A sober reflection on the facts delivered by Verizon with their annual “2016 Data Breach Investigations Report (DBIR)”
For the last few years we have been reading and hearing the much-quoted buzzword “Cyber Threat” from the InfoSec professionals out there. Nearly every day the media educate us about exploits and data breaches at governmental institutions and organizations. Is this just a subjective perception? Is the risk of an organization becoming the victim of a cyber-attack really growing exponentially, or is it just phony commercial buzz from the IT security industry?
Let’s take a sober look at the facts delivered by Verizon in their annual “2016 Data Breach Investigations Report (DBIR)”, published last April 26th. The Verizon DBIR is the most anticipated reference for understanding attack and breach patterns from incidents that happened within the last year. It lifts the cover on what is really happening in the cybersecurity world. With data provided by 67 contributors, including security service providers, law enforcement and government agencies, covering more than 100,000 incidents and the analysis of 2,260 breaches across 82 countries, this year’s report offers unparalleled insight into the cybersecurity threats we all face.
In my opinion, the report should be a must-read, not only for every IT professional but also for every senior executive who wants to understand the threats and be aware of the risks their organization is facing. If you haven’t already, I recommend downloading the “Verizon 2016 DBIR” and looking through the list of published data breaches.
One thing will immediately strike you: no location, industry or organization is immune to cyber threats. Even with the toughest defenses, no organization can bank on not being breached. Knowing, understanding and identifying the most likely attack types for your industry, and the techniques you can adopt to reduce the risk, is the first step in building a defense strategy. The Verizon report shows that ‘Cyber threat’ is a real risk for all organizations. It is not just a buzzword.
Verizon classified all incidents into 9 patterns, each a recurring combination of characteristics. Guys, this is really worth a read! Here are a few of my takeaways and … some spoilers to raise your curiosity:
Again and again, the human factor
Verizon classifies these incidents simply as ‘Miscellaneous Errors’. The one area that has increased sharply over the last year is phishing attacks, i.e. users receiving emails from forged senders. Disturbingly, 30 percent of phishing messages were opened, and 13 percent of those recipients went on to open a malicious attachment or click a malicious link. 63 percent of the analyzed data breaches involved leveraging a weak, default or stolen password.
This shows that the majority of data breaches begin with a phishing campaign. Very often, it is a humble mistake by one member of the workforce that starts an incident.
The conclusion: make people the first line of defense. Train the staff to spot the warnings.
Attacks taking advantage of zero-day exploits make catchy headlines. However, the report showed that the top 10 known vulnerabilities accounted for 85 percent of successful exploits. This means that most attacks exploit known vulnerabilities that were never patched, even though patches had been available for months or longer.
Consistent patching, regular backups and the implementation of configuration change monitoring can block many attacks, keep the business running if systems are compromised by ransomware, and make attack methods easy to detect by observing key indicators.
Not really a new recommendation. But, honestly, are we all consistently applying these simple tactics in our organizational processes?
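As a concrete illustration of the configuration change monitoring recommended above, here is a small added example (my own code, not Verizon’s or wizlynx’s) that baselines a directory of configuration files by SHA-256 hash and reports what was added, removed or modified on the next scan. The configuration files and the “drift” applied to them are constructed inside the `demo()` function so the script runs offline; in practice you would point `snapshot()` at something like `/etc` and store the baseline out of reach of the monitored host.

```python
"""Minimal configuration-change monitor (added example, not from the DBIR):
hash every file under a root, keep the result as a baseline, and on re-scan
classify each path as added, removed or modified."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (as a relative path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; the three lists are the key indicators a
    monitoring rule would alert on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline three config files, then simulate drift
    (a hardening setting reverted, one file deleted, one unknown file added)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text(
            "PermitRootLogin no\nPasswordAuthentication no\n"
        )
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "nginx.conf").write_text("server_tokens off;\n")
        baseline = snapshot(root)

        # Simulated configuration drift between two scans
        (root / "sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication yes\n"
        )
        (root / "nginx.conf").unlink()
        (root / "extra.conf").write_text("# unexpected new file\n")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths}")
```

Running the script prints one line per category; `sudoers` does not appear because its hash is unchanged, while the reverted `sshd_config` shows up as modified. A real deployment would run `snapshot()` on a schedule, persist the baseline with its own integrity protection, and feed the `diff()` output to whatever alerting you already have.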
Web Applications as attack vector
“Web App Attacks” were the cause of most confirmed breaches. Organizations today have more and more business-critical websites promoting their operations, conducting e-commerce and hooking into backend databases. Last year, 5,334 incidents (19,389 more when secondary motivation is included) were attacks on web applications. Of those incidents, 908 resulted in confirmed data disclosure. The report explained: “The greater complexity, including the web application code and underlying business logic, and their potential as a vector to sensitive data in storage, or in process, makes web application servers an obvious target for attackers.”
Thus we can reach the following conclusion: no business-critical web application should go live without a secure code review, and every web application should undergo regular assessments and penetration testing. All this helps you understand the risks and the possibilities your vulnerabilities expose before an attacker does.
No more single pattern attacks
The report underlined the intensification of a “new three-pronged attack”. Verizon described the three prongs as:
- Sending a phishing email with a link pointing to a malicious website or carrying a malicious attachment.
- Malware is downloaded onto the targeted individual’s computer, establishing an initial compromise and allowing further malware to be used to target sensitive information.
- Use of the credentials for further exploits, e.g. authenticating to third-party websites such as banking or retail sites.
Verizon calls it the ‘birth and rebirth of a data breach’. This means that having a clear understanding of how patterns complement each other and share portions of event chains can help direct our efforts as to what to prioritize with only limited resources.
To protect yourself, try to think like an attacker.
In summary, human misconduct and slip-ups are responsible for a major portion of what ails the cybersecurity community. Tom Brennan, Founder of ProactiveRISK, said it very well in his recent blog: “SEC_RITY requires ‘U’ to be vigilant in all aspects of its operations from creation, deployment, and use of technology”.
And now? What’s next?
The Verizon Data Breach Investigations Report is an outstanding guide to understanding attack and breach patterns from actual incidents last year. All managers responsible for IT should do a similar analysis within their own organization. The better you can map your own attack paths, the better you can understand the risks and identify the most effective remediation.
The DBIR advises: “…if you are not addressing, to an appropriate level, your entire attack surface, you may be adding locks to a door while a window is left open.”
And now, allow me some advertising: do you want to understand your security posture from the perspective of a hacker? If yes, request a Penetration Test & Ethical Hack today from our wizlynx Security Assessment Portfolio.
Senior Cyber Threat Intelligence Advisor @ wizlynx group