Misconfigured servers accounted for 86 per cent of the record 8.5 billion records compromised around the world last year, according to an analysis by IBM Security released today.
That was one of the conclusions reached by the unit in its annual Threat Intelligence Index, which peers into customer sensor and other data. (Registration required)
What IBM calls the “inadvertent insider,” also known as misconfigured servers, spans a wide range of vectors, including publicly accessible cloud storage, unsecured cloud databases, improperly secured sync backups, and open internet-connected network area storage devices.
“This is a stark departure from what we reported in 2018 when we observed a 52 per cent decrease from 2017 in records exposed due to misconfigurations, and these records made up less than half of total records,” the report said.
It’s not that the total number of misconfiguration incidents increased. Quite the contrary, the number of such incidents actually dropped 14 per cent year over year. The report says this implies that when a misconfiguration breach did occur, the number of records affected was significantly higher in 2019.
Nearly three-quarters of the breaches involving more than 100 million records were misconfiguration incidents. Two of those misconfiguration incidents alone, which occurred in what IBM calls the professional services sector, accounted for billions of records each.
IBM doesn’t name the companies behind those incidents. But one might have been the discovery of an unsecured Elasticsearch server with data that appeared to come from a U.S. data processing company or one of its subscribers.
Misconfiguration errors will only decrease if companies take security more seriously, Ray Boisvert, an associate partner in IBM Canada’s security services who used to be a special security adviser to the Ontario government, said in an interview.
“It comes down to for all organizations that security needs to be woven into the fabric. The business processes, the launch of new services, the intranet for employees, web-facing content, needs to be linked to a philosophy that security is the enabler.”
Tighter identity and access management — including the addition of two-factor authentication — is also imperative, he added.
The report also found:
- A 2,000 per cent increase in attacks on operational technology (OT) in 2019, suggesting industrial networks will be targeted more this year;
- The top three initial infection points last year were almost equal: phishing (31 per cent), scanning for vulnerabilities and then exploiting them (30 per cent), and using stolen credentials (29 per cent);
- Phishing went from making up nearly half of the total incidents in 2018 to less than a third in 2019. By contrast, the scanning and exploitation of vulnerabilities increased to nearly one-third of the incidents from only eight per cent in 2018;
- Spam email usually focused on two exploits: CVE-2017-0199 (for Microsoft Office/WordPad) and CVE-2017-11882 (an Office memory corruption bug). Both of these have been patched;
- Destructive malware attacks — those that either delete or overwrite files — are becoming more frequent. These attacks can be combined with ransomware. Note that devastating attacks are estimated to cost an average of US$239 million, over 60 times more than the average cost of a data breach.
Of the OT attacks, most were centred around using a combination of known vulnerabilities within SCADA (supervisory control and data acquisition) and ICS (industrial control system) hardware components, as well as password-spraying attacks using brute force login tactics against ICS targets.
“The overlap between IT infrastructure and OT, such as Programmable Logic Controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019,” says the report.
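The password-spraying tactic mentioned above leaves a recognisable trace in authentication logs: a single source failing against many different accounts with only a couple of attempts each, which per-account lockout thresholds never trip. The following is an added example, not from the IBM report or this article, that flags that pattern over constructed sample log lines (the log format, field names and addresses are assumptions).

```python
"""Flag password spraying in constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed/successful logins against an assumed ICS gateway.
# Source 203.0.113.7 touches six accounts once each (spray);
# source 198.51.100.4 retries one account (ordinary typo, then success).
SAMPLE_LOG = """\
2019-11-03T10:00:01 src=203.0.113.7 user=operator result=FAIL
2019-11-03T10:00:03 src=203.0.113.7 user=admin result=FAIL
2019-11-03T10:00:05 src=203.0.113.7 user=engineer result=FAIL
2019-11-03T10:00:07 src=203.0.113.7 user=maint result=FAIL
2019-11-03T10:00:09 src=203.0.113.7 user=hmi result=FAIL
2019-11-03T10:00:11 src=203.0.113.7 user=plc_svc result=FAIL
2019-11-03T10:01:00 src=198.51.100.4 user=operator result=FAIL
2019-11-03T10:01:02 src=198.51.100.4 user=operator result=FAIL
2019-11-03T10:01:04 src=198.51.100.4 user=operator result=OK
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {src: sorted account names} for every source that failed against
    at least `min_users` distinct accounts inside `window`, with no more than
    `max_per_user` failures per account (the low-and-slow spray signature)."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            fails[rec["src"]].append((rec["ts"], rec["user"]))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start
            per_user = defaultdict(int)
            for t, user in events[i:]:
                if t - t0 <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {', '.join(users)}")
```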
Meanwhile the huge number of devices clumped under the Internet of Things – internet-connected devices ranging from surveillance cameras to toys – “has been gradually shaping up to be one of the threat vectors that can affect both consumers and enterprise-level operations by using relatively simplistic malware and automated, often scripted, attacks,” says the report.
The report urges organizations to take the following steps to better prepare for cyber threats this year:
- Leverage threat intelligence to better understand attackers and prioritize security resources;
- Build and train an incident response team;
- Stress test the organization’s incident response plan;
- Implement multifactor authentication;
- Find a way to detect and block spoofed domains;
- Have and test backups, and store them offline