What a week. If you are like me, these are reports you have been waiting on since the beginning of the year, and with some spare time on a flight, reading them filled up my time. 2016 was a major year for cyber-crime and disruption, with many significant data breaches: the presidential elections, the Distributed Denial of Service (DDoS) attacks using a botnet of Internet of Things (IoT) devices, and the biggest data disclosure to date, twice, with Yahoo.
This is now the tenth version of the Data Breach Investigations Report, and one common trend is that data breaches are growing with cyber-crime and are now part of everyday life. A big question is whether cyber-crime has been influenced by the divide of opinion, or the divide of opinion has been influenced by cyber-crime. Only time will tell.
For years, it was hard to determine real-world metrics for cyber-crime, with many incidents going unreported or not disclosed. If you are not measuring anything, of course, everything always looks good, but the report tears away the covers to reveal the truth. It highlights the ugly side of cyber security, the trends, and the lack of proactive action. It is not all doom and gloom; these are lessons learned from the transparency of real cyber breaches, to help the world change its mindset and act on them.
What did we learn from this report? Well, the actors remained the same, with external attackers representing 75% of breaches, 25% from internal actors, 18% by nation states, and 51% from organized crime. I guess the surprise for me was the number of attacks attributed to nation-states. This means offensive cyber-attacks and espionage are becoming the new political playground. Another surprise was that only 2% involved partners, which I honestly thought would be higher due to the risks in the supply chain.
A major highlight in the report is the techniques used: a whopping 81% of breaches used stolen/weak passwords, 43% used social techniques, and 51% used malware. It appears social networks are a major weakness in security, ultimately leading to exposures via stolen/weak passwords and finally to dropped malware payloads. To me, these techniques are typically combined or form part of multiple stages of the same attack.
The victims continued to be the same, with financial, healthcare, public, government, retail, and accommodation being the sectors most targeted by cyber-crime. Education appears to have got off a bit lightly this time around. Email continues to be the weapon of choice, and financial motivation continues to be the main reason for cyber-crime. The surprise for me was that only 27% of the breaches were discovered by third parties, meaning companies are getting better at detecting breaches themselves.
Privilege abuse was a huge topic in the report, with the motives for privilege abuse being either fun, grudges, or financial motivation. A large increase was seen in the number of credentials stolen in 2016 compared to previous years, keeping in line with my prediction that credentials are now the asset most targeted by cyber criminals, who use those credentials to blend in with normal authorized traffic, carry out malicious activity, and remain hidden behind valid logins. This was highlighted in the report and for me is an area that needs more attention in cyber security. Personal information also kept with the trend and was consistent with previous years.
A common quote from the report was, “Privilege misuse represents 96% of all data breaches within Accommodation”. This was echoed again in healthcare, manufacturing, and the public sector, and is a major industry problem that needs to be addressed. Privilege misuse was third in breaches, just behind Web App attacks and Cyber Espionage, and second in incidents, just behind Denial of Service.
We have always talked about the concern related to breach dwell time, which is usually months and sometimes years. The biggest factor contributing to breach dwell time is usually privileged account abuse, with external attackers masquerading as privileged users. This means that breach dwell time can be directly related to privileged accounts.
Now, on passwords: “Again, if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned.” Another great quote in the report is, “Don’t use default passwords as doing so makes criminals’ lives much easier.”
Yes, our job in cyber security is to make the life of cyber criminals more difficult and to protect employees and the business from cyber threats. A nice quote is, “If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.”
This report brings great visibility into the ugly truth of the state of cyber security. The threat landscape is changing; cybercriminals’ techniques are evolving and becoming more effective. We continue to see many cyber breaches. If we look at why many of the cyber breaches in the past year occurred, it comes down to three major factors: the human factor, identities and credentials, and vulnerabilities. We need to do a better job of protecting and securing privileged accounts, both from external attackers and from privileged insiders.
In the digital social society, we are sharing more information, ultimately leaving ourselves much more exposed to social engineering and targeted spear phishing attacks, whose ultimate goal is to compromise our systems for financial fraud or to steal our identities in order to access the company we are entrusted with protecting. The perimeter has moved, and we need to move with it.
Read the full Verizon 2017 Data Breach Investigations Report here. And if you want to learn how to protect and secure privileged accounts, download our free Privileged Account Management for Dummies eBook.