Another year and another Data Breach Investigations Report (DBIR) from Verizon.
Verizon’s DBIR has been making the rounds for 12 years now, gaining widespread industry respect with each edition. The 2019 version isn’t all that different from its predecessors (besides a shiny new bar chart), but it does give us some interesting insights on the world of data breaches over the past year.
Knowledge is power – especially in cyber security. Picking up on hackers’ trends early will invariably help an organisation stop a data breach further down the track. Here are five interesting findings that we think everyone should know about:
1. 33 percent of breaches featured social attacks
Hollywood can make cybercriminals seem like they’re geniuses at the ones and zeros, when in reality one-third of them would prefer to game and scam their targets for access to systems that hold sensitive information.
Verizon found that over the past five years, the number of breaches involving social attacks doubled to 33 percent. Within those social attacks, phishing is far and away the most popular and is used in 80 percent of all data breaches, according to the report.
While technical tools can be implemented to restrict the number of phishing emails that reach a mailbox, this tactic doesn’t address the other two points of the “people, process and technology” triangle.
Security awareness training is a key tool in educating users on how to recognise a social engineering attempt and also what actions to perform when they see something suspicious. Integrity360 can provide training to users around phishing, handling sensitive data, password creation, safe web browsing, social media best practise and many more. These help to reduce the risk of a successful social engineering attempt.
2. 56 percent of breaches took months or longer to discover
We’re not mad that more than half of the companies that suffered a data breach couldn’t detect it for months, we’re just disappointed.
With the variety of tools at organisations’ disposal, there shouldn’t be such a large segment of businesses that have difficulty in detecting when things go awry in their systems.
Integrity360 understands how difficult it is for organisations to detect suspicious activity over a wide variety of technologies and tool-sets using in-house specialists that are difficult to find and retain. Integrity360 have built a Managed Security Service to address this gap.
Using a combination of industry leading security monitoring and detection technologies alongside highly skilled and dedicated security experts, we provide clients with a full end-to-end security operation. This ensures key client data and systems are afforded maximum protection and monitoring, and that any unusual activity is detected and investigated on behalf of the organisation. The result is a reduction in the time it takes to detect an attack and the ability to limit the impact of any malicious actions.
3. System admins trending up as threat actors
Although system admins have seen a small spike in recent years as being the threat actors behind a breach, the author of the report explained that the data is slightly deceiving.
Data leaks due to misconfigured cloud servers are attributed to system administrators because, well, they’re misconfigured. These types of incidents have seen a rise in recent years as companies rush to the cloud without committing to a security-first migration or deployment strategy.
While the major cloud vendors will be the first to tell you about the tools and reporting functionalities that they have in place to highlight leaky buckets and publicly accessible shares, the buck ultimately stops with the sys-admins who are responsible for configuring the those services. S3 buckets and the like are secure by default and it is often substandard practices that lead such services to being opened up and left unsecured.
Integrity360 believe that a part of any successful cloud-first strategy is a security-first mentality. This would include the design, build and execution of supporting governance processes to assess and critically evaluate the ebb and flow of an organisation’s cyber exposure – allowing organisations to spot and correct misconfigurations before they become headlines.
Integrity360’s Cyber Security Testing Teams, Cyber Risk and Assurance Teams and Cloud Specialists are geared to helping our clients understand and manage these risks.
4. Denial of Service is the top action in incidents; phishing is the top action in breaches
What’s the difference between security incidents and security breaches? Incidents may include failed attempts to compromise a company’s network, disrupt service availability or more generally cause trouble. Breaches on the other hand refer to successful attempts to compromise systems and will often include the exfiltration of sensitive data.
It’s no surprise that Denial of Service (DoS) is the most common action in incidents. It’s relatively easy to carry out with how popular Hacking-as-a-Service has become as of late. Similarly, phishing can also provide access to systems containing sensitive information without much hacking expertise necessary. It’s easy to see why hackers love these two techniques.
It should be a given that any company providing internet-enabled services – ranging from e-commerce websites and application services through to basic functions like email – should have Denial of Service (DoS) protection mechanisms in place. There are a wide range of vendors available that offer both cloud and on-premise solutions, with multiple licensing models to suit all needs; there should be no excuses not to have these.
With regards to phishing, while we would almost always advocate user-awareness training as a first measure, there are also ways to effectively address or mitigate threats by sensible technology placement.
Content filtering services should include sandboxing and heuristics detection as a standard, to alert against possible malicious payloads. Multi-Factor Authentication should be applied to all accounts to protect against the various credential harvesting schemes and credential stuffing campaigns that are becoming all too common.
5. Ransomware is the least common action in data breaches
It was just two years ago that WannaCry was the most terrifying cyber-attack to hit the web. Ransomware has always been around but it has gained even more prestige as of late, as Bitcoin and other cryptocurrencies have given cybercriminals a way to better cover up their tracks and secure payment.
However, ransomware was the least common action used in data breaches in 2018, according to the report. This may be attributed to the fact that most ransomware attacks hold the data hostage rather than try to steal it, making tactics like a backdoor or keylogger much more useful to carry out a data breach.
In the last five years there has been an enormous increase in the use of ransomware with names such as TeslaCrypt, Wannacry and NotPetya gaining notoriety. This notoriety has forced businesses to take IT Security more seriously. Consequently, patching schedules have been tightened and investments have been made both in prevention tools but also monitoring and user awareness.
Unfortunately, this has done little to curb the success of such campaigns and they’re in fact increasing in volume and value with lesser-known ransomware strains such as SamSam, BitPaymer and GandCrab being used successfully to target governments, healthcare providers and consumers.
Ransomware creators respond quickly to security solutions that detect and prevent the spread of their tools. In response, security teams need to mimic this and become more responsive to current threats and adapt their tools to keep their IT and business safe.