Verizon has released its 10th annual Data Breach Investigations Report (DBIR), a comprehensive and multi-faceted look-back on breach trends, threat actor tactics and apparent motivations, based on analysis by the company or one of its 65 partners of 1,935 breach events occurring in 2016.
Among key findings: financial and espionage remained the top two motives, together accounting for 93% of breaches. It should surprise no one that organized criminal groups continue to use ransomware to extort money from their victims, but because most victim organizations haven’t commented publicly on payments or data disclosure, specific financial data is not available. Verizon also cites a motive category it calls Fun, Ideology and Grudge (FIG), which typically shows up in insider breaches.
The study notes that in absolute numbers, insider breaches have remained relatively constant, with an increase of around 12%. It finds:
· 75% perpetrated by outsiders.
· 25% involved internal actors.
· 18% conducted by state-affiliated actors.
· 51% involved organized criminal groups.
· 3% featured multiple parties.
· 2% involved partners.
In terms of tactics, 81% of hacking-related breaches leveraged stolen and/or weak passwords. “This report casts an important light on the potential risks and exposure tied to weak static passwords which are easily compromised and re-used across multiple sites to perpetrate fraud,” David Vergara, Head of Global Product Marketing with VASCO Data Security, notes. “Hackers are mastering scale, efficiency and discipline to maximize gains and the fuel for this malicious activity, personal data/credentials, is spiking up year-over-year. This is a problem that two-factor authentication solves very effectively.”
Amichai Shulman, co-founder and CTO of Imperva, offered further measures: “To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treat with caution logins from unexpected countries and anonymous sources, and compare login data to popular passwords and stolen credentials.”
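Shulman's list maps onto a handful of checks a login service can run on every attempt. The following is an added illustration of those checks, not code from Verizon, Imperva or the report; the password lists, IP addresses (drawn from the RFC 5737 documentation ranges), per-user country table, user-agent markers and the 5-attempts-per-5-minutes threshold are all constructed or assumed for the example.

```python
"""Login-risk checks: rate limiting, automated-client and anonymous-source
detection, unexpected-country flagging, and comparison against common and
breached passwords. Added example; all data below is constructed."""
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample data standing in for real feeds.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}
# A breach corpus would be consulted by hash, never stored in clear text.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("Summer2016!", "hunter2")
}
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"DE"}}      # per-user baseline
ANONYMOUS_SOURCES = {"203.0.113.77"}                        # e.g. proxy/Tor exits
AUTOMATED_UA_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/")

MAX_ATTEMPTS = 5        # assumed threshold
WINDOW_SECONDS = 300    # assumed sliding window


class LoginGuard:
    """Tracks attempts per account and per source IP in a sliding window."""

    def __init__(self):
        self.attempts = defaultdict(deque)

    def _rate_limited(self, key, now):
        q = self.attempts[key]
        while q and now - q[0] > WINDOW_SECONDS:   # drop attempts outside window
            q.popleft()
        q.append(now)
        return len(q) > MAX_ATTEMPTS

    def evaluate(self, username, password, source_ip, country, user_agent, now=None):
        """Return the list of risk indicators raised by one login attempt.
        In production the rate-limit check runs before the password is verified;
        here every check is evaluated in one pass for clarity."""
        now = time.time() if now is None else now
        reasons = []
        # Count both keys every time; do not short-circuit one behind the other.
        user_hit = self._rate_limited(("user", username), now)
        ip_hit = self._rate_limited(("ip", source_ip), now)
        if user_hit or ip_hit:
            reasons.append("rate_limited")
        if any(m in user_agent.lower() for m in AUTOMATED_UA_MARKERS):
            reasons.append("automated_client")
        if source_ip in ANONYMOUS_SOURCES:
            reasons.append("anonymous_source")
        if username in EXPECTED_COUNTRIES and country not in EXPECTED_COUNTRIES[username]:
            reasons.append("unexpected_country")
        if password.lower() in COMMON_PASSWORDS:
            reasons.append("common_password")
        if hashlib.sha256(password.encode()).hexdigest() in BREACHED_PASSWORD_HASHES:
            reasons.append("breached_password")
        return reasons


def decide(reasons):
    """Map indicators to an action: block, force a reset, step up, or allow."""
    if "rate_limited" in reasons or "automated_client" in reasons:
        return "block"
    if "common_password" in reasons or "breached_password" in reasons:
        return "require_reset"
    if "anonymous_source" in reasons or "unexpected_country" in reasons:
        return "step_up_auth"
    return "allow"


if __name__ == "__main__":
    guard = LoginGuard()
    for n in range(7):   # seventh attempt in the window trips the limiter
        r = guard.evaluate("alice", "hunter2", "198.51.100.10", "US", "Mozilla/5.0", now=1000.0 + n)
        print(n + 1, r, decide(r))
```

The password comparisons only make sense after the submitted password has been verified as correct, since the goal is to catch a valid credential that is already public; the rate limiter and client checks, by contrast, should run before any password verification so that brute forcing is stopped cheaply.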
The DBIR also notes that some 62% of breaches employed hacking tactics, over half of breaches included malware, and 43% included social tactics such as pretexting – the use of social engineering to obtain privileged data or resources under false pretenses.
Paul Calatayud, CTO, FireMon, said: “Pretexting is a very big threat because it takes advantage of urgency and common cultural situations where employees will set aside procedures and policies in order to make sure the boss does not get upset. Most phishing training focuses on the content - malware and links - more than the sender, and in this case the sender and what is being asked is the issue.”
In addition to hacking, malware and social engineering, the report notes that in 2016, 14% of attacks were the result of privilege misuse and another 14% were the result of error.
For the first time, Verizon’s annual look-back examined events by sector at a granular level: 24% of attacks analyzed occurred in the financial sector, 15% in the healthcare sector, 12% in the public sector, and together, retail and accommodation were another 15%.
Regardless of industry sector, “People rely on how they’ve always done things, and often depend on out-of-date defense,” said Pravin Kothari, Founder, Chairman & CEO, CipherCloud, even as enormous volumes of data keep shifting to the cloud. He does, however, see the financial sector evolving its strategies. “Increasingly, applications and data are outside a financial firm’s direct control. To mitigate data breaches and ensure that attackers don’t monetize client data, firms are building ‘ethical firewalls’ to strictly authorize access to data in SaaS applications and employ encryption of sensitive data. This removes the profit incentive from stolen data, thwarting fraud and identity theft.”
Kothari warns that the healthcare sector must similarly adapt. “Millions of healthcare workers are accessing patient data in the cloud via mobile devices. Security leaders need to adopt data-centric approaches like encryption to avert unintentional and malicious threats to personally identifiable information (PII)/protected health information (PHI), ensure that sensitive data is not accidentally shared, and that data can be ‘digitally shredded’ on lost or stolen devices.”
Other common threads among the report’s findings: 66% of malware was installed via malicious email attachments, 73% of breaches were financially motivated (hardly a surprise), 21% of breaches were related to espionage, and 27% of breaches were discovered by affected outside parties, such as customers whose data had been compromised.
Innovation ahead: Robert Capps, VP of Business Development for NuData Security, summarized that “Organizations that transact online, such as banks, e-commerce stores, gaming and other vendors, can take a more nuanced approach to authentication by evaluating as much contextual information about customer interactions as possible to determine if it truly is the right user presenting themselves. Passive biometrics and behavioral analytics technology can distinguish good from bad users even when new devices and correct stolen credentials are used because they rely on a different set of keys – consumer behavior, removing the value of stolen credentials.”
As broad in scope as Verizon’s analysis is, Brian Zeman, Chief Operating Officer of third-party risk management leader Prevalent, Inc., sees a gap in the data: “the industry's continued blind spot… third-party risk management. Recent Ponemon Institute industry data shows that many organizations continue to fail at effective third-party risk assessment – with just 18% of respondents saying that their company assesses the cyber risks of third parties – yet this risk vector was unaddressed. Compelling breach events and the mandates of new regulations – such as New York State’s cybersecurity requirements for financial services organizations, and the Global Data Protection Regulation (GDPR) – make clear that third party risk management must be a top-five priority for any security-driven organization.”