), and could top out at US$199 million.

The latest report – as was the case in the 2014 report – shows that nine basic patterns account for the vast majority of security incidents. In the 2015 report, 96% of the almost 80,000 security incidents relate to the following:

• miscellaneous errors, such as sending an email to the wrong person;

• crime ware (various malware aimed at gaining control of systems);

• insider/privilege misuse;

• physical theft/loss;

• web app attacks;

• denial-of-service attacks, cyber espionage;

• point-of-sale intrusions; and

• payment card skimmers. [click image below to enlarge]

Frequency of incident classification patterns across security incidents

Verizon points out “this year’s report found that 83% of security incidents by industry involve the top three threat patterns, up from 76% in 2014.”

In addition, the report found that, in general, mobile threats are overblown and the overall number of exploited security vulnerabilities across all mobile platforms is negligible.

“Mobile devices are not a preferred vector in data breaches,” the report notes. “We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list,” it adds.

That said, the report notes: “We are not saying that we can ignore mobile devices; far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they’re using now.”


Print this page Share

Have your say:

Your email address will not be published. Required fields are marked *

*