Hacktivism was responsible for more 'breaches' than financially-motivated cybercrime last year, accounting for more than 100 million of the total 174 million records stolen and tracked in the 2012 Verizon Data Breach Investigation Report released today.
The report said hacktivist groups like Anonymous had stepped up attacks to steal and publish sensitive records like mail records rather than launch comparatively harmless denial of service attacks.
“That’s almost twice the amount pinched by all those financially-motivated professionals. Although ideological attacks were less frequent, they sure took a heavy toll,” the report said.
“This re-imagined and re-invigorated spectre of hacktivism rose to haunt organisations around the world … Doubly concerning for many organisations and executives was that target selection by these groups didn’t follow the logical lines of who has money or valuable information.
“Enemies are even scarier when you can’t predict their behaviour.”
The report (pdf) logged a total of 855 incidents and 174 million compromised records using information supplied by Verizon's RISK team, the Australian Federal Police, the Dutch National High Tech Crime Unit, Ireland's Computer Emergency Response Team (CERT), Police Central e-Crime Unit, and the United States Secret Service.
The number of compromised records logged in the report had exploded compared to the four million stolen records crunched in Verizon's 2011 research.
The "surprising" increase in the number of records stolen from large organisations was "mainly the result of a few very large breaches that hit organisations in these industries in 2011".
"We suspect the attacks affecting these organisations were directed against their brand and for their data rather than towards their industry," the report stated.
Cybercriminals, however, were automating attacks against easy targets, namely small businesses within the hospitality and retail sectors, notably by targeting point of sale (PoS) systems.
Some 79 percent of recorded attacks against organisations with fewer than 1000 employees were opportunistic, Verizon said, while only 16 percent were targeted.
Last year, Visa revealed to SC Magazine it had identified some 40,000 small businesses which were at high risk of fraud. Those businesses could process up to 20,000 e-commerce transactions a year, yet lacked the resources or knowledge to adequately protect their systems.
Visa said integrated PoS systems owned by those higher risk businesses were the most insecure because they often ran older wi-fi and Bluetooth networks with little or no security. Many were also found to have outdated firewalls in place for up to a decade and multiple unpatched systems.
Nearly three quarters of the opportunistic attacks hit the combined retail and trade, and accommodation and restaurant sectors.
Attacks against restaurants and a small number of hotels accounted for 54 percent of all breaches noted in the report.
Attacks against larger organisations with more than 1000 employees were far less opportunistic with only 35 percent of attacks labelled opportunistic, and half considered targeted.
The ratio of targeted to opportunistic attacks was similar to that in the 2011 report. However, the authors noted that opportunistic attacks generally hit small businesses while targeted attacks hit large financial and IT firms.
“These observations would seem to support the conclusion we’ve drawn … that large-scale automated attacks are opportunistically attacking small-to-medium businesses and PoS systems frequently provide the opportunity,” the report stated.
Attacks against the financial and insurance industry dropped from 22 percent in 2010 to about 10 percent last year. The report authors said it was “suffice to say” that the cybercrime industrialisation trend had continued to worsen.
Keeping it clean
Verizon had received criticism in recent years for combining data from small and large businesses that had been breached.
There were far more small businesses breached than large organisations, and it was argued this harmed the relevance of the report to enterprises.
The report authors acknowledged the criticism and have this year included distinctions between sectors.
“One of the problems with looking at a large amount of data for a diverse range of organisations was that averages across the whole are just so 'average',” it read.
“We’ve made the conscious decision to study all types of data breaches as they affect all types of organisations, and if small businesses are dropping like flies, we’re not going to exclude them because they infest our data.”
Results from the report were based on “first-hand evidence collected during paid external forensic investigations conducted by Verizon from 2004 to 2011” of which last year was the “primary analytical focus”.
Of the 250 “engagements” conducted by Verizon's RISK team last year, 90 involved confirmed data compromise and were included in the report.
Some contributors supplied data using the Verizon Enterprise Risk and Incident Sharing (VERIS) framework which has been made public.
Authors said they had “no way of knowing what proportion of all data breaches are represented” because many were unreported and unknown to victims.
“What we do know is that our knowledge grows along with what we are able to study and that grew more than ever in 2011. At the end of the day, all we as researchers can do is pass our findings on to you to evaluate and use as you see fit.”
Threat grids produced by the VERIS framework provided insight into the types of breaches that affected large and small firms.
Many more threats were recorded on grids for small - rather than large - organisations. But the report authors said this was likely because there were fewer breaches against big business, and not fewer threats per se.
External hacking of servers was a major threat to both large and small organisations. Social engineering was ranked the third most pressing threat for big business, and user device confidentiality took third spot for small organisations.
"Malware and hacking against servers and user devices are burning brighter than ever," the authors wrote.
The report encouraged security professionals to use the VERIS framework to provide clarity into their own threats.
"Over time, a historical dataset is created, giving you detailed information on what’s happened, how often it’s happened, and what hasn’t happened within your organisation.
"Unknowns and uncertainties begin to recede. You give it to your data visualization guy who cranks out a grid for your various business groups. Hotspots on the grid focus your attention on critical problem areas and help to properly diagnose underlying ailments.
"From there, treatment strategies to deter, prevent, detect, or help recover from recurring (or damaging) threat events can be identified and prioritised."
The framework would allow the effectiveness of mitigation efforts to be measured.