(Post 4 of the 12-week Information Security Management blog series)
If you are following along, last week I wrote about threats, risks, and vulnerabilities. I discussed the importance of identifying threats and vulnerabilities that apply to you and your organization. If you spent any time considering that, you may have quickly realized that you have very little idea how to accurately determine what threats you should be concerned with and how to find your vulnerabilities. We will discuss vulnerabilities later, but this week I am going to help in the threat department.
Fortunately, you do not have to conduct your own research on cyber incidents because there are organizations that do the work for you. Verizon, for example, publishes its annual Data Breach Investigations Report, which details information relating to cyber incidents derived from tens of thousands of reported incidents that occurred in the year preceding each report’s publication. These reports discuss motivating factors, the most common types of attacks, the most successful types of attacks for accessing sensitive data, and what types of attacks target various sizes of companies and various industries, among other things.
In their 2014 Data Breach Investigations Report, Verizon’s analysts recognized that the 63,437 incidents included in their report from the year 2013 all fell into nine categories, or attack patterns: point-of-sale intrusions, web attacks, insider misuse, physical theft or loss, crimeware (malware), card skimmers, denial-of-service, cyber-espionage, and everything else. These same categories are consistent in their reports prior to this finding in 2014 and persist even in the 2015 and 2016 reports. Additionally, they identified six primary motivating factors driving attacks: financial gain, espionage, fun, ideology, grudges, and everything else. Keeping these categories of attack patterns and motivations in mind, we can look at what the primary motivations and attack patterns are for various industries and for different sizes of business.
Let’s discuss motivations first. Across all industries and all business sizes, financial gain reigns supreme as the primary motivating factor for the vast majority of cyber attacks. For the past seven years, it has accounted for more than 75% of all incidents. The next most common motivation, accounting for less than 20% (and falling in recent years), is espionage. The other four motivating factors hardly register on a chart. The point here is that malicious actors are looking to make money from their plunder; therefore, they are generally looking for something valuable or exploitable.
So who’s at risk for what? The following table shows the number of incidents that affected small businesses of various industries in 2016 as well as the most frequent attack patterns for each industry.
| Industry | Total Incidents | Most Common Category |
|---|---|---|
| Accommodation | 140 | Point-of-Sale |
| Administrative | 6 | Denial of Service |
| Education | 16 | Denial of Service |
| Entertainment | 18 | Denial of Service |
| Finance | 29 | Web Apps |
| Healthcare | 21 | Stolen Assets |
| Information | 18 | Denial of Service |
| Manufacturing | 7 | Denial of Service |
| Professional | 24 | Denial of Service |
| Public | 6 | Misc. Errors and Privilege Misuse |
| Retail | 109 | Denial of Service and Point-of-Sale |
| Transportation | 1 | Web Apps |
As you can see, organizations in the accommodation and retail industries experience the largest number of incidents, and denial-of-service attacks against companies’ internet-connected resources are quite common. What this table does not show is that miscellaneous errors and privilege misuse are the most common incident categories across all industries, and that web app attacks and point-of-sale intrusions collectively account for nearly 65% of all successful data breaches.
These attack patterns, which I have also called categories, represent threats. Knowing which of these threats are most likely to affect you allows you to analyze risk in your organization more intelligently and to plan countermeasures accordingly.