Cyber attackers are well-funded, cunning, ruthless and otherwise mean people. But they get a helping hand from their victims, according to the Verizon 2016 Data Breach Investigations Report.
Released this week, the report found after examining 64,199 incidents and 2,260 breaches in 82 countries — including Canada — that 63 per cent of confirmed data breaches involved leveraging weak, default or stolen passwords. And despite awareness training, a lot of employees still can’t recognize phishing messages.
As usual the breezily-written report provides sobering reading for CISOs, who should pass it on to their teams. Highlights include:
–We’re still suckers: Almost a third (30 per cent) of phishing messages were opened—up from 23 per cent in 2014. And 12 per cent of targets went on to open the malicious attachment or click the link—about the same as 2014 (11 per cent). Of 636,000 targeted phishing emails examined, only 3 per cent of the potential victims notified management of a possible problem.
–It would be a mistake to think the biggest risk you face is from new-to-the-world vulnerabilities. Most attacks exploit known vulnerabilities—where a patch has often been available for months, if not years;
–Don’t obsess over the risk of insiders: The overwhelming number of breaches – upwards of 80 per cent – are still made by external actors;
–Attackers are getting even quicker at compromising their victims (think of how fast a phishing exploit works);
–For all the money CISOs spend on defence, the odds are that law enforcement and/or a third party will alert you to a breach, not all the dashboards you have running.
The overwhelming number of breaches and incidents are covered by the same nine patterns seen in the past few years, says the report. The biggest are:
–Miscellaneous errors (17.7 per cent), including a shortage of server capacity that lets non-malicious Web traffic spikes crash applications, and sending sensitive information to the wrong person.
REMEDIES: Keep a record of common errors to sharpen security awareness training and to measure the effectiveness of your controls; consider using data loss prevention (DLP) software; make sure your assets are wiped of sensitive data before they’re sold;
–Insider and privilege misuse (16.3 per cent), mainly by insiders. Contrary to what some people think, it’s rarely system admins or developers with elevated privileges who are behind it. End-users account for a third of insider misuse.
REMEDIES: Limit access to sensitive data to those who really need it — and track that access by monitoring user behaviour. Also, track USB usage.
–Physical theft and loss (15.1 per cent), including laptops, USB and other drives, and printed documents.
REMEDIES: Encrypt data, train your staff in security awareness and reduce the amount of paper with data classification and printing rules.
–Denial of service (15 per cent). In addition to disrupting the organization, DDoS attacks can mask other attacks. (See Web app attacks, below.)
REMEDIES: Segregate key servers, choose providers that can protect their service and yours, and, if you have one, test your anti-DDoS service.
–Crimeware (12.4 per cent). Covers the use of malware that doesn’t fit a more specific pattern. Includes ransomware.
REMEDIES: Patch promptly, initiate configuration change monitoring, and examine the different types of malware you’ve fallen foul of—and, if possible, the entry point. This gives intelligence on where to prioritize your efforts. And back up systems regularly.
–Web app attacks (8.3 per cent). Many web app attacks are indiscriminate—the attackers found a weak target with a vulnerability they could compromise, or got a foothold through a phishing campaign. Verizon counted almost 20,000 incidents where compromised websites were used in distributed denial of service (DDoS) attacks or repurposed as phishing sites.
REMEDIES: Use two-factor authentication. Lock out accounts after repeated failed attempts. Consider using biometrics for authentication. Patch promptly.
This is just a small part of the 80-page report. It’s full of nuggets.