By Samuel Greengard
Few would dispute that Internet-based security risks are growing, but there’s some disagreement about which types of attacks represent the biggest risk. Many have predicted that cloud exploits, mobile device attacks and all-out cyber war could occur in the not-too-distant future. However, Verizon Communications’ “Verizon Data Breach Investigations Report” (DBIR) paints a somewhat different picture.
Verizon researchers examined data that extends back eight years and involved thousands of incidents occurring across numerous organizations. As it turns out, the most likely threats involve authentication attacks and failures, continued espionage and “hacktivism” attacks, Web application exploits and social engineering.
“When we examined probabilities, we saw that there is around a 90 percent chance an organization’s tech breach will revolve around a failure in authentication,” says Wade Baker, management principal for Verizon’s RISK team. A secondary but related risk centers on lost and stolen passwords. Some breaches were due to brute-force guessing, and some were caused by weak and inadequate passwords.
In addition, researchers found that Web application exploits are more likely to affect larger organizations—especially government agencies—rather than small and medium-size businesses (SMBs). Part of the reason is that these organizations are higher profile, but they also “have a larger Web presence and they offer more surface area to attack,” Baker says.
The odds of such attacks occurring are three in four, according to the data compiled by the RISK Team. “Organizations that choose to take their chances and ignore secure application development and assessment practices in 2013 are asking for trouble,” he warns.
Meanwhile, social engineering attacks are on the rise and becoming more sophisticated. Again, larger businesses and government agencies are about three times more likely than SMBs to find themselves in the crosshairs for these attacks. “Hackers and thieves realize that it is often a lot easier to get past humans than a machine,” Baker says. This translates into a strong need to train and educate employees, and to put strong policies in place.
Baker says that organizations must keep an eye on a few other key areas. For instance, the Verizon RISK team does not foresee cloud technology or configuration issues becoming a root cause of breaches for organizations. However, a service provider could inadvertently boost the likelihood of a breach by failing to take appropriate actions—or by taking inappropriate ones.
Another problem area involves organizations that don’t take necessary measures to protect mobile devices. “Lost and stolen—and unencrypted—mobile devices will continue to far exceed hacks and malware,” he explains.
Finally, researchers found that when an incident does occur, it’s far more likely that the organization itself—usually by accident—will discover the intrusion or attack than that any law enforcement agency will. While all types of security risks should be taken seriously, limited budgets and resources mandate a somewhat selective and focused approach.
Many threats, Baker says, are “over-hyped according to our historical data. They are far less likely to factor into an organization’s next breach than is commonly thought.”