Credential theft, social engineering attacks (including phishing and business email compromise) and human errors were involved in just over two-thirds of almost 4,000 data breaches around the world last year, according to the 13th annual Verizon Data Breach Investigations Report.
“These tactics prove effective for attackers,” say the report’s authors, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts.”
The 130-page report released this morning aims at giving CISOs a better understanding of the varied threats they face not only generally but in regions and across several industries. This year’s report looks at 16 verticals.
Written in a slightly cheeky style and chock full of statistics, the report uses data from 81 partners (ranging from IT vendors to the U.S. Secret Service) to analyzes 32,000 incidents (events that compromise the integrity, confidentiality or availability of an information asset) and 3,950 data breaches (confirmed disclosures of data).
Among the highlights (or lowlights):
- Hacking (defined as an attack using stolen credentials, exploiting vulnerabilities or using back doors) was involved in 45 per cent of breaches; 22 per cent involved attacks through social media (including email); 22 per cent involved malware. Also, employee errors were causal events in 17 per cent of breaches, while eight per cent involve the misuse of data by authorized users.
- Ransomware accounted for 27 per cent of malware incidents (and it was higher some verticals like government and higher education);
- Web application attacks doubled from 2018 to 43 per cent of all breaches.
- Internal-error-related breaches almost doubled from 2018 (881, versus last year’s 424). However, report authors believe this increase is likely due to improved reporting requirements because of new legislation and changes in existing law rather than insiders making more frequent mistakes.
There is some good news:
- Security tools are getting better at blocking common malware. Data shows that Trojan-type malware peaked at just under half of all breaches in 2016 and has since dropped to only 6.5 per cent. Malware sampling indicates that 45 per cent of malware is either droppers, backdoors or keyloggers. “Although this kind of threat is still plentiful, much of it is being blocked successfully,” say the authors.
- Less than five per cent of breaches involved the exploitation of a vulnerability. “In our dataset, we do not see attackers attempting these kinds of attacks that often; only 2.5 per cent of security information and event management (SIEM) events involved exploiting a vulnerability. This finding suggests that most organizations are doing a good job at patching,” says the report. However, it adds, while patching does seem to be working, poor asset management can hide big problems. “Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defences.”
Finally, for those CISOs worried about insiders keep it in perspective: The report’s numbers continue a historical trend showing that insiders account for about 24 per cent of breaches — and a lot of times that’s a user error (losing laptop, misconfigurations).
“What continues to frustrate people like me is email phishing,” commented report co-author John Loveland in an interview. “We all know that it’s problematic, we all know we shouldn’t be clicking on [links in] emails, but there continue to be click-throughs.”
All that’s needed is one person to click on a malicious link for an attack to start, he noted, “but in this day and age with all the attention around phishing and the technologies that are used to intercept phishing emails it’s still a soft-side of security.”
“We as an industry have to get better and removing the human factor out of that exploit, not only from a training perspective but also from a technology perspective… because that is the primary attack vector. That’s an ongoing frustration every year for me.”
Most worthwhile security controls
Finally, the report points to eight controls the data suggests will be worthwhile for most organizations to tighten their security posture. (The numbers in brackets correspond to the Center for Internet Security Critical Security Controls):
- Continuous vulnerability management (CSC 3). Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfiguration.
- Secure configurations (CSC 5, CSC 11). Ensure and verify that systems are configured with only the services and access needed
to achieve their function.
- Email and Web Browser Protection (CSC 7). Lock down browsers and email clients to give your users a fighting chance.
- Limitation and Control of Network Ports, Protocols and Services (CSC 9). Understand what services and ports should be exposed on your systems, and limit access to those.
- Boundary Protection (CSC 12). Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
- Data Protection (CSC 13). Control access to sensitive information by maintaining an inventory of sensitive information.
encrypting sensitive data and limiting access to authorized cloud and email providers.
- Account Monitoring (CSC 16). Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
- Implement a Security Awareness and Training Program (CSC 17).
Download the full report here. Registration required.