In the wake of the major cyber attack on Target Stores, Inc.—and as companies large and small continue to assess the damage and fallout caused by the Heartbleed Bug—the big question in the minds of CIOs everywhere is: what will the next big cyber threats be? In answer to that question, Verizon recently published its 2014 Data Breach Investigations Report. This 60-page document is based on the compilation and analysis of 63,000 security incidents and 1,300 confirmed data breaches, as reported by some 50 companies worldwide. What follows is a summary of the 9 categories of cyber security threats faced by major businesses, as identified in the Verizon report.
- Point-of-Sale (POS) Intrusions – “Restaurants, hotels, grocery stores, and other brick and mortar retailers are all potential targets” of POS intrusions, according to Verizon. As for the means of attack, the first step is to compromise the POS device so that malware can be installed to collect magnetic stripe data from credit cards as they are processed. The next step is to retrieve the data and use it for financial gain. According to Verizon, almost all POS attacks can be attributed to “organized criminal groups operating out of Eastern Europe”, their shared motive being monetary gain. Verizon claims that POS attacks have actually been trending down over the last few years. But the report cautions that although the recent POS attack on a major retailer—Target is implied but not directly mentioned—made a big splash in the media, from a frequency standpoint POS attacks are actually more of a threat for small and medium businesses.
- Web App Attacks – The Verizon report refers to web applications as “the proverbial punching bag of the Internet”, making web app attacks the most common type of data breach. As to the methods used by those with malicious intent, weaknesses in the application, such as inadequate input validation, are exploited through the use of malware, phishing techniques, and just plain guessing at the user’s personal information. Stolen credentials are also used to gain access by impersonating a valid user. Speaking on the subject of protection, Verizon states that, “The writing’s on the wall for single-factor, password-based authentication on anything Internet-facing.” The report suggests that better protection starts with two-factor authentication.
- Insider and Privilege Misuse – According to the Verizon report, the unapproved or malicious misuse of organizational resources—primarily valuable intellectual property—by individuals working on the inside is a very real and ongoing threat for organizations. Such breaches can be very difficult to prevent, since the majority of insider misuse “occurs within the boundaries of trust necessary to perform normal duties.” To illustrate the very real risks for organizations that must trust individuals with sensitive information, Verizon cites the case of U.S. government contractor Edward Snowden as an extreme example. Examples closer to home for most businesses would be employees using forbidden devices such as USB drives or services to transmit intellectual property to their personal accounts. Another example would be an employee posing as another user and sending inappropriate messages designed to get a colleague fired. Verizon claims that employees guilty of nefarious acts involving insider and privilege misuse are motivated by financial or personal gain and could be anyone from payment chain personnel or end users to C-suite execs.
- Physical Theft and Loss – With all of the sophisticated safeguards companies put into place to mitigate cyber threats, the theft of physical devices that store, process, or transmit information remains a very real risk for businesses. This is especially true in light of Verizon’s discovery that corporate assets such as smartphones and laptops “are stolen from corporate offices more often than personal vehicles or residences.” Surprisingly, Verizon lists employee carelessness and human nature as the root causes of device loss. “Accidents happen. People lose stuff. People steal stuff. And that’s never going to change,” the Verizon report states. While employees should be encouraged to keep better track of their gadgets, Verizon recommends that companies back up their data and make sure that all devices are encrypted.
- Miscellaneous Errors – “People screw up sometimes.” This was Verizon’s nutshell summation of the threat category called “Miscellaneous Errors.” Unlike the Physical Theft and Loss category, this one, as Verizon points out, refers to “incidents where unintentional actions directly compromised a security attribute of an information asset.” An employee sending an email or snail mail to the wrong recipient, or posting private information to a company’s web server, are both examples of miscellaneous errors that could result in a data breach. Recognizing the human factor, Verizon recommends implementing data loss prevention (DLP) software to reduce the risk of sensitive files being inadvertently sent via email. Verizon also states that companies can decrease the frequency of publishing errors by “tightening up processes around posting documents to internal and external sites” and by having a “second reviewer approve anything getting posted to company servers.”
- Crimeware – The Verizon report describes “crimeware” as “any malware incident that did not fit other patterns like espionage or POS attacks.” As such, “crimeware” covers a broad range of malware-related activities, such as stealing an online user’s banking credentials, spamming, mounting DoS attacks, and other illicit actions. Web downloads and drive-by infections—wherein viruses can be inadvertently downloaded when unsuspecting users click on deceptive pop-up windows—are stated in the report as the most common ways of infecting a system. Keeping software such as browsers up to date is a recommended practice to combat “crimeware” attacks.
- Payment Card Skimmers – Primarily affecting ATMs and pay-at-the-pump devices at gas stations, skimming used to be relatively unsophisticated, as it required the physical attachment and later removal of a skimming device on the targeted machine. However, with the advent of Bluetooth and other wireless technologies, criminals can now collect sensitive data remotely without having to physically retrieve the skimming device. While skimming remains a concern in some foreign countries such as Bulgaria and Armenia that are behind the technology curve, most modern ATMs remain relatively tamper-free.
- Cyber-Espionage – How’s this for a statistic? According to the Verizon report, incidents of “unauthorized network or system access linked to state-affiliated actors” have tripled over the last year. As a result, Verizon says that espionage now exhibits a wider variety of so-called “threat actions” than any other pattern. Even more disturbing is the fact that once foreign intruders gain access they can participate in all kinds of harmful activities such as scanning networks and exporting sensitive data. While China was once considered the only offender, Verizon points out that Eastern Europe has emerged as the instigator in 21 percent of reported attacks.
- Denial of Service Attacks – Defined as “any attack intended to compromise the availability of networks and systems,” DoS attacks were included on Verizon’s list due to the growing number of concerns by financial, retail, and public corporations that their “consumer-facing” websites could be effectively shut down. Whether for protest, extortion, or to satisfy a twisted sense of humor, DoS attackers are using more sophisticated tools to wreak their own particular brand of havoc. To mitigate the damage, the Verizon report emphasizes that organizations need to have a plan of action in place should a DoS attack occur.
In today’s Internet-connected world, cybercrime is big business. Going forward, sophisticated efforts to steal valuable data for profit are predicted to only escalate. To keep their organizations safe, it is incumbent upon IT security pros to exercise constant vigilance, identifying current and emerging cyber threats and devising new and better ways to thwart them.