The Verizon annual Data Breach Investigations Report was published last week.
The Data Breach Investigations Report (DBIR) summarises findings from the collection and analysis of almost 80,000 security incidents relating to over 2,000 confirmed data breaches, sourced from 70 contributing organisations.
A breakdown by industry sector is provided. The 2015 DBIR incident and breach information collection processes have no substantial changes from the 2014 DBIR, focusing on security events resulting in confirmed data disclosure, as well as other security incidents such as denial-of-service attacks, and compromises of systems without data loss. The report re-iterates that it only represents a sample of events — the results are only representative of the sources of information contributed.
An analysis of the threat actions illustrates that the proportion of actions involving RAM scraping is growing, spyware/keylogger is falling and both credentials and phishing are broadly similar.
There is plenty of interesting data on breach discovery, phishing, patching, malware, industry profiles and impacts.
The discussions on the problems with threat intelligence and the limited impact of mobile device compromise are insightful.
Nine common incident classification patterns are used to summarise the findings, including "web application attacks", accounting for 9.4% of incidents. Almost all the attacks in this category were opportunistic in nature, with information, financial services, and public entities being particularly affected. Use of stolen credentials are the most common action involved.
The last figure in the report (illustrated above) is a mapping from the recommended SANS Critical Security Controls to incident event chains. Although this only relates to Verizon's own source data, and not any of the other contributors, it illustrates that many basic security measures can help protect against the most common attacks. These include two-factor authentication, patching web services, verifying the need for internet-facing devices, proxying outbound traffic and web application testing.