CEIC 2015 Student Session Series: Verizon Data Breach Investigation Report 2015
Students from Champlain College and the Leahy Center for Digital Investigation (LCDI) attended multiple training sessions while at the Computer Enterprise Investigation Conference (CEIC) 2015. Students Scott Barrett, John Nicastro & Austin Traux present some highlights from the Verizon Data Breach Investigation Report 2015 (Verizon DBIR 2015) session.
Suzanne Widup, Senior Consultant for the Network and Information Security Verizon RISK Team, gave an overview of the 2015 Verizon Data Breach Investigations Report at this year’s CEIC. While there are still unreported data breaches and security incidents, Verizon continues to produce valuable reports that highlight how each industry is losing its data.
Widup began her presentation by showing us how many contributors were present at CEIC along with the number of security incidents and confirmed data breaches. The 2015 DBIR listed 70 contributing organizations with 61 countries represented along with 79,790 security incidents and 2,122 confirmed data breaches.
To ensure a common language when describing the security incidents, Verizon created VERIS (Vocabulary for Event Recording and Incident Sharing). The four terms focused on are:
- Actor: Who did it?
- Action: How did they do it?
- Asset: What was affected?
- Attribute: How was it affected?
Verizon is sharing this data on the VERIS Community Site as well as in a GitHub repository. They also created a space for volunteers to report on data breach articles they find and add them to the DBIR.
Verizon puts a heavy emphasis on separating out the different industries in order to show the security incidents and data losses in each industry and how they occur. The separation of small, large, and unknown security incidents and data losses can be seen below:
Verizon found that most incidents and instances of data loss (around 80%) came from external entities. Verizon also found that credentials were used in these incidents more often than RAM scrapers, spyware, keyloggers, or phishing. Finally, while companies currently maintain the smallest detection deficit on record, there is still a huge gap that needs closing.
Widup noted the visible patterns in the reported attacks. Verizon has taken these patterns and created the “nefarious nine” attacks along with which industries were affected most by these attacks:
| Type of Attack | Industries Most Affected |
|---|---|
| Web Applications | Information, Finance, Administrative |
| DDoS | Public, Retail, Finance |
| Privilege Misuse (Insider attacks) | Mining, Administrative, Healthcare, Others |
| Point of Sale | Accommodation, Entertainment, Retail |
| Miscellaneous Errors (misdelivery, disposal error, publishing error, etc.) | Healthcare, Administrative, Education |
| Skimmers (i.e. ATM skimmers) | Finance, Retail |
| Crimeware (misc. malware) | Public, Finance, Manufacturing, Education |
| Espionage (including phishing) | Manufacturing, Public, Professional |
| Lost/Stolen Devices (no encryption, passwords in the open, etc.) | Public, Healthcare, Finance |
Widup then elaborated on how quickly attacks spread from the original source to other victims and devices on a network. It was concluded that about 75% of attacks go from victim zero to victim one in a mere 24 hours. When it comes to phishing attacks, Verizon’s data concluded that 23% of recipients of phishing emails open them. 11% then go on to click the link set up to deceive them into giving up information. This all happens in about 82 seconds following the “first bite.” With these simple attacks happening in such short periods of time, it becomes even more evident that detection also needs to be expedited.
These are some of the highlights of the session, but we would highly recommend the rest of this Guidance Software session for attendees!