This pattern consists of “Misuse” actions, which are intentional actions undertaken by internal employees that result in some form of security incident.
Notable findings: Misuse is down as a percentage of incidents, as the other patterns increase by association. However, that could be attributed to lower-granularity data this year and may rise back to previous levels in 2021. On the other hand, breaches are showing a legitimate drop, which appears to be associated with less misuse of databases to access and compromise data.
Life is full of accidents and, not to disappoint Bob Ross, not all of them are happy little trees. This pattern captures exactly that: the unintentional (as far as we know) events that result in a cybersecurity incident or data breach.
Notable findings: The majority of these errors are associated with either misconfigured storage or misdelivered emails, committed by either system admins or end users. We’ll let you figure out which actor is associated with which action. In terms of discovery, these are often found by trawling security researchers and unrelated third parties who may have been on the receiving end of those stray emails. The Results and Analysis Error section goes into even more detail for those of you with this unique predilection.
Payment Card Skimmers
This pattern is pretty self-explanatory: These are the incidents in which a skimmer was used to collect payment data from a terminal, such as an ATM or a gas pump.
Notable findings: Our data has shown a continuous downward trend of incidents involving Point of Sale (PoS) Card Skimmers, which are now down to 0.7% of our breach data. At approximately 30 incidents, it is showing a relatively marked decline from its peak of 206 back in 2013. This decrease could be attributed to a variety of different causes, such as less reporting to our federal contributors or shifts in the attacker methodology.
Point of Sale (PoS)
This pattern includes hacking and remote intrusions into PoS server and PoS terminal environments for the purpose of stealing payment cards.
Notable findings: Much like the Payment Card Skimmers, this pattern has seen a notable decrease in the last few years, making up only 0.8% of total data breaches this year. The majority of these incidents include the use of RAM scrapers, which allow the adversaries to scrape the payment cards directly from the memory of the servers and endpoints that run our payment systems. However, the majority of payment card crime has moved to online retail.
Lost and Stolen Assets
These incidents include any time an asset and/or data might have mysteriously disappeared. Sometimes we will have confirmation of theft and other times it may be accidental.
Notable findings: This pattern tends to be relatively consistent over the years with approximately 4% of breaches this year (the previous two years fluctuating from 3% to 6% of breaches). These types of incidents occur in various locations, but primarily in personal vehicles and victim-owned areas. Don’t forget to lock your doors.
Incidents in this pattern include anything that has a web application as the target. This ranges from attacks against the code of the actual web application, such as exploiting code-based vulnerabilities (Hacking—Exploit Vuln), to attacks against authentication, such as Hacking—Use of Stolen Creds.
Notable findings: In the data provided by contributors who monitor attacks against web applications (Figure 49), SQL injection vulnerabilities and PHP injection vulnerabilities are the most commonly exploited. This makes sense since these types of attacks provide a quick and easy way of turning an exposed system into a profit maker for the attacker. However, in vulnerability data, cross-site scripting (XSS), the infamous ding popup vulnerability, is the most commonly detected vulnerability and SQLi attacks are only half as common as XSS.