The 2011 Verizon Data Breach Investigations Report examined breaches
that Verizon, the U.S. Secret Service, and the Dutch National High
Tech Crime Unit investigated in 2010. This report classified and
tallied the types of cyber threats that contributed to breaches.
Hacking and malware were utilized in the majority of the breaches,
at 50 percent and 49 percent, respectively. Social engineering was
involved in 11 percent of the breaches.1
These three threat types from the report, and several related terms,
are often used without being defined.
This article provides definitions of and statistics from the
report about hacking, malware, and social engineering as well as
the related terms pretexting, phishing, and spear phishing.
Hacking
Hacking is a broad term that describes all attempts to intentionally
access or harm information assets without or in excess of authorization
by thwarting logical security mechanisms. The three methods of hacking
utilized most commonly in hacking breaches were exploitation of
back doors or command/control functionality, exploitation of default
or guessable credentials, and brute force and dictionary attacks,
at 73 percent, 67 percent, and 52 percent, respectively. With a
back door installed, an attacker can bypass security mechanisms
and obtain access without using legitimate channels. Regarding the
other two methods, an attacker tries a few well-known combinations
of default credentials used on various types of systems and, if
necessary, then runs a brute force attack to crack the system.
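As an added illustration of how the default-credential and brute-force methods described above look to a defender, the following detection logic (example code written for this summary, not from the Verizon report) runs over constructed sshd-style authentication log lines; the failure threshold, time window, and list of default account names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in the style of an sshd auth log; not taken from the report.
SAMPLE_LOG = """\
2010-06-01T09:00:01 sshd[410]: Failed password for admin from 203.0.113.7 port 51122
2010-06-01T09:00:03 sshd[410]: Failed password for admin from 203.0.113.7 port 51123
2010-06-01T09:00:04 sshd[410]: Failed password for root from 203.0.113.7 port 51124
2010-06-01T09:00:06 sshd[410]: Failed password for guest from 203.0.113.7 port 51125
2010-06-01T09:00:08 sshd[410]: Failed password for jsmith from 203.0.113.7 port 51126
2010-06-01T09:00:09 sshd[410]: Accepted password for jsmith from 203.0.113.7 port 51127
2010-06-01T09:15:00 sshd[410]: Failed password for jdoe from 198.51.100.5 port 40001
2010-06-01T10:15:00 sshd[410]: Failed password for jdoe from 198.51.100.5 port 40002
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
# Account names that ship as defaults on many products (assumed list for illustration).
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "administrator"}

def parse(log_text):
    """Yield (timestamp, result, user, src) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect(log_text, threshold=4, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logins inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        by_src[src].append((ts, result, user))
    findings = {}
    for src, events in by_src.items():
        failures = sorted((ts, user) for ts, result, user in events if result == "Failed")
        for i, (start, _) in enumerate(failures):
            users = [user for ts, user in failures[i:] if ts - start <= window]
            if len(users) < threshold:
                continue
            findings[src] = {
                "failures": len(users),
                # Guessed default accounts point at the "default credentials" method.
                "default_accounts": sorted(set(users) & DEFAULT_ACCOUNTS),
                # A success following the burst is the event to escalate first.
                "success_after_burst": any(r == "Accepted" and ts >= start for ts, r, _ in events),
            }
            break
    return findings
```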
Malware
Malware is short for malicious software and means any software
or code developed or used for compromising or harming information
assets without the owner's informed consent. Malware enables or
prolongs access, captures data, and/or furthers the attack. The
most common means of infection for malware is installation or injection
by a remote attacker, constituting 81 percent of malware infections.
One example is an attacker breaching a system and then deploying
malware or injecting code via SQL injection or other Web application
input functionality. Web-based malware, the second most common means
of infection, comprises code that is auto-executed (also known as
drive-by downloads) and code that requires additional user interaction
beyond the page visit (e.g., fake audiovisuals scaring users to
"click here to scan and clean your infected system").
Sending data to an external site or entity, back doors, and keyloggers/form-grabbers/spyware
were the three most common functions found in malware breaches,
at 79 percent, 78 percent, and 66 percent, respectively. A back
door gives an attacker unauthorized access to infected devices;
through it, the attacker can install additional malware, use the device as
a launch point for further attacks, or retrieve captured data.
Keylogger toolkits allow an attacker to build a preconfigured remote
installation package that, once deployed on a target system, captures
data from user activity.
When malware captures sensitive information, that information must be taken
out of the organization's environment: either the malware sends
it out of the organization (in almost 8 out of 10 incidents involving
malware) or the attacker reenters the network to retrieve it. The
general rule is that smaller amounts of data are sent out (e.g., credentials
captured by keyloggers), while larger amounts of data are retrieved
(e.g., the contents of a network file share transmitted through
a back door's file transfer capabilities).1
Social Engineering
In a social engineering attack, an attacker uses human interaction
(i.e., social skills) to obtain or compromise information about
an organization or its computer systems. Social engineering tactics
include deception, manipulation, and intimidation to exploit the
human element or users of information assets. An attacker may be
able to put together enough information to infiltrate an organization's
network. If an attacker is not able to gather enough information
from one source, the attacker may contact a source within the same
organization and rely on the information from the first source to
add to his or her credibility.2 Often,
these actions are used together with other types of cyber threats
and can be conducted through both technical and nontechnical means.
Solicitation and bribery were the most common social
engineering tactics, used in 74 percent of social engineering breaches.
They frequently entail collusion between an
external agent and an insider: one party uses petitions, promises,
and payments to get the other to participate in the crime.1
Pretexting
Pretexting was used in 44 percent of social engineering breaches.
Pretexting is the practice of getting an individual's personal information
under false pretenses using a variety of tactics. The pretexter
may be able to obtain personal information including a Social Security
number, bank and credit card account numbers, information in a credit
report, and the existence and size of savings and investment portfolios.
However, some information about an individual may be a matter of
public record, including whether they own a house, pay their real
estate taxes, or have ever filed for bankruptcy. It is not pretexting
for another person to collect this kind of information.3
Counterfeiting and forgery were used in 16 percent of social
engineering breaches and can involve everything from websites to
documents, such as fake credentials (driver's licenses,
birth certificates, etc.).1
Phishing
Phishing attacks were used in 11 percent of social engineering
breaches. Phishing attacks use email or malicious websites to solicit
personal information by posing as a trustworthy organization. For
instance, an attacker may send email appearing to be from a reputable
credit card company or financial institution that requests account
information, often suggesting that there is a problem. When users
respond with the requested information, an attacker can use it to
gain access to the accounts. Phishing attacks may also appear to
come from other types of organizations, like charities. Attackers
often take advantage of current events and certain times of the
year, including: (1) natural disasters (e.g., Hurricane Katrina),
(2) epidemics and health scares (e.g., H1N1), (3) economic concerns
(e.g., Internal Revenue Service scams), (4) major political elections,
and (5) holidays.2 Interestingly, phishing
attacks are being used more often to gain a toehold in the victim's
environment through attached malware.
Spear Phishing
Spear phishing involves targeted emails that typically are used
as a catalyst for individuals to click on hyperlinks or open attachments,
allowing the downloading of malicious content to the user's device
and the unauthorized entry into an organization's network. Business
activities and products that could be leveraged by an attacker to
develop targeted emails addressed to individuals within an organization
include the following:
- media releases,
- business mergers and acquisitions,
- business reports, stock reports, and financial statements,
- competing for contracts,
- awarded contracts,
- technological breakthroughs,
- international dealings,
- other public information of interest to malicious actors,
- natural disasters,
- mentions by other parties in their public release statements,
- government or industry events,
- government or industry work stoppages, and
- international or political events.4