Verizon's annual report on the latest trends in cyber-threats, one that is frequently referred to each year by cyber security experts, is out this week. Its big message? Low-tech threats pose the biggest risks by far.
Of the 621 confirmed "data breaches" (successful cyber-attacks) that Verizon's security team investigated around the world in 2012 -- in collaboration with 19 other organizations -- 99 percent were relatively unsophisticated. In fact, 78 percent of all attacks used methods requiring low or "very low" computer skills to gain entry to a target's networks. This means that "the average [computer] user could have done it" or that attackers downloaded hacking tools from the web.
It's also worth pointing out that the vast majority of devices vulnerable to attack by hackers are still traditional computing tools like ATMs (30 percent), desktop computers (25 percent), file servers (22 percent), and laptops (22 percent), while newer tech, such as web applications, constitutes only 10 percent of the vulnerable computing assets, according to Verizon.
About 75 percent of attacks were motivated by financial gain for the hackers, while 19 percent were espionage cases by government-backed hackers. The vast majority -- 76 percent -- of these attacks were made possible by stolen or weak passwords. (Hmm, does this sound familiar?) As the report's executive summary states, "If you want to see how widely available hacking tools have become, do a web search for 'password cracker.'"
So, who were the victims that Verizon's researchers studied? Thirty-seven percent were financial firms, 24 percent were retail or restaurants, 20 percent were manufacturing, transportation and utilities firms, and 20 percent were professional services providers.
Who was doing the attacking?
"The majority of financially motivated incidents we looked at originated in the U.S. or Eastern Europe - particularly Romania, Bulgaria and the Russian Federation," reads the report's executive summary. "Espionage cases were predominantly attributable to East Asia. But the attacks that we studied happened to companies all around the world."
The report goes on to explain that three-quarters of all espionage cases targeted manufacturing, transportation and professional services industries. This makes plenty of sense. As Killer Apps has reported before, hackers are interested in stealing intellectual property from professional services providers such as law firms and learning about the business secrets and processes used by Western manufacturing firms and aerospace companies.
Of the espionage cases, 95 percent relied on some form of email phishing attack: "Even the most targeted and malicious attacks often rely on relatively simple techniques," the report states.
Still, phishing attacks "have become much more sophisticated, often targeting specific individuals (spear phishing) and using tactics that are harder for IT to control. For example, now that people are suspicious of email, phishers are using phone calls and social networking."
(This last line should come as no surprise to anyone with a Twitter account. Who hasn't received the "Check out this awful thing people are saying about you here" tweet?)
Meanwhile, the report's authors insist that the oft-repeated dictum that a company's employees constitute its greatest cyber-threat is not accurate. "Contrary to popular belief, 86 percent of the attacks do not involve employees or other insiders at all. Of the 14 percent that do, it's often lax internal practices that make gaining access easier than you expect."
Specifically, this means that more than half of the employees committing cyber-sabotage were taking advantage of "old accounts or backdoors that weren't disabled" after the employees left their companies. In fact, 70 percent of IP theft cases committed by employees took place within 30 days of their announcing their resignation from their companies.
The report repeats over and over again that attackers are going after targets of opportunity. Basically, cybercriminals don't need to employ highly advanced hacking tools because the victims make it easy for the attackers to get in.