The 2009 Verizon Business Supplemental Data Breach Report identified and ranked by frequency the following top 15 types of attacks:

1. Keylogging and spyware: Malware specifically designed to covertly collect, monitor and log the actions of a system user.
2. Backdoor or command/control: Tools that provide remote access to or control of infected systems, or both, and are designed to run covertly.
3. SQL injection: An attack technique used to exploit how Web pages communicate with back-end databases.
4. Abuse of system access/privileges: Deliberate and malicious abuse of resources, access or privileges granted to an individual by an organization.
5. Unauthorized access via default credentials: Instances in which an attacker gains access to a system or device protected by standard preset (widely known) user names and passwords.
6. Violation of acceptable use and other policies: Accidental or purposeful disregard of acceptable use policies.
7. Unauthorized access via weak or misconfigured access control lists (ACLs): When ACLs are weak or misconfigured, attackers can access resources and perform actions not intended by the victim.
8. Packet Sniffer: Monitors and captures data traversing a network.
9. Unauthorized access via stolen credentials: Instances in which an attacker gains access to a protected system or device using valid but stolen credentials.
10. Pretexting or social engineering: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information.
11. Authentication bypass: Circumvention of normal authentication mechanisms to gain unauthorized access to a system
12. Physical theft of asset: Physically stealing an asset.
13. Brute-force attack: An automated process of iterating through possible username/password combinations until one is successful.
14. RAM scraper: A fairly new form of malware designed to capture data from volatile memory (RAM) within a system.
15. Phishing (and endless "ishing" variations): A social engineering technique in which an attacker uses fraudulent electronic communications (usually e-mail) to lure the recipient into divulging information.