Industryweek 8606 Cybersecurity

Phones, Phishing and Practical CyberSecurity: Lessons from 2015 Data Breach Investigation Report

April 15, 2015
Verizon's 2015 DBIR sheds new light on the nature and cost of cyber-attacks and identifies a few things every manufacturer can do to prevent most threats.

The Internet can be a very scary place.

Every day, we hear new horror stories of financial hacks, of lost data and information theft. We read about cyber-villains across the world stealing our secrets, prying into our devices and hijacking our digital lives.

These stories are especially troubling in the manufacturing world as we link ever more of our machines, processes and data to the Web in our unrelenting charge toward the Industrial Internet of Things.

With so much of the economy tied up in the industry and so much delicate critical infrastructure involved, manufacturing seems ripe for cyber-attack. Preventing those attacks and guarding against what feels like a global force of hackers trying to get it, can be overwhelming.  It can be paralyzing.

However, if we take a closer look at what is really happening out there in cyberspace, the picture is actually much less bleak.

This morning, Verizon released a new study that does just that.

The 2015 Data Breach Investigation Report (DBIR) breaks down information gathered from more than 2,100 confirmed data breaches and about 80,000 reported security incidents to determine precisely what cyber-threats we are really facing how to protect against them.

The result reads as a refreshingly optimistic view of our chances in this online battle.

"We hear a lot of doom and gloom about how capable these actors are and how successful they are," explained Stephen Brannon, principal, Verizon Cyber Intelligence Center.

"But when we look at the statistics of who did what to whom and how they get in, a lot of that actually clears up."

Indeed, the report finds that, while the overall sophistication of the cyber threats is certainly increasing, the primary weapons attackers rely upon are the same tricks they've been using for decades. And that means the vast majority of threats are actually easily guarded against.

That seems like awfully good news.

The DBIR found that about 96% of all attacks actually fall into just nine simple categories, most of which can be attributed to human error and misuse.

Means of Attack

One big piece of this was determining exactly how attackers are getting in.

As connected devices proliferate through the industry, we're constantly reminded of the threat our unprotected tablets and smartphones pose to the enterprise.  But it turns out mobile devices are barely on the hackers' radar.

"We worked with the wireless side of the house here at Verizon to analyze malware to get some data on how often cellphones are getting infected," Brannon explained. "The answer is very, very rarely."

According to the report, less than 0.3% of mobile devices are infected with destructive malware each year – about 96% of which target Android OS.

"Across the board, there's a real lack of security breaches there," Brannon said. "It is just very, very rare for mobile devices to get infected by malware."

That is certainly good news for mobile users, but it's not exactly good news for cyber security in general.

"You shouldn't feel too good about this number," Brannon explained. "No one is hacking mobile devices because it is still much easier to get in through phishing."

That's right.

For all of the "doom and gloom" we hear of this cyber war and all of the sophisticated tools at the hackers' disposal, a vast majority of the attacks are still coming in through phishing emails and infected attachments – the same techniques they have been using since the 1990s.

The report indicates that email attachments constituted about 40% of breaches in 2014 and an email link about 35%.

The numbers from there are astounding – about 23% of recipients of these phishing messages open the emails and about 11% click on the attachments.

The median time-to-first-click on those phishing campaigns comes in at just 1:22, and once they get in, about 75% of the attacks spread to another victim within one day.

What's worse, an insane majority of these attacks are almost completely preventable.

According to the DBIR, 97% of the exploited vulnerabilities these attacks target were compromised more than a year after remedies and patches had been created. Some of them had solved as far back as 1999.

That is a sobering statistic. But it also provides us with a roadmap for prevention.

Two Steps for Better Cyber Security

In the manufacturing industry, the 528 security incidents and 235 confirmed data loss events studied in the report fell into just four categories:

Cyber Espionage (phishing attacks aimed at trade secrets and information) was the top threat, constituting 60% of all the attacks.

Crimeware (malware, viruses, etc.) came in second at 34% of events.

Insider Misuse (known users misusing authorized material) came in at 4%.

We Applications (most often from harvesting credentials stolen from customer devices and logging into web applications with them) made up 1%

That information is critical to defining a practical defense strategy, Brannon argued.

"Across the board, we've found that you can actually block 60% of all of incidents with only two controls," Brannon explained.

The first is two-factor authentication.

"Many of these attacks relied on getting a password one way or another – phishing or keystroke logging," he explained. "If authentication had also required a second factory like security tokens, that password would have been denied and about 25% of these acts would not have occurred."

The second , of course, is rethinking your company's approach to patching web applications.

"So many of these things either rely on old vulnerabilities or vulnerabilities that just haven't been patched yet," he explained. Across the board, 24% of the attacks that rely on vulnerabilities in web applications that already have patches available."

"There are a lot of very serious threats out there and obviously we need to give some deep thought to actors trying to blow up utilities and things like that," he said. "But there are two or three things that we can do right away to prevent 60% of the attacks that we know are actually happening."

"Once you get that under control," he added, "you can move to more complicated things."

Sponsored Recommendations

Voice your opinion!

To join the conversation, and become an exclusive member of IndustryWeek, create an account today!