Every year Verizon, in conjunction with many other organizations such as the United States Secret Service, releases its Data Breach Investigations Report (DBIR), which analyzes trends from reported security incidents and verified data breaches over the previous year. The report covers many different kinds of data breaches, from ATM skimming to malware to hacking.
The authors note the presence of a sample bias. In particular, several of the organizations that contributed data to the report are national cyber/computer crime agencies, which may handle a disproportionate number of espionage-related cases. Perhaps more importantly, many application security vulnerabilities affect a single user at a time (e.g. reflected cross-site scripting), so they may never surface in an analysis of data breaches at all.
Still, the report has some important data for software development teams, particularly when estimating the likelihood of certain threats to your system.
- 76% of network intrusions exploited weak or stolen credentials. Basic controls around authentication, and more broadly identity management, are incredibly important.
- 92% of confirmed data breaches were perpetrated by outsiders (i.e. not employees, contractors, or other stakeholders who work within an organization). This highlights the need to first secure yourself against external-facing threats.
- However, a majority of incidents (potential security events where a data breach was not confirmed) involved insiders. This is an important point to keep in mind if your organization is inclined to ignore high-risk vulnerabilities in internal applications.
- 75% of breaches were driven by financial motives. When analyzing attacker motivations (like we do in threat modeling express), it makes sense to focus a disproportionate amount of your time on attack vectors that enable financial gain.
- 75% of breaches were opportunistic, while 25% were targeted. Opportunistic attackers go after whatever generic weakness they can find, so it makes sense to prioritize high-impact domain-agnostic vulnerabilities over high-impact domain-specific ones. However, ignoring targeted attacks altogether is unwise, as they represented 1 in 4 of all breaches in the report.
- 22% of hacking incidents used web applications as a vector. While this number may seem low, the total number of web incidents continued to increase this year. The report also states that the finance and insurance industry saw a much higher proportion of attacks in web applications than all other sectors.
- 80% of vulnerabilities involved user interaction, where the user was deceived (e.g. into visiting a malicious website) but had no intent to run an exploit. We often see people dismiss or downgrade the risk of threats that require user interaction, but in fact the vast majority of incidents in this report did require it.
One of the report’s conclusions is very telling:
“The most common threat actions have realized some shifts over the years, but we have failed to see any cutting-edge methods introduced.”
Attackers don’t need to introduce cutting-edge methods because 78% of initial intrusions were rated as low difficulty. They’re succeeding with the basics. Despite the hype around Advanced Persistent Threats, organizations still struggle with getting the basics right. For software development teams, remember that relying exclusively on scanners to find security vulnerabilities is ill-advised. Know your security requirements, prioritize them appropriately, know how to verify them, and apply them consistently.