Report: State-Sponsored Cyberattacks Heat Up in 2012
For this year's Data Breach Report, Verizon cast its net far and wide to cover more than 47,000 incidents. It included more information sources from worldwide law enforcement organizations and found that organizations don't have to be tied to military or government affairs to suffer cyberespionage. For the most part, though, international hackers -- like real-world bank robbers -- are following the money.
04/23/13 3:18 PM PT
State-sponsored cyberespionage incidents tripled over last year, according to the 2013 Verizon Data Breach Report. Ninety-six percent of those attacks were attributable to East Asia.
Verizon's study, which analyzed 47,000 security incidents, expanded its contributors this year to 19, including a wider range of worldwide law enforcement agencies.
Three key groups of cyberattackers -- activists, criminals and spies -- were identified in the report. Spies use the most sophisticated technology in their attacks and are persistent, but 75 percent of attacks are opportunistic and not targeted at a specific individual or company, the report found. Most of them are financially motivated, with the bulk emanating from Eastern Europe, including Romania, Bulgaria and Russia.
A particularly worrying finding for enterprises: Verizon found that 78 percent of the techniques used by attackers were very easy and didn't require much skill. Only 1 percent of the 621 confirmed data breaches studied involved the use of techniques Verizon rated as highly difficult. However, even well-known techniques can be used to devastating effect, the report said.
Companies view social media, new online technologies and the bring your own device (BYOD) trend as ways to boost efficiency and save money, but those all come with fears about the increasing vulnerability of corporate mobile devices, laptops, desktops and servers.
For example, the 2013 DBIR found that social tactics -- using email, phone calls and social networks to get information on individuals -- contributed to 29 percent of attacks.
Who's Reporting the Breaches?
External parties spotted 69 percent of the breaches, and 62 percent of the breaches took months to discover, while another 4 percent took years. However, the initial compromise took only a few hours at most.
Fifty-six percent of breaches took one month or more to be discovered, the report said.
"The most popular attack vectors are still easy to exploit, publicly available and well-known," Tim Erlin, director of IT security and risk strategy for nCircle, told TechNewsWorld. "While it's very tempting for organizations to focus most of their security resources on complex, involved attacks, the evidence indicates we have a lot more work to do to remove the low-hanging fruit cybercriminals depend on every day."
Weak or stolen credentials were exploited in 76 percent of network intrusions. Verizon recommends that businesses implement strict policies to reduce easily preventable risk, but they must also conduct audits to ensure the policies are implemented, as "it's not uncommon for businesses to establish policies up front but fail at consistently implementing them in practice," Erlin said.
"The commonly accepted method of entering a user ID and password was sufficient for security 10 years ago, but is woefully inadequate now," Scott Goldman, CEO of TextPower, told TechNewsWorld. "Preventing hackers from stealing, selling or maliciously using your data requires some form of two-factor authentication."
Passwords on sticky notes and stolen laptops are "emblematic of gaping holes that hackers are happy to step through to steal your data," Goldman said. While two-factor authentication may not stop the bad guys completely, "it will send them to another place that's easier to break into."
It's important to speed up detection, but companies should also take steps to slow down attackers, Erlin noted. "Slowing the propagation of an attack through the network, making data exfiltration more complicated, and generally decreasing the internal attack surface, can all increase the time it takes the attacker to achieve his goals, giving the defender a better shot at discovery and containment."
Verizon made eight recommendations to improve security. These include eliminating unnecessary data and keeping tabs on what's left, performing regular checks to ensure that essential controls are met, and evaluating the threat landscape to prioritize a treatment strategy.
"There's definitely an emphasis on the reactive measures in the recommendations," Erlin said. "Five-and-a-half of the eight fall into the reactive category, but that doesn't seem to fit the conclusions about the opportunistic nature of the majority of attacks."
Verizon did not respond to our request for further details.