What is the Verizon DBIR?

Verizon’s Data Breach Investigations Report (DBIR) is an annual publication by Verizon that analyzes the security breaches of the preceding year, giving insight into the trends, methods and tactics of attackers and into the state of information security, based on real-world data from incidents and breaches across the world. It was first published in 2008 and is often called the must-read source for anyone involved in information security in any capacity; it maintains a good balance of technical and non-technical writing, so analysts and executives alike can extract the information relevant to them. The full report, executive summary and past reports can be found here.

Security threats and attackers constantly evolve; once tactics and techniques are discovered and detectable, attackers pivot to new methods to avoid being caught. The DBIR plays an essential role in providing up-to-date information to help organizations make the right decisions surrounding security. A successful defense is often dependent on how well network administrators can adapt their defense to potential vulnerabilities.

By the Numbers: Key Statistics

This year’s report includes data from 41,686 security incidents and 2,013 data breaches from public and private organizations around the world and across all verticals from agriculture and charities to government and financial services.

  • 69% of attacks involved an external actor
  • 34% of attacks involved an internal actor
  • 43% of breaches involved small businesses
  • 39% of breaches were backed by organized crime
  • 23% of all breaches were identified as a nation-state or state-affiliated

Attackers Follow the Money

Analyzing the motivations behind the incidents and breaches, 71% of breaches were strictly financially motivated, and 25% were strategic or political such as nation-state attacks involving espionage. This year’s report featured a new addition to primary attack patterns, financially-motivated social engineering (FMSE) attacks, that focus on duping people into transferring money in a legitimate context, but to an attacker-controlled account.

Data breaches can be very expensive: the costliest breach in this year’s report is at the USD 100 million mark, the median breach of a single computer was $7,611, and the median breach of a single business email compromise was $24,439. While these medians seem low, the bad news is that the scale ranges from $0 to $100 million, accounting for all breaches worldwide. The true cost of a data breach for a Canadian organization last year was USD 4.74 million.

Timelines

The initial compromise in successful breaches often occurs within a brief timeframe. In roughly 50% of all breaches the initial compromise occurred on a timescale measured in minutes, and the exfiltration of data is measured in minutes and hours, lingering into days. By contrast, 56% of breaches took months or longer to discover; discovery is typically measured in months, indicating there are significant issues surrounding the identification of when a breach occurs and the finding of adversaries within environments.

Industries

No person or entity, no matter the size, is immune to cybersecurity incidents, and the same goes for all sectors. Below is a list of the industries that experienced the highest number of incidents in this year’s report.

Industry        Number of Incidents   Number of Breaches
Public          23,399                330
Healthcare      466                   304
Unknown         7,350                 289
Financial       927                   207
Professional    670                   157

Key Takeaways

Attackers are financially motivated. The targeting of executives and C-level personnel has trended upwards in recent years; they are twelve times more likely to be the target of social incidents such as email phishing and social engineering, and nine times more likely to be the target in a breach.

Physical attacks were down in all areas; payment card web application attacks are on the rise compared to physical terminal attacks in payment card-related breaches.

Security awareness training is paying off: over the past several years phishing click-through rates have dropped from 25% to 3%. An interesting side note is that, of the users who did click through, 18% were on mobile devices.

Web applications remain the top attack vector for breaches, with roughly 70% of breaches involving a web application, followed by Backdoor or Command-and-Control (C2) at near 30%; all other vectors were reported at under 10%.

“Webserver and/or webpage hacking has been a highly successful primary attack vector, as there are various potential avenues for exploitation. These include the main website of an institution or a less protected linked website, which in turn can provide access to the main network”

United States Secret Service Deputy Assistant Director Michael D’Ambrosio

If you’re looking to read more about web application security here are a few more resources:

At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. After that, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.

Our slogan, Ready for more than a VA scan?®, proves our commitment to the industry to provide only expert-level penetration testing. Our team of consultants thinks outside the box to find weaknesses others overlook, and continuously learns new ways to evade controls in modern networks.

For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.