Wednesday, 23 April 2014

The Target Hack Wasn't the Half of It

To protect against hacks, security researchers need to peer into the wily minds of cybercriminals and glimpse the ever-changing motivations and techniques they use to go where they’re not invited. So every year, Verizon surveys law enforcement, private security firms, and other technology organizations about hacks they have tracked at companies, the government, and other groups. This year’s report grew to include 50 organizations disclosing a collective 63,000 “security incidents” and 1,367 actual data breaches. All told, they show how the hacks that get the most attention aren’t necessarily a harbinger of what’s on the horizon.

The epic Target hack, the biggest retail breach in U.S. history, involved an attack at what’s called the “Point of Sale” (POS), the device customers use to swipe their cards when they check out at a store. While the Target breach has dominated the conversation recently, Verizon said point-of-sale attacks are old news. “At the risk of getting all security-hipster on you—we’ve been talking about this for years,” Verizon wrote. It said that because the breaches got so much attention, they’re generally far less frequent than they were even just two years ago. Instead, there’s a growth in attacks on websites, the “proverbial punching bag of the Internet.”

Verizon

Verizon said about two-thirds of the 1,126 Web app attacks it studied were motivated by “ideology/fun,” and used the compromised servers for two ends: “defacements to send a message or hijacking the server to attack … other victims.” Most of the remaining third of the Web app attacks are by hackers on the hunt for money. These assailants, largely based in Eastern Europe, use relatively simple methods when they break into banks, including tricking users into inadvertently giving up their passwords or “the old stand-by of brute force password guessing,” according to the report. When they attack retailers, they tend to exploit security flaws in the websites themselves.

Spying is also on the rise. More than half of the documented espionage attacks were on U.S. targets, and 87 percent were perpetrated by state-affiliated actors. While many appeared to be from China, more than a fifth of the espionage attacks in Verizon’s dataset came from Eastern Europe.

So how is the security industry doing in tracking these and other hacks? Verizon prescribes “a deep, calming breath before diving into this last one.”

Verizon

The red line shows that hackers have gotten faster at breaking in and doing their deeds, while the blue line shows defenders aren’t keeping up. “This doesn’t scale well, people,” Verizon warned. As Bloomberg Businessweek’s recent cover story on the Target hack showed, just discovering a breach is part of the battle. What companies do with that intel is a whole other question.
