Cybersecurity Report: Hackers Look for Easy Targets
Being a victim, the study found, can be avoided by not being an easy target, as most data breaches of public sector information were found to be opportunistic, not calculated attacks.
Like the old joke goes, you don't need to be as fast as a bear to outrun one; you just need to be faster than your friend.
Likewise, government organizations with limited resources that don't have the time or money to build impenetrable defenses may not need to -- on Oct. 24, an analysis of cybercrime and intellectual property theft will be available to state and local government.
The 76 page report, called the Verizon 2012 Data Breach Investigations Report, offers detailed analysis of attacks on the public sector, and explores recommendations and best practices to fight intellectual property theft and hacker attacks. Being a victim, the study found, can be avoided by not being an easy target, as most data breaches were found to be opportunistic, not calculated attacks.
Avoiding a hacker attack may be as simple as having better security than the easy targets out there, Verizon Data Security Analyst Marc Spitler suggested. “The adversaries don't want to write code and look for zero-days all the time,” he said. “They'd rather be able to compromise a device, compromise a user's identity and use legitimate credentials to breach the network.”
The report concluded that 98 percent of all data breaches stemmed from external agents, four percent implicated internal employees as assisting outside agents, less than one percent of data breeches were committed by business partners, and 58 percent of data theft was tied to activist groups. Attackers aren't usually targeting specific organizations, Spitler said; they just want easy targets.
“So you have this attack modus operandi where the first two actions is to compromise the weak credentials and then immediately install malicious code that is designed to capture and exfiltrate payment card data,” Spitler said. “A single group will scour the Internet and have all this scripted, and they can cast a very large net and wake up the next morning and see how many fish they caught and it can be tens or hundreds.”
The incidence of hacking as a means to gain access to sensitive data increased 31 percent since last year, with 81 percent of breaches resulting from hacker attacks. About 69 percent of attacks incorporated the use of malware, 10 percent of attacks employed physical breaches of access, seven percent used social engineering, and five percent involved privilege misuse.
“We see a little bit less of what we call the collusion, internally,” said Brian Costello, Verizon vice president of security and cloud solutions for the public sector.
Error and misuse is more common than collusion, Costello said, though not necessarily in the public sector. “We've seen attack vectors from our three primary adversaries, which are your cybercriminals, hactivists and then your nation state hackers trying to take advantage of individual weaknesses.”
For instance, hackers will generally check that password controls for a certain individual are missing and find an easy route into the organization, rather than searching for a weakness in the infrastructure of a specific organization that may or may not be present.
State and local governments have a lot to lose from data breaches, Costello said, and these reports help governments identify where they should be investing their limited resources by identifying the biggest risks. “Once they understand the risk, they know where to spend their money and put their technical resources,” he said.
And these are actual cases, Spitler said. "These are actual data breaches with real criminals and real victims.” And reading this report could help organizations transform their security from a hacker gateway into a wall that hackers would rather not climb.