New cyber-threats that go bump in the night

April 22, 2014: 11:20 AM ET

App attacks, crimeware, skimmers, and other cybersecurity concerns for enterprise executives, per Verizon's latest data breach report.


FORTUNE -- It's that time of year again: Spring is in the air, Monarch butterflies are traveling north, and Verizon's (VZ) data breach report is making the rounds, freaking out already freaked-out chief information security officers around the globe.

The annual report compiles and analyzes more than 63,000 security incidents (as well as 1,300 confirmed data breaches) from about 50 companies worldwide. This year's 60-page document identified nine main patterns of attack, including point-of-sale intrusions, denial-of-service attacks and acts of cyberespionage. According to Verizon, 94% of all security incidents in 2013 can be traced to these nine basic categories.

(As for the other 6% of threats facing corporate America, well, ignorance is bliss, right?)

Here, our summary of the most pressing security threats for major companies:

1. Web app attacks

Hands down, this is the most common type of data breach. According to Verizon's report, web applications remain the "proverbial punching bag of the Internet." How do the bad guys do it? Phishing techniques, installing malware, and, yes, correctly guessing the name of your first stuffed animal, your oldest cousin's eye color and your nickname in sixth grade. There are ways to better protect Internet-facing applications, Verizon insists, and it starts with two-factor authentication.

2. Cyberespionage

Incidents of unauthorized network or system access linked to state-affiliated actors have tripled -- that's right, tripled -- over the last year. Espionage exhibits a wider variety of "threat actions" than any other attack pattern, Verizon says, which means that once intruders gain access, they're making themselves comfortable and partaking in all sorts of activities, from scanning networks to exporting data. Verizon warns that we can't keep blaming China, though -- at least not just China. About 21% of reported incidents are now being instigated from Eastern Europe.

3. Point-of-sale intrusions

Given the recent high-profile Target (TGT) breach, in which hackers gained access to the credit card numbers of some 40 million customers, this may seem like the attack pattern du jour. But Verizon claims point-of-sale intrusions have actually been trending down over the last several years. "Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront," the report's authors write. "But at the risk of getting all security-hipster on you -- we've been talking about this for years." Still, retailers and hotel companies in particular need to be concerned about this kind of attack. It only takes one massive point-of-sale intrusion to scare away customers and investors -- just ask Target.

4. Payment card skimmers

Skimming mainly affects ATMs and gas pumps, and is a relatively crude form of attack that requires a skimming device to be physically added to a machine. It's hardly a new tactic, but what's different today is the way that the data from "skimmed" payment cards is collected. Before, a criminal had to retrieve the skimming device; now, a thief can remotely collect the data using Bluetooth or other wireless technologies. More modern ATMs are designed to be relatively tamper-free, but this is still a big problem in some parts of the world, such as Bulgaria and Armenia.

5. Insider misuse

Not sure what falls under this category? Imagine someone akin to the rebel NSA defense contractor Edward Snowden, or pretty much any unapproved or malicious use of organizational resources. The most common examples of this are employees using forbidden devices (e.g. USB drives) or services to send intellectual property to their personal accounts -- or, more deliberately, posing as another user and sending messages aimed at getting a colleague fired. According to Verizon, many of the people committing these crimes are payment chain personnel and end users, but C-suite managers were more to blame in prior years. Bottom line: Trust no one.

6. Crimeware

This category includes any malware incident that doesn't fit into the espionage or point-of-sale buckets. The goal is always some kind of illicit activity, such as stealing users' online banking credentials. Most forms of crimeware start with web activity such as downloads or so-called drive-by infections, where a virus can be downloaded when a user unknowingly clicks on a deceptive pop-up window. What can corporations do to combat these types of attacks? Keep software such as browsers up to date.

7. Miscellaneous errors

Oops, I did it again -- as in, I sent an email containing sensitive information to the wrong recipient. That's the most common example of this kind of unintentional data disclosure. Others include accidentally posting non-public information to a company's web server or even snail-mailing documents to the wrong physical address. There's no cure for human error (other than replacing humans with computers, of course), but Verizon says corporations can implement data loss prevention software to reduce instances of sensitive files sent by email and tighten processes around posting documents to internal and external websites.

8. Physical theft/loss 

Here's a fun fact: It turns out that corporate assets like phones and laptops are stolen from corporate offices more often than from homes or vehicles. The primary cause of this type of incident? Carelessness. According to the Verizon report: "Accidents happen. People lose stuff. People steal stuff. And that's never going to change." The only thing you can change, advises the company, is to encrypt devices, back up data, and encourage employees to keep their gadgets close.

9. Distributed denial-of-service attacks

Last but not least, so-called DDoS threats include any attack aimed at compromising the availability of networks and systems. These are primarily directed at the financial, retail and public sectors. And while the motives behind shutting down corporate, consumer-facing websites remain the same -- extortion, protest, or perverse fun -- the tools at attackers' disposal have become more sophisticated and more thoughtfully named, such as "Brobot" and "itsoknoproblembro."
