In one case pirates – actual pirates – boarded cargo ships armed with a list of which shipping containers contained jewelry and went straight to them, stole the gems and left.
In another, attackers took control of the mainframe at a water district, mixed sewage with the drinking water, boosted the chlorine to dangerous levels and stole customer information.
These are two of 18 representative case studies in Verizon’s new Data Breach Digest, a compendium of anonymized customer investigations performed by the company’s Research, Investigations, Solutions and Knowledge (RISK) Team and released at RSA Conference 2016.
The Data Breach Digest, new this year, is a companion to Verizon’s well established annual Data Breach Investigations Report (DBIR), which is heavy on metrics, graphs and statistics about cyber-threat trends, how to predict them and how to prevent them.
The Data Breach Digest tells the stories behind the metrics that give readers a trench-level view of what it’s like to investigate these breaches and a sense of what it feels like to be the victim.
The goal of the report is to give a trench-level view of the predicaments breach victims find themselves in, and the stories serve as object lessons readers can use to defend their own networks, says Bryan Sartin, director of the RISK Team. “The DBD is a great big book of monsters,” he says.
For the digest, Verizon looked at three years of data breach investigations – about 1,200 customer cases. “What we found completely shocked us,” he says. “Almost 65% of the investigations can be explained in 12 breach categories.” These are the same bad stories that play out in somebody’s back office, one enterprise after another,” Sartin says.
To that dozen, Verizon added six more categories because they were the most lethal, not because they were common. That brings the total to 18, which Verizon then broke down into four types:
- Human exploitation, social engineering;
- Compromising devices that lead to attacks on valuable assets;
- Exploiting configuration and patching errors;
- And malicious software.
In its war against breaches, Verizon took a page from the U.S. Army’s combat-engagement model that has troops study the most lethal and common methods of engagement they are most likely to face in actual combat. “That’s exactly what we’ve done here,” he says.
The value is that it can help teach smart security by learning from others’ mistakes, he says. It’s organized so, for example, a security pro in retail can look up cases that were carried out against retailers. Just three or four attack scenarios might account for 50% or 60% of all breaches in their sector, helping to focus their defenses.
Sign up for CIO Asia eNewsletters.