Return on investment for hackers

Declan O’Riordan, head of security testing, T&VS
You’re a criminal. You want a good return on your investments. Actually, I hope the former statement is false, but I expect the latter is probably true. When it comes to cyber-attacks, some methods appear far more likely to succeed than others. Let’s take a look at some figures revealed by Verizon.

In their sample of 63,437 incidents (i.e. events that adversely affect information assets), physical theft and loss of IT assets such as laptops accounted for 14% of all incidents. You might expect a corresponding 14% of breaches (i.e. incidents with confirmed data compromise) to be caused by physical theft and loss. In fact, the associated share of breaches is less than 1%, thanks to controls such as user authentication and device and data encryption that make a lost or stolen asset hard to turn into a data compromise. Insider misuse is a common problem at 18% of all incidents, but again the share of successful breaches is considerably lower, at 8%. The lesson here for attackers is that some malicious actions provide a poor rate of return and are best left to opportunists.

[Figure: threat incidents vs. breaches, Verizon data]

Which types of attack offer a good chance of success? It is difficult to analyse how much preparation goes into a typical web application attack, since some are far more carefully crafted than others and successful criminals tend to keep their trade secrets secret. One thing we can see is that while web application attacks amounted to a mere 6% of incidents, they led to a whopping 35% of all confirmed breaches in the sample. That is by far the largest percentage for any type of threat, and it is unsurprisingly a strong growth area for attacks.

Are there any threats that offer a better chance of breaching security? Yes, several. Point of Sale (POS) intrusions and card skimmers each featured in less than 1% of incidents but led to 14% and 9% of breaches respectively. The greatest probability of success of all threat types comes from the most organised of malicious parties: cyber-espionage. Whereas amateurs and hacktivists might mess about with Denial of Service attacks (3% of incidents, 0% of breaches, since a DoS disrupts availability without disclosing data), the hard-core cyber criminals work in well-organised project teams with clear objectives. Cyber-espionage accounts for 1% of incidents but 22% of breaches!

What lessons can honest parties learn from this? I would suggest we target our defence spending according to the current most serious threats. Clearly web applications need to be designed, developed and tested to be more secure. The security of POS and card payment systems leaves much to do, especially in hardening the devices themselves, locking down hub-and-spoke retail networks, and reducing the trust placed in systems with external access. As for cyber-espionage, the spies will be looking for weaknesses in every area, and that means a wholesale improvement in making people more aware, putting secure processes in place, and configuring the technology to do what the customer wants and not what the spy wants it to do!


Free white papers on how to start building and testing secure web applications.

The purpose of these documents is to set out good practice for avoiding security vulnerabilities on any Web Application project and they include:

            – An explanation of Web Application Security Development and Testing

            – Guidelines for developers and testers to reduce the top ten application security risks

Download your free white papers now.


Free Executive Briefing / Webinar on Internet Security (20 January 2015).

If your company writes or uses software connected to the Internet this briefing will inform you of the security threats you face, your responsibilities in respect of those threats and practical suggestions on how to discharge those responsibilities.

Register for the Executive Briefing here.

6th January, 2015 | Blog, Security, Thought Leadership