By: Steven Bowcut, CPP, PSP
Verizon announced and released their 2018 Data Breach Investigations Report (DBIR) today and it really is kind of a big deal. A highly respected report in the industry, the DBIR provides the most comprehensive view of global cybersecurity based on actual cyberattacks from malware to insider threats to cyber espionage, including recommendations for businesses and government agencies on how to combat attacks.
Here are some of the key findings that surfaced from their look at more than 53,000 cybersecurity incidents and over 2,300 data breaches from 65 countries.
- Ransomware is the most prevalent variety of malicious software: It was found in 39% of malware-related cases examined this year, moving up from 4th place in the 2017 DBIR (and 22nd in 2014). Most importantly, based on Verizon’s dataset it has started to impact business critical systems rather than just desktops. This is leading to bigger ransom demands, making the life of a cybercriminal more profitable with less work.
- The human factor continues to be a key weakness: Employees are still falling victim to social attacks. Financial pretexting and phishing represent 98% of social incidents and 93% of all breaches investigated – with email continuing to be the main entry point (96% of cases). Companies are nearly 3X more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.
- Phishing attacks cannot be ignored: While on average 78% of people did not fail a phishing test last year, 4% of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.
- Distributed Denial of Service (DDoS) attacks are everywhere: DDoS attacks can impact anyone and are often used as camouflage, often being started, stopped and restarted to hide other breaches in progress. They are powerful, but also manageable if the correct DDoS mitigation strategy is in place.
- Most attackers are outsiders: One breach can have multiple attackers and we found the following: 72% of attacks were perpetrated by outsiders, 27% involved internal actors, 2% involved partners and 2% feature multiple partners. Organized crime groups still account for 50% of the attacks analyzed.
Below we hear from seven security experts representing four different organizations. Each has a slightly different take on the comparative weight of the various key findings and has focused their comments toward their respective areas of expertise.
Michael Magrath, Director, Global Regulations & Standards, VASCO Data Security:
With over 53,000 incidents and 2,216 confirmed data breaches last year, the challenges of securing cyberspace remain wide open.
Botnets aren’t going away anytime soon. With over 43,000 breaches involving use of customer credentials stolen from botnet infected clients, bots are proven static login credential thieves and open organizations and their executives up to severe cyberattacks, litigation, reputational impact and severe fines. Many bots can be overcome via advanced, frictionless multifactor authentication to thwart cybercriminals and if organizations are still relying on password authentication for their employees and customers.
In financial services, payment card skimmers installed on ATMs by organized criminal groups are widely known and difficult to notice by laypersons. To bypass cards and eliminate card skimmers as the attack vector we may see increased adoption of biometric ATMs. Moreover, banks may consider alternative authentication mechanisms for ATMs including leveraging registered mobile device geolocation used in conjunction with biometrics and/or PIN or a graphical cryptogram on the ATM screen that could be scanned with a mobile device for many users.
With GDPR coming into effect on May 25, it is critical for organizations holding data on European Union citizens to address these ever present vectors or risk facing severe financial penalties.
David Vergara, Director of Security Product Marketing, VASCO Data Security:
One of the key takeaways from the 2018 Verizon DBIR is that employees are falling victim to more sophisticated social engineering and phishing attacks. These findings are not surprising, as attacks, especially those based on advanced phishing techniques, are evolving quickly, and the community is constantly striving to find better tools, training and technology to mitigate exposure. When it comes to security, we should all begin with the basics and take full advantage of multi-factor authentication security when available and businesses should prioritize efforts to deploy this strong security.
Christian Vezina, CISO, VASCO Data Security:
The DBIR report looks at the events and breaches of the past year, and ransomware was an important issue in 2017, but rogue cryptocurrency mining will probably surpass ransomware in terms of revenues for cybercriminals this year.
According to Rod Schultz, Chief Product Officer at Rubicon Labs, a leading supplier of IoT security:
Ransomware, DDoS attacks, and external attackers rely on weak human or device endpoints to infiltrate a network and extract sensitive and confidential information or inflict serious financial damage. Strong authentication and data encryption tools are needed to combat these attacks, but, sadly, the evidence suggests the potential to generate traffic and revenue outweighs the potential for serious security risks when we connect weakly fortified devices or when uninformed humans join an unsecured network.
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks:
These days, attackers are increasingly focused on cryptocurrencies – stealing them, mining them via cryptojacking or obtaining them as ransom.
As companies do not usually have crypto wallets to steal, attackers turn to ransomware because it provides the best bang for the buck and is the logical choice for attackers to monetize business breaches.
Verizon DBIR confirms this trend with ransomware incidents doubling from last year. Ironically, businesses can thwart ransomware attacks completely by backing up their data every day, but many still fail to do so.
Crypto mining has also hit businesses hard with a 27 percent increase in Q1 2018 over Q4 2017.
I believe we are still in the “mania phase” of the crypto attack bubble and have not reached “peak crypto” yet. That said, I expect ransomware and other cryptocurrency malware attacks to grow in popularity this year.
96 percent of attacks on businesses continue to come via email. In addition to educating employees on the high risks of email and safe behaviors, I recommend that businesses onboard their employees into other communication systems like Slack or Hipchat that are far less exploited.
Ransomware has taken center stage from a malware perspective, and for good reason. It provides criminal groups with a good return on their investment in an industry that has matured quite a bit.
But we are likely to see a reprieve before the next storm of ransomware attacks. Some threat actors are dipping their toes into the cryptocurrency pond to see if they can make a decent return on what is perceived as a lesser crime, namely cryptocurrency mining. Other threat actors will probably get pulled into the market of hacking for political actors, be it nation states or groups with political interests. This will lead to an increase in attacks like DDoS or destructors disguised as ransomware, and the targeting of critical infrastructure.
‘Mind your own industry’ is a key takeaway from this report. Even though malware is used in 30 percent of all attacks, if you’re in the accommodation and food services, that number jumps to 75 percent. But it’s also a highly cyclical pattern that has seen prior highs and lows, so don’t count malware out just yet. And, since email is absolutely an initial vector of compromise, there is almost always a secondary payload delivered via web downloads.
Everyone who owns valuable data gets breached eventually. The question is: how fast can you detect the breach and limit the damage? Many people think of securing their network as securing the perimeter. This is the wrong perspective. Securing the network means being able to see lateral movement, exfiltration staging, internal email propagation and isolating network devices that belong to a chain of compromise in order to disrupt attackers.
Last, but certainly not least, according to Anthony James, Chief Marketing Officer at CipherCloud, a leader in cloud security and data protection:
The Verizon cybersecurity report brings us back to basics. We know from US-cert that about 85% of breaches are related to the exploit of missing updates and patches. Current reality today is that most organizations cannot apply these updates and patches as quickly as attackers can catalog and use them as exploits. It’s a race that large enterprises can almost never win. What should be done? You must develop and deploy the new best practices to protect your data, assuming that at some point an attacker will penetrate your network. As Verizon suggests, encryption is a key part of the solution. Locking up the data makes it useless to the attacker. This moves the cost of the attack back to the attacker. They will leave your network alone and look for greener pastures.
Our suggestion: download the report, read it for yourself, and determine how Verizon’s findings stack up against your practical industry experience.