The 2014 Verizon Data Breach Investigations Report (DBIR) was released on April 22, providing the deep empirical analysis of cybersecurity incidents we’ve come to expect from this annual report. The primary messages of this year’s DBIR are the targeting of Web applications, continued weaknesses in payment systems, and nine categories of attack patterns that cover almost all recorded incidents. Further, despite the attention paid to last year's enormous data breach at Target, this year’s data shows that attacks against point-of-sale (POS) systems are actually decreasing somewhat. Perhaps most importantly, the underlying thread that is found throughout this year’s DBIR is the need for increased education and application of digital hygiene.
Each year’s DBIR is compiled based on data from breaches and incidents investigated by Verizon, law enforcement organizations, and other private-sector contributors. This year, Verizon condensed their analysis to nine attack patterns common to all observed breaches. Within each of these patterns, Verizon cites the software and vectors attackers are exploiting, as well as other important statistics, such as time to discovery and remediation. The nine attack patterns listed in the DBIR are POS intrusions, Web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, denial-of-service (DoS) attacks, and cyber-espionage. Within industry verticals, most attacks can be characterized by only three of the nine categories.
Attacks on Web applications attacks were by far the most common threat type observed last year, with 35 percent of all confirmed incidents linked to Web application security problems. These numbers represent a significant increase over the three-year average of 21 percent of data breaches from Web application attacks. The DBIR states that nearly two-thirds of attackers targeting Web applications are motivated by ideology, while financial incentives drive another third. Attacks for financial reasons are most likely to target organizations from the financial and retail industries. These attacks tend to focus on user interfaces like those at online banking or payment sites, either by exploiting some underlying weakness in the application itself or by using stolen user credentials. To avoid the use of stolen credentials, the DBIR advised companies to consider implementing some form of two-factor authentication, a recommendation that is made to combat several attack types in this year’s report. As Web applications continue to grow in popularity, and are used in substantive areas such as health care and finance, we expect attacks against these Web applications to continue to be prevalent.
The 2014 DBIR contains a wide array of detailed advice for companies who wish to do a better job of mitigating these threats. The bulk of this advice can be condensed into the following categories:
These recommendations are further broken down by industry in the DBIR, but they largely come down to “elbow grease” on the part of companies and organizations. An important lesson in this report is the fact that sloppy security practices may be subject to regulatory audit and enforcement actions.1 Executing on cybersecurity plans requires diligence and a determination to keep abreast of continual changes to the threat landscape. Pepper’s Privacy, Security, and Data Protection Practice Group attorneys are well-versed in the law and technology involved in these issues, and are ready to help find solutions that fit your business information security needs.
1 See Jeffrey L. Vagle and Sharon R. Klein, New Jersey Federal Court Upholds the FTC’s Authority to Regulate Data Security (Apr. 9, 2014), available at http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2909.
Jeffrey L. Vagle and Sharon R. Klein
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.