The Verizon Data Breach Digest, Scenarios from the Field summarizes over 500 cybersecurity investigations. The Digest informs organizations about security attacks, the methods used and victims. It shows a limited number of techniques describe most incidents. In fact, twelve scenarios represent over 60% of all investigations.
The report groups the data breach scenarios into the following categories:
- The Human Element— human threats or targets.
- Conduit Devices— Device misuse or tampering.
- Configuration Exploitation— Reconfigured or misconfigured settings.
- Malicious Software—Sophisticated special-purpose illicit software.
Identity Management and The Human Element
Generally, humans are considered the weakest link in an information security strategy. Exploiting professionals for access enabled almost 30% of data breaches last year. For The Human Element, phishing (72%) represent a majority of attacks. Scenarios 1 to 6 identify people and trusted roles as the threat.
The report points out the top two methods take advantage of weak authentication. All total, 80% of breaches result from stolen, weak, default or guessable passwords. Weak authentication, passwords, and unsafe password protection also allow foster greater damage. To mitigate human risks, Verizon recommends user education, audits checks, and strong authentication combined with identity and access management.
In thirteen scenarios, multi-factor authentication would limit or prevent the breach altogether. Multi-factor authentication makes using stolen credentials more difficult. It also should be implemented for financial system access and combat credentials.
Top Cybersecurity Incidents, Frequency and Industries
The Verizon Data Breach Scenarios prescribe prevention, mitigation, and response controls. The following lists the Scenarios, their Frequency, and Industry focus.
| SCENARIOS | FREQUENCY | INDUSTRY CONCENTRATION |
| 1. Social Engineering | 16% | Manufacturing, professional services, public,information, utilities |
| 2. Financial Pretexting | 7% | Financial services, accommodation, retail |
| 3. Digital Extortion | 9% | Financial services, public |
| 4. Insider Threat | 12% | Financial services, accommodation, healthcare, public |
| 5. Partner Misuse | 4% | Financial services, accommodation, healthcare, public |
| 6. USB Infection | 33% | Manufacturing, professional services, public |
| 7. Peripheral Tampering | <1% | Financial services, retail |
| 8. Hacktivist Attack | 3% | Information, public, financial services |
| 9. Rogue Connection | 4% | All |
| 10. Logic Switch | 53% | Financial services, information, healthcare, public, education, retail |
| 11. SQL Injection | 23% | Utilities, manufacturing, public, education, retail, financial services |
| 12. CMS Compromise | 46% | Financial services, public, retail |
| 13. Backdoor Access | 51% | Accommodation, financial services, public, professional |
| 14. DNS Tunneling | <1% | Retail |
| 15. Data Ransomware | 4% | All |
| 16. Sophisticated Malware | 32% | All |
| 17. RAM Scraping | 55% | Accommodation, retail |
| 18. Credential Theft | 42% | Financial services, public, retail, professionalservices, information |
*NOTE: Frequency total exceeds 100%, because typically two or more methods are used. For instance, Social Engineering (16%) sets up Backdoor Access (51%) to launch Sophisticated Malware (32%).
Verizon Cybersecurity Scenario Descriptions
1. Social Engineering—the Hyper Click: Phishing and scams tricking people to disclose information, click hyperlinks, or open attachments.
2. Financial Pretexting—the Slick Willie: Social engineering duping victims into performing financial transactions or provide privileged data.
3. Digital Extortion—the Boss Hogg: Personal information, company secrets, and customer data targeted to damage reputation or steal identities.
4. Insider Threat—the Rotten Apple: Financially motivated users with Personally Identifiable Information (PII) and privileges commit most insider breaches.
5. Partner Misuse—the Busted Chain: Trusted relationships with partners and vendors leverage logical or physical access for unauthorized access.
6. USB Infection—the Porta Bella: USB drives spoof company letterhead and branding to deliver malware to specific targets.
7. Peripheral Tampering—the Bad Tuna: Physically manipulating Personal Identification Number (PIN) and Personal Entry Devices (PEDs).
8. Hacktivist Attack—the Dark Shadow: Attacks motivated by ideology disrupt and embarrass specific corporations, organizations, and governments.
9. Rogue Connection—the Imperfect Stranger: Unmanaged devices, wireless access points and personal laptops connected to corporate networks.
10. Logic Switch—the Soup Sammich: Manipulation of account balances and withdrawals often referred to as the "pump and dump".
11. SQL Injection—the Snake Bite: Targets application and database interaction by using non-validated inputs to modify queries for unintended results.
12. CMS Compromise—the Roman Holiday: Content management systems (CMS) add security vulnerabilities for backdoor malware.
13. Backdoor Access—the Alley Cat: Enables footholds into internal networks for post-compromise propagation, malware, and intelligence gathering.
14. DNS Tunneling—the Rabbit Hole: Domain Name System (DNS) allows miscreants an opportunity to siphon sought-after data.
15. Data Ransomware—the Catch 22: Malware that prevents users from accessing their system, file shares or files and holds the data for “ransom”.
16. Sophisticated Malware—the Flea Flicker: Custom malware that challenges the most mature organizations and security controls.
17. RAM Scraping—the Leaky Boot: Malware that extracts data from physical memory used in 95% of POS server breaches.
18. Credential Theft—the Poached Egg: Keylogger attacks introduce unauthorized software or hardware to record user and system information.
Get the Free KuppingerCole Identity Management Analyst White Paper
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.
