As a college student, I took a number of literature classes, as well as a couple of courses on writing fiction. One of the points that was repeated frequently in those classes is that there are only about 20 plot lines, and the trick for writers is to repurpose those plots into something fresh.
It apparently works that way with cyber threats, as well. Verizon has released its 2014 Data Breach Investigations Report and, as always, it provided an interesting snapshot of the cybersecurity landscape over the past year. One of the most important findings is this: 92 percent of the 100,000 incidents analyzed over the past decade follow nine basic patterns.
Cybercriminals have become very good at repurposing those patterns into something fresh and increasingly dangerous to our bank accounts and identities. They’ve gotten so good that enterprises are often at a loss as to how to deal with these threats. As Wade Baker, principal author of the Data Breach Investigations Report series, said in a release about the report:
“After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning.”
The nine patterns are as follows: miscellaneous errors such as sending an email to the wrong person, crimeware (various malware aimed at gaining control of systems), insider/privilege misuse, physical theft/loss, Web app attacks, denial of service attacks, cyberespionage, point-of-sale intrusions, and payment card skimmers. Not surprisingly, the patterns aren’t equal. The report pointed out that different industries will see the bulk of their threats arrive in different ways, and that on average, nearly three quarters of attacks come from three specific patterns. For instance, the retail industry will see more threats through point-of-sale intrusions and DDoS attacks, while industries focused on research and development and intellectual property have greater concerns about cyberespionage.
I plan to talk more about some of these patterns in greater depth in the coming week, as there are some interesting findings on point-of-sale intrusions, insider threats, and the continuing concern about passwords.
However, there is some pattern to cyber threats, and just because one type of threat seems to have fallen off the radar doesn’t mean that it is gone. As Joe Schumacher, security consultant at Neohapsis, a security and risk management consulting company specializing in mobile and cloud computing services, told me in an email:
“One key takeaway from this report is that organizations should not simply forget about an old threat, because just like with fashion, it could come back to be a pain. For example, RAM scraping malware was barely on the list over the last three years but shot to number four in 2013.”