Verizon Data Breach Study Finds Little Change in Attack Patterns

Major risks remain, but there's been little change in the threat landscape since 2014, Verizon reports. Also, mobile platforms aren't the preferred attack vector.


Verizon's 2015 Data Breach Investigations Report (DBIR), released today, finds that little has changed in the threat landscape since the 2014 report came out.

Overall, the 2015 DBIR received data from 79,790 security events, of which 2,122 were confirmed data breaches. In contrast, the 2014 report was based on data from 63,437 security incidents, of which 1,367 were confirmed data breaches.

As was the case in the 2014 report, Verizon has identified nine basic attack patterns into which nearly all attacks can be categorized: point-of-sale (POS) intrusions, Web application attacks, insider misuse, theft and loss, miscellaneous errors, crimeware, payment-card skimmers, denial-of-service attacks and cyber-espionage.

"What's really interesting is that not much has changed," Jay Jacobs, Verizon senior analyst and DBIR co-author, told eWEEK. "As we look at the patterns and how they break out across industries, there is no big mover and no big surprise."

For many of the sections in the 2015 DBIR, the report co-authors struggled with what to write about, other than to simply point people to the 2014 report, Jacobs said. In the 2015 DBIR, Verizon provides additional details on what separates a vulnerability that is exploited from one that is not, he added.

Mobile Threats

Looking specifically at mobile devices, Jacobs said the majority of malware is what he referred to as a nuisance, as opposed to malware that is exploiting large volumes of users. "The big takeaway is that mobile platforms are not the preferred vectors for attacks," Jacobs said. "We're making that call this year."

The 2015 DBIR also attempts to put a dollar figure on the cost of breached data, by way of a partnership with cyber-risk vendor Net Diligence. Jacobs explained that Net Diligence works with insurance vendors to get claims information. For the 2015 DBIR, there are 191 security incidents where the report has a description of the security event and a dollar figure for what the impacted organization claimed as a loss.

"To be truly honest with the data we have, for a loss of a million records, the cost is somewhere between $57,000 and $27.5 million, which is a pretty big range," Jacobs said. "But that's what the data is telling us, and there is a lot of uncertainty in the data."

Verizon's analysis also shows that not every vulnerability is exploited. There are some 67,567 vulnerabilities with a CVE (Common Vulnerabilities and Exposures) designation, but only 792 of them were exploited in 2014.

"So only a very small percentage of CVEs are exploited; there are so many vulnerabilities out there, but you don't have to patch all of them," Jacobs said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.