Verizon to world: STOP opening dodgy phishing emails, FOOLS

Phishing and web app security problems behind most breaches

Mobile menace overstated

This year’s report looked at mobile threats for the first time. The vast majority of infections featured adware or click fraud scams, rather than anything that threatened corporate security.

"We didn't see mobile devices in breach data," Jacobs told El Reg. "This is not a preferred vector of attack. Mobile devices are vulnerable; they're just not being attacked."

Jacobs reckoned that because cyber-criminals are having no particular problem achieving their objectives – which often involved using an initial breach on a worker's PC or similar as a launchpad for attacks on more sensitive corporate systems – there's no reason for black hats to change their tactics. "Things are working, so there's no motive to shift," Jacobs explained.

Enterprises can best defend against hackers by focusing on key defensive technologies such as ID management. "Practically all breaches involved some attempt at credential theft," Jacobs said, adding that businesses also needed to focus on technologies that increased visibility about what's happening on their networks.

Verizon's post-mortems of attacks revealed that applying two-factor authentication would have prevented one in four (24 per cent) attacks from happening. Patching web services offered a similar 24 per cent return. Other much-touted measures seem to be less effective in practice, with anti-virus, for example, offering an easy win in just 2 per cent of cases.

Verizon's latest report, which covers the 12 months up to November 2014, is the latest in an 11-year series of dossiers that set the benchmarks for reviews of the threat landscape. The study collates data from police, government agencies, vendors and CERTs across many countries, as well as data obtained from Verizon's managed security services business. About 70 organisations contributed intelligence to the latest study.

Number crunchers at the US telco's security arm have expanded the report to include an analysis of the financial impact of data breaches for the first time this year. The analysis is based around actual breach claims to insurance firms, among other data. Jacobs, whose background is in statistics, said that these figures showed that the true cost of a breach is not simply a multiple of how many records were pinched.

He admitted that the analysis didn't take into account factors like customer churn and adverse share price movement following a breach. Verizon seemed to be taking a more rigorous approach than most, but the whole area of breach cost analysis remains (at best) an inexact science, even if we may be moving past the guesstimates and over-inflated figures of the past. ®
