Verizon's Data Breach Investigations Report (DBIR) - What's new in 2015

July 2015

I have been reviewing Verizon's DBIRs since 2012 and intended to do the same this year. Apparently, I do not need to write a new post as my review from last year is still valid where majority of security incidents (96% to be exact) fall into one of the nine incident patterns defined in 2014. I would say my previous review is still applicable this year with the addition of a few points below;
  • Point of Sale (POS) Intrusions took over the top position from Web Application Attacks that is now down to 9.4% from its huge slice of 35% last year. Maturity of technical vulnerability management processes look like on the rise, though the report does not jump into simple conclusions as such.
  • Crimeware (represents generic malware infections) and Cyber-Espionage compromise other big slices; 18.8% and 18% of the total number of incidents respectively.
  • External actors are still the major player of incidents. No surprise!
  • RAM Scraper has become a significant threat action this year. This must be in relation to the big slice of POS intrusions (28.5% of data breaches) where sensitive data momentarily reside unencrypted in RAM for processing.
  • Phishing is still rising with a slowing rate of growth. In contrast, keylogger malware  has been in decline.

DBIR Team introduces new themes every year to make the report contemporary and to keep readers' interest with fundamental takeaways. We have eight outcomes this year that is presented in episodes as a result of pattern-based analysis of incidents. These outcomes are roughly listed below;
  • Incident patterns are not industry-specific. Threat intelligence initiatives should span across industries.
  • Phishing is rising and becoming more effective. Awareness and training is considered as the biggest cure.
  • Vulnerabilities are exploited quickly after their disclosure to public. Half of the vulnerabilities exploited in 2014 fell within two weeks. 97% of these exploits were due to top ten vulnerabilities (CVEs). Nevertheless CVE scoring should not be the only reference for prioritization. Other factors are discussed in the report.
  • There is no significant evidence that mobile devices are a preferred vector in data breaches (yet!). Based on the data set, the number of infected mobile devices is negligible and infections mostly fit into the adnoyance-ware category.
  • Malware events have high volume and variation, and hit some industries more than others. This is considered as a result of weak policies and controls for some industries (e.g.financial industry performs better than education).
  • There is no linear correlation between the financial cost of breaches and the number of compromised data records.Larger organisations have higher losses per breach, but they typically lose more records and have higher overall costs. Prediction tables are provided in the report for financial impact estimates.
Some sections from last year have been eliminated this year, such as density of impacted industries as per each of the nine incident patterns and corresponding recommendations for the security controls. The DBIR Team must have thought that there are other good references specialized for selection of security controls

Though, the report is still a good read for security professionals at a peaceful moment. It is available here to download and further reading.