The Complex

The takeaway from Verizon's cyber security report: Cybercrime is way too easy

Verizon's annual report on the latest trends in cyber-threats, one that is frequently referred to each year by cyber security experts, is out this week. Its big message? Low-tech threats pose the biggest risks by far.

Of the 621 confirmed "data breaches" (successful cyber-attacks) that Verizon's security team investigated around the world in 2012 -- in collaboration with 19 other organizations -- 99 percent were relatively unsophisticated. In fact, 78 percent of all attacks used methods requiring low or "very low" computer skills to gain entry to a target's networks. This means that "the average [computer] user could have done it" or that attackers downloaded hacking tools from the web.

It's also worth pointing out that the vast majority of devices vulnerable to attack by hackers are still traditional computing tools like ATMs (30 percent), desktop computers (25 percent), file servers (22 percent), and laptops (22 percent), while newer tech, such as web applications, constitutes only 10 percent of the vulnerable computing assets, according to Verizon.

About 75 percent of attacks were motivated by financial gain on behalf of the hackers, while 19 percent were espionage cases by government-backed hackers. The vast majority -- 76 percent -- of these attacks were made possible by stolen or weak passwords. (Hmm, does this sound familiar?) As the report's executive summary states, "If you want to see how widely available hacking tools have become, do a web search for 'password cracker.'"

So, who were the victims that Verizon's researchers studied? Thirty-seven percent were financial firms, 24 percent were retail or restaurants, 20 percent were manufacturing, transportation and utilities firms, and 20 percent were professional services providers.

Who was doing the attacking?

"The majority of financially motivated incidents we looked at originated in the U.S. or Eastern Europe - particularly Romania, Bulgaria and the Russian Federation," reads the report's executive summary. "Espionage cases were predominantly attributable to East Asia. But the attacks that we studied happened to companies all around the world."

The report goes on to explain that three-quarters of all espionage cases targeted manufacturing, transportation and professional services industries. This makes plenty of sense. As Killer Apps has reported before, hackers are interested in stealing intellectual property from professional services providers such as law firms and learning about the business secrets and processes used by Western manufacturing firms and aerospace companies.

Of the espionage cases, 95 percent relied on some form of email phishing attack: "Even the most targeted and malicious attacks often rely on relatively simple techniques," the report states.

Still, phishing attacks "have become much more sophisticated, often targeting specific individuals (spear phishing) and using tactics that are harder for IT to control. For example, now that people are suspicious of email, phishers are using phone calls and social networking."

(This last line should come as no surprise to anyone with a Twitter account. Who hasn't received the "Check out this awful thing people are saying about you here" tweet?)

Meanwhile, the report's authors insist that the oft-repeated dictum that a company's employees constitute its greatest cyber-threat is not accurate. "Contrary to popular belief, 86 percent of the attacks do not involve employees or other insiders at all. Of the 14 percent that do, it's often lax internal practices that make gaining access easier than you expect."

Specifically, this means that more than half of the employees committing cyber-sabotage were taking advantage of "old accounts or backdoors that weren't disabled" after the employees left their companies. In fact, 70 percent of IP theft cases committed by employees took place within 30 days of them announcing their resignation from their companies.

The report repeats over and over again that attackers are going after targets of opportunity. Basically, cybercriminals don't need to employ highly advanced hacking tools because the victims make it easy for the attackers to get in.


National Security

What does Assad's WMD arsenal look like?

Given all the news reports citing British, French, and Israeli officials saying that chemical weapons may have been used in Syria, we thought we'd give you an updated version of what we know about Bashar al-Assad's stockpile of chemical agents and their delivery systems.

The United States' Intelligence Community's 2013 Worldwide Threat Assessment released last month states that Syria has a "highly active chemical weapons program" maintaining a stockpile of sarin, VX, and the longtime staple of chemical warfare, mustard gas. These weapons can be delivered a number of ways, from cluster bombs dropped from jets and helicopters to chemical warheads placed atop Scud ballistic missiles. They can even be fired via shorter-range artillery guns or missile systems, like the Soviet-made BM-27 Uragan.

In addition to chemical weapons, the Intelligence Community's report states that it's likely the regime has biological weapons, albeit without dedicated delivery systems.

"Based on the duration of Syria's longstanding biological warfare (BW) program, we judge that some elements of the program may have advanced beyond the research and development stage and may be capable of limited agent production," reads the threat assessment. "Syria is not known to have successfully weaponized biological agents in an effective delivery system, but it possesses conventional and chemical weapon systems that could be modified for biological agent delivery."

The Assad regime may well improvise with delivery systems as its weapons stockpiles are run down by the war. Remember, we've seen Syrian air force personnel pushing "barrel bombs" lit via cigarettes from the cargo doors of helicopters onto Syrian cities. 

The recent reports about the Assad regime's possible use of chemical weapons do not provide information on the types of delivery systems used.

While we've reported that Western officials have stated that securing Syrian weapons of mass destruction (WMDs) would be an incredibly complicated operation, it's worth noting that NATO has deployed counter-WMD teams in the region for months, in an attempt to figure out how to secure Syria's stockpile in the event that the regime loses control of it.

Last week, it was revealed that the U.S. is sending about 100 soldiers to Jordan, where they are establishing an Army headquarters unit -- a possible precursor to a larger buildup of forces that may move to secure the WMD. FP's Situation Report quoted a U.S. defense official as saying that the troops are "a well-trained, well-coordinated team that can be the nucleus of further mission planning and growth of the command and control element, should that be ordered."

But, as Charles Blair, a specialist on WMD proliferation with the Federation of American Scientists, points out, there are no rock-solid public estimates of the size of Assad's arsenal.

"Any open source assessments of a Syrian BW program -- and its notional size and composition -- are purely hypothetical," Blair told Killer Apps in an email.

Last year, Chairman of the Joint Chiefs of Staff, Army Gen. Martin Dempsey, told lawmakers that the size of Assad's chemical weapons arsenal was "100 times the magnitude we experienced in Libya." (The Libyan government voluntarily destroyed most of its chemical weapons well before Muammar al-Qaddafi was overthrown in 2011.)

"I've heard that Syria has 100 to 200 missiles with nerve agents loaded and ready to go, but that seems extreme," Blair told us last summer.

However, he did point out today that Assad may have doubled down on his bio-weapons program in the wake of the 2007 Israeli airstrike that leveled one of his main nuclear research facilities at al-Kibar.

"We know that when Libya finally concluded that sophisticated chemical agents (i.e., nerve agents) were a bridge too far, they abandoned their CW pursuits and doubled down on their nuclear program (until abandoning that too in 2003)," wrote Blair. "Does this portend anything for Syria's BW program? Perhaps, if the 2007 Israeli destruction of Syria's clandestine nuclear reactor in September 2007 precipitated Damascus to double down on its BW program."

In addition to traditional chemical weapons, Blair says there are unconfirmed reports of Iranian transfers of riot control agents (RCAs) or "incapacitating agents" that have been used against the Syrian rebels.

"The Syrians have undoubtedly used RCAs and/or incapacitants but there are no open source credible estimates of the quantities Damascus might possess of these non-lethal agents," said Blair today.

As for the possibility that the weapons have fallen into rebel hands, Blair said, "to my knowledge there are no credible open source reports of any chemical agents or weaponized chemical munitions transferring hands."

Still, "no one in the open sources knows anything for certain about Syria's lethal CW arsenal and alleged offensive BW capabilities," he added. 
