Verizon’s 2016 Data Breach Investigations Report was published this week. This annual report bases its findings on over 64,000 security incidents and 2,260 confirmed data breaches that took place over the past year across 72 countries and myriad industries. The information was shared by many of the leading cybersecurity vendors, law enforcement agencies, and the US Department of Homeland Security.
This report is an important source of information and a must-read for the whole gamut of cybersecurity professionals, CEOs and even boards of directors. And don’t be spooked by the size of the report: its witty writing turns the read into an informative, and dare we say entertaining, experience.
Although the importance of this report cannot be overstated, to make it easier for you we have collected a few of the main highlights. So here’s a quick “Cliff Notes” version:
1. Organized Crime has moved to cyber:
Financial gain is by far the most common motivation for data breaches, with espionage (commercial and nation-state) remaining a distant second. The main insider threats are privilege abuse, data mishandling, and use of unapproved hardware or software. The main perpetrators of phishing attacks are organized crime syndicates (89% of attacks, with the Dridex Trojan influencing the number of attacks attributed to organized crime) and state-affiliated actors (9% of attacks). Ransomware increased by 16% in 2015. Together with DDoS attacks, it tops the crimeware chart of financially motivated, opportunistic attacks, followed by banking Trojans, spyware, keyloggers and backdoors.
2. Worry about your Web Applications:
Unlike mobile and IoT, which have yet to become significant attack vectors against organizations, web app attacks increased across the board, especially for financial services organizations (up from 31% in the 2015 DBIR), along with the information and retail industries. 95% of confirmed web app breaches (which include exploits of code-level vulnerabilities in the application as well as bypasses of authentication mechanisms) were financially motivated. Content management systems (CMS) were found to be the vector for installation of web shells. In financially motivated attacks against ecommerce servers, web shells are used to access the payment application code, which is then used to capture user input.
3. Password protection can only take you so far:
In 63% of confirmed data breaches, legitimate user credentials, such as weak, default or stolen passwords, were exploited. The methods may not be new, but they remain popular because they work. Additionally, sophisticated attackers don’t just bypass static passwords; they use them to advance their attack.
4. Phishing season is all year long:
Phishing continued to trend upward. The main perpetrators of phishing attacks are organized crime syndicates (89%) and state-affiliated actors (9%). Both the open rate of phishing emails and the rate at which their malicious attachments install malware or keyloggers have increased since the previous year. Consequently, the most targeted assets are people (the human compromise), desktops infected with malware delivered by phishing, and POS terminals hit in POS attacks.
5. Know thy enemy:
Attackers are getting even quicker at compromising their victims: in 81% of cases, initial compromise took only minutes. The main attack method, for both financially motivated and nation-state attacks, is phishing, in which the malicious, credential-stealing file is downloaded within seconds. Exfiltration, on the other hand, can take a bit longer: in 67.8% of cases it took a few days. This finding is heavily driven by POS attacks, where malware was dropped to capture, package and run scheduled exports of the data. While the “detection deficit” remains a big issue, with the time to discover a compromise getting longer, the number of breaches that remained undiscovered for months or longer continued to decline slightly. The top delivery vectors for crimeware are email attachments, websites serving drive-by downloads on each visit, and emails with links to pages hosting drive-by code installs.
6. Don’t dis DDoS and POS:
With many retailers improving the security of their POS systems, hotel chains have become the big victims of POS attacks. Use of stolen credentials to access POS environments is significant, and command-and-control functionality is being reported at higher rates than in the past. DDoS continued to be a popular attack method and is growing in scope, volume, and sophistication, with script injection into browser sessions, distributed reflection DoS attacks, and the emerging technique of temporal lensing (sending packets along different paths, timed so that they arrive simultaneously and overwhelm the target system).
The report not only presents valuable information, but also sets out practical recommendations for reducing the risk of the breaches and incidents analyzed. We hope these analyses and insights will promote the adoption of stricter cybersecurity measures across industries and sectors. Here’s to reading about fewer breaches and more improvements in detection and protection capabilities in next year’s report.