In 93% of cases, it took attackers only minutes or less to compromise systems. Organizations, on the other hand, took weeks or longer to discover that a breach had even occurred, and it was often customers or law enforcement agencies that raised the alarm, not the organizations' own security measures.
Data is the major power behind innovation. It helps accelerate supply chains and redefine customer experiences. But companies and customers are concerned about security. It is critical that you address risk, both to assure your customers and to give your organization the confidence to embrace digital acceleration fully.
Every organization relies on digital communication to transact and to compete. Today, gaining competitive advantage is all about doing digital communication better. But to do that, you need systems that are both reliable and secure, and that means data security is something we all need to care about.
Data breaches are very expensive. It is not just about restitution and fines; fees for legal and remediation services can be substantial too. Breaches can also cost you in terms of brand reputation. That is particularly important because having the trust of your customers and partners has never mattered more. A breach probably won't put you out of business immediately, but it can seriously damage your future.
Most breaches are about money
Most cyberattacks are indiscriminate and motivated only by greed, not revenge or public service. Most attackers steal your data because of its worth, not because of who you are. Anything that can be converted into money will do. As the value of payment card information falls while banks improve fraud detection, attackers are likely to turn increasingly to things like intellectual property and protected health information.
Attackers take the easiest route available. It would be a mistake to think the biggest risk you face is always from new-to-the-world vulnerabilities. Most attacks exploit well-known vulnerabilities for which a patch has often been available for months, if not years.
63% of confirmed data breaches involved the use of weak, default or stolen passwords. Often the reason criminals were so quick to get in was that they already had the key. Social engineering remains worryingly effective in fraudulent emails such as “click here to reset your password”. Almost 30% of phishing messages were opened, up from 23% in 2014, and 12% of targets went on to open the malicious attachment or click the link, about the same as in 2014 (11%).
There is no such thing as an impenetrable system, but often even a decent defence will deter many cybercriminals; they will move on and look for an easier target. Sadly, many organizations fail to achieve even that modest ambition. 95% of breaches fit into nine patterns. This year’s DBIR again focuses on the nine incident patterns that were identified. Understanding them will help focus security efforts on the right areas.
Credentials in hand make an easy in
In analysing the 2,260 confirmed data breaches, it was determined that 63 percent involved the use of a weak, default or stolen password.
The use of stolen, weak or default passwords in security breaches is not new. These kinds of static authentication mechanisms have been attacked for as long as we can remember. Password guessing has been part of the infosec landscape since the Morris worm was discovered, and it has evolved into well-known malware families like Dyre and Zeus, which are designed to capture keystrokes from a compromised device.
Zero-days: While advanced attacks using zero-day exploits make for interesting headlines, Verizon found that most attacks exploit known vulnerabilities that were never patched, despite patches having been available for months or even years. According to the 2016 DBIR, the top 10 existing vulnerabilities were responsible for 85 percent of successful exploits.
Web application attacks accounted for 5,334 incidents in total (19,389 additional incidents with a secondary motivation), and 908 involved confirmed data disclosure. According to Verizon, 95 percent of confirmed web app attacks were financially motivated. Their greater complexity, including the web application code and its underlying logic, and their potential to hold more valuable data in storage or in process, make web application servers an obvious target for attackers.
Phishing: Its popularity among attackers has risen because it is a highly effective technique that offers a number of advantages, such as a very quick time to compromise and the ability to target specific individuals and organizations.
The rise of the three-pronged attack: Verizon has highlighted the rise of a “new three-pronged attack” that it says is being repeated again and again by cybercriminals. Verizon describes the three prongs as:
• Send a phishing email with a link pointing to a malicious website, or with a malicious attachment.
• Malware is downloaded onto the targeted person’s PC, establishing an initial compromise and allowing additional malware to be used to target sensitive information such as credentials.
• Use of those credentials for further attacks, for example to log into third-party websites such as banking or retail sites.
The pressure on organizations to become more digital is growing by the day. There are more devices to protect, more people with access to data and ever more partners to integrate with. New technologies like mobile and the Internet of Things threaten to give attackers new opportunities. We have not yet seen a high number of incidents involving mobile or IoT devices, but the threat is certainly approaching. A number of proof-of-concept exploits have been demonstrated, and it is only a matter of time before there is a large-scale attack. To increase their income, attackers must steal more data or find new, more profitable forms of information to sell, such as protected health information and intellectual property.
