When it comes to cybersecurity and securing our sensitive data, high-speed technological change has conditioned us to think the biggest risks come from some new-to-the-world vulnerability. For instance, we hear warnings that mobile attacks will be the next scourge or that the Internet of Things (IoT) is the emerging danger zone.
But, let’s not jump to conclusions. The 2016 edition of the time-tested and respected Verizon Data Breach Investigations Report (DBIR) indicates our significant digital security worries are still variations on cyberattacks that were last year’s, or even older, headaches.
Most attacks exploit known vulnerabilities—where a patch has often been available for a long time. And the most mundane and well-known vulnerabilities and perpetrators remain among the most problematic. Here are the results:
- Many attacks—63% of confirmed data breaches in the report’s data set—involved leveraging weak, default, or stolen passwords.
- Phishing schemes remain a powerful tool for criminals, with the 2016 study data showing that 30% of phishing messages were opened—up from 23% in 2014. And 12% of targets opened the dangerous attachment or clicked the bait link.
- Today’s cyber enemies are not new-age activists intent on espionage, revenge, or social action, which seemed to be the trend two years ago. This year’s DBIR concludes that most cyberattacks are motivated by greed and carried out by crooks intent on stealing data that they can sell and convert to cash.
The Bad Guys Are Improving
Market forces make cyber crooks ambitious, according to the new report, which compiles and analyzes data from 2015. These evildoers have to innovate new scams because the market value of some kinds of data, particularly payment card information, is falling. To maintain their illegal revenue streams, attackers must steal more data or find new forms of information to sell—like protected health information and intellectual property.
Their dark ambition appears to be paying off. The executive summary of the 2016 DBIR opens with this sobering statement: “In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred—and it was typically customers or law enforcement that sounded the alarm, not their own security measures.”
The evidence shows cybercriminals are fast and efficient, and security systems aren’t working well enough. Break-ins are quick, and actual theft of data, known as exfiltration, occurs within minutes in 28% of cases. Even worse, the DBIR analysis shows that when exfiltration took longer—days, for example—victims didn’t find out about the breach for weeks or longer.
Obviously, the longer it takes to discover a breach, the more time criminals have to mine valuable data and disrupt your business. Here’s the essential case built in the 2016 DBIR: “Protection isn’t enough—you need to have effective detection and remediation systems and processes in place to thwart attacks and reduce the possible damage.”
The 2016 DBIR, the ninth annual edition, benefits from the long experience and the size of its data set— information on more than 100,000 incidents, including 2,260 confirmed data breaches across 82 countries—provided by a collection of 67 security service providers, law enforcement, and government agencies.
Fighting Back with Threat Intelligence
Today’s booming digital marketplace means there are more devices to protect, more users with access to data, and more potential partners seeking integrative solutions.
DBIR data reveals that 95% of breaches fit into nine incident classification patterns first published in the annual report in 2014. The patterns allow a detailed analysis by industry, revealing that when you look at a specific segment, the majority of threats fall into just three patterns.
That’s powerful knowledge. The patterns and their percent of the total are:
Herein lies the beauty of the DBIR: Studying these patterns provides a level of threat intelligence that gives decision makers insight into how to deploy resources to hit cybercriminals where it hurts the most.
Using an industry example, the report shows that in Retail, three patterns—denial of service, point-of-sale intrusions, and web app attacks—account for 90% of incidents. The report gives detailed suggestions about steps to take to defeat attackers using those specific patterns. To battle web app attacks, retailers should use two-factor authentication and lock out accounts after repeated access failures and establish a robust process for patching CMS platforms, third-party plug-ins, and other e-commerce systems.
Overall, the deep, thorough analysis in the 2016 DBIR is delivered with some wit, an ample dose of reality, and a healthy respect for the size of our cybersecurity challenges. It acknowledges that businesses simply can’t get an impenetrable system, no matter the cost. But it shows in practical detail the value of efficient defense, with well-placed roadblocks, to deter cybercriminals and keep hackers moving past your door in search of easier targets.
Additional Resources on This Topic: