Verizon has released its annual Data Breach Investigations Report, and its primary finding is no surprise. 2011 was the year of the hacktivist, with 58 percent of all data breached being attributed to hacktivism. As the report pointed out, the rise in hacktivism accompanied a year filled with civil and cultural uprising.
Of course, the other 42 percent of data breaches weren't a result of hacktivism, although hacking was still the primary point of entry in a breach. As the Verizon report stated:
"Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property."
Seventy-nine percent of attacks represented in the report were opportunistic. Of all the attacks, 96 percent were not highly difficult, meaning they did not require advanced skills or extensive resources. Additionally, 97 percent of the attacks were avoidable, without the need for organizations to resort to difficult or expensive countermeasures.
That last statistic is a bit of good news to be taken from the report, according to Marcus Carey, security researcher at Rapid7. He told me in an email:
"There is a low barrier for entry to pull off the majority of these breaches, with 96% of attacks not particularly difficult to execute. In fact, I have yet to see any credible reports linking more than single-digit percentages to advanced attacks, and the report shows that 79% of victims were targets of opportunity, indicating that organizations don't really have to be a big target, or even on an attacker's radar, to be hit. Bottom line: if you are vulnerable you can expect to be exploited. The good news, though, is that this also means organizations can significantly reduce their risk through proper vulnerability management, educating users, and implementing network-based access control lists."
With some controls in place, Carey added, organizations should improve on the statistic that 85 percent of breaches took weeks or more to discover and 92 percent of incidents were discovered by a third party. He said:
"The truth is there are organizations who have been compromised for over a year and don't realize it. At least the hacktivists let people know when an organization had been breached by them! Many organizations are breached and customers are never aware that their data has been compromised."