The following are the nine incident patterns that were identified.
1. Miscellaneous errors
40% of incidents in this pattern were caused by a shortage of server capacity, where non-malicious spikes in web traffic overwhelm systems and cause key applications to crash. But it is often a simple mistake by one of the organization’s employees that triggers an incident.
2. Insider and Privilege misuse
This mainly consists of incidents involving misuse by insiders, but outsiders and partners that were given privileged access to systems also show up. Contrary to what some people think, it is rarely only system admins or developers with elevated privileges who are involved; end users account for a third of insider misuse. These attacks are mostly motivated by money: 34% of breaches involving misuse were motivated by financial gain, although a quarter (25%) can be linked to espionage, for example the theft of intellectual property.
3. Physical Theft and loss
It is usually a laptop or mobile device lost by an employee that triggers a security incident. But the biggest threat of a data breach is from lost or stolen documents, which cannot be encrypted. 39% of thefts are from employees’ own work areas, and 34% from employees’ personal vehicles.
4. Denial of Service
This is the fourth most common pattern in the data for all security incidents, and a large-scale attack could take a website or mission-critical systems offline for weeks.
5. Crimeware
These attacks are always opportunistic and motivated by financial gain. Malware gets into the system when someone clicks a malicious email link or visits an infected website. Ransomware is on the rise: attackers encrypt the contents of a device, making it useless, and then demand a ransom to unlock the encrypted data.
6. Web app attacks
Many web app attacks are indiscriminate and occur when attackers find a weak target with a vulnerability they can compromise, or gain a foothold through a phishing campaign. Cybercriminals have had a lot of success using CMS plugins to deploy malicious software. Occasionally, attacks defaced the target’s website, but there were almost 20,000 incidents where compromised websites were used in distributed denial of service (DDoS) attacks or repurposed as phishing sites.
7. Point of Sale intrusions
These attacks occur when attackers target the computers and servers that run POS applications, with the aim of capturing payment data. In 2015, many hotel chains made headlines for remote payment card breaches; in 2014, it was large retailers that were attacked. Successful breaches often occur via a POS vendor rather than as a result of poorly configured, internet-facing POS devices. 95% of confirmed attacks in hospitality involve POS intrusions.
8. Cyber espionage
These attacks begin with the same tools and techniques that have been used successfully elsewhere, before moving on to more sophisticated methods. That means basic security measures remain effective against cyber-espionage and should not be neglected in favour of specialized protection. 47% of all confirmed breaches in manufacturing could be classified as cyber-espionage.
9. Payment card skimmers
Most of these attacks happen at ATMs, but gas pumps and other devices are targeted too. Skimmers can be almost impossible to detect, even for a trained eye. 94% of breaches involving payment card skimmers occurred at an ATM.
Cybercriminals can break in and steal data in a matter of minutes. In 93% of cases where data was taken, systems were compromised in minutes or less, and exfiltration happened within seconds in 28% of cases. But even where exfiltration took days, the criminals did not need to worry: in 83% of cases, organizations did not find out they had been attacked for weeks or more. The longer it takes an organization to discover a breach, the more time attackers have to find the valuable data they are looking for and to attack the business. This is why protection alone is not enough; you need effective detection and remediation systems and processes in place to respond to attacks and reduce the possible damage.
Effective patching can stop the attackers
The top 10 vulnerabilities mentioned above are responsible for 85% of successful exploit traffic; the other 15% comprises over 900 CVEs. Patching promptly is very important, but with so many new vulnerabilities being discovered, it is often hard to know where to begin. Data provided by Kenna Security shows that vulnerabilities in Adobe products were exploited the quickest, while vulnerabilities in Mozilla products were the slowest to be exploited. Studying this information helps move away from conducting fire drills and towards focused patching efforts.
Cybercriminals are not content with the status quo. As the value of some forms of data falls, they have broadened the scope of the data they steal and are improving their tactics to capture new data. It is true that no system is 100% secure, but too many organizations are making it easy for them. Organizations are leaving very prominent vulnerabilities open by letting employees use easy-to-guess passwords and credentials, often including the default passwords that devices ship with. This means that most of the breaches we have seen were avoidable if organizations had put some basic security measures in place. IT teams should also have a thorough understanding of the types of threats their organization may face. Cybercriminals are using all the information they can to capture more profitable data, so we should expand our strategies too.