FMSEs and Other Findings from the Verizon 2019 Data Breach Investigations Report
When working to keep your organization secure, it’s important to know where the threats are coming from – and Verizon’s Data Breach Investigations Report (DBIR) is a great resource in understanding the current threat environment.
Verizon has been publishing the DBIR on an annual basis since 2008. The latest edition is the most comprehensive yet, with 73 contributors providing data on 41,686 security incidents and 2,013 confirmed breaches.
There’s a French saying, “plus ça change, plus c'est la même chose,” the more things change, the more they stay the same. Technology is evolving rapidly, but the changes in cyber threats are incremental from year to year. The biggest motivation for cybercrime continues to be financial – credit card theft and ransomware are as popular among cyberthieves as they ever were (as opposed, for example, to cyber-espionage: crime targeting theft of company secrets for competitive advantage). As companies respond to cyberattacks with enhanced security measures, the bad guys respond by seeking easier targets.
A prime example is the rise in financially-motivated social engineering (FMSE) attacks noted in the report. These are defined as incidents that featured a “social” element but did not involve malware installation or employee misuse – with a significant increase in business email compromise being the main impetus for naming this as a new and separate subset in the report. Bottom line: humans are far easier to “hack” than a properly configured firewall or a comprehensive endpoint protection tool set.
That said, let’s dive into the numbers:
29% of all data breaches were accomplished using stolen credentials. This highlights the need for maintaining good password hygiene throughout the organization: change passwords regularly, require strong passwords, encourage users not to reuse passwords, and enable multifactor authentication where possible.
Exploitation of Vulnerabilities
Even though only 6% of all breaches involved exploitation of vulnerabilities, it is still worthwhile to keep all software current with patches and updates so that your organization does not become part of that 6% statistic.
Malware is as popular as ever, with 28% of all breaches involving malware. About one fourth of the malware-related incidents were accompanied by ransom demands, falling squarely into the category of ransomware. Educating employees and establishing clear best practices and protocols can help keep malware clickthrough rates low, but that’s not really enough if a single erroneous click is all it takes to expose your entire network to a debilitating attack. Analysts increasingly recommend isolating web browsing activity off-network to ensure that malware cannot gain access to network devices via the web, regardless of what links your users click. In addition, downloaded files should be cleansed thoroughly before they are permitted onto the network device.
The Human Factor
The better we get at improving our technology, the more significant the human factor becomes in data breaches. The only threat actions in data breaches that have grown in the past few years are both user-based: human error and social engineering attacks. 21% of data breaches involved human error, which can include sending an email with company data to the wrong recipient or accidentally publishing sensitive data on a public website (oops!). The report also indicates that users are significantly more susceptible to social attacks they receive on mobile devices.
Last but not least, phishing remains a favorite technique for cybercriminals. 32% of all breaches involved phishing. The good news is that users are wising up to phishing attacks: clickthrough rates on phishing emails are down to 3%, substantially lower than the 25% of a few years ago. The bad news is that “phishermen” are getting more sophisticated: spear phishing attacks specifically targeting senior executives, including CEOs, are up. The report also indicated an increase in business email compromise (BEC) attacks. As Alex Pinto, head of Verizon security research, said in an interview with Security Week, “why bother hacking companies when we can just email the CFO and get him to send us money?”
One way to help combat phishing attacks of all kinds is by implementing zero-trust browsing across your organization. A zero-trust approach dictates that all unknown web code must be executed off-network, in an isolated ‘single-use’ environment, while users receive only a clean interactive media stream to their local device. In addition, untrusted web pages should open in read-only mode, to prevent unsuspecting users from entering credentials on phishing sites.
Although specific attack vectors may shift over time, many of the basic techniques used by cybercriminals remain the same. Phishing, malware, and stolen credentials are perennially popular. Human error continues to drive many data breaches. Keeping your data secure requires effort and vigilance. Some things you can do to secure your data include:
- Train your users to be careful – social engineering, spear phishing attacks, and accidental clicks are all major causes of breaches
- Protect user credentials and enforce good password hygiene
- Keep software patched and up to date – after all, an ounce of cyber prevention could be worth $143 million in cure
- Consider adopting virtual client computing to help keep sensitive data off of vulnerable endpoint devices – especially in the context of remote and/or mobile devices
- Lock down vulnerable attack surfaces such as email and web browsers using a “zero trust” approach to ensure that, even when users make an all-too-human lapse in judgment and click on the “wrong” links, your networks remain uncompromised