End users are often the weakest link in an organization’s cyber defense as cyber criminals exploit human nature to execute attack patterns such as phishing, according to Verizon Enterprise’s 2016 Data Breach Investigations Report.
Phishing attacks, where end users receive an email from a fraudulent source, continue to be alarmingly effective, as the researchers found that almost a third (30 percent) of phishing messages were opened, up from 23 percent in 2014. And, 12 percent of targets went on to open the malicious attachment or click the link.
For the Verizon Data Breach Investigations Report (DBIR), researchers analyzed 2,260 breaches and more than 100,000 reported security incidents.
According to report authors, phishing’s popularity has risen because it is an amazingly effective technique and offers attackers “a number of advantages such as a very quick time to compromise and the ability to target specific individuals and organizations.”
Adding to the list of human error are those caused by end users of an organization. “Miscellaneous errors” take the No. 1 spot for security incidents in this year’s report. These can include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones. Twenty-six percent of these errors involve people mistakenly sending sensitive information to the wrong person.
The report found that 63 percent of confirmed data breaches in 2015 involved leveraging weak, default or stolen passwords.
“You might say our findings boil down to one common theme—the human element,” Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions, said in a statement. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”
Cyber criminals are increasingly using a new three-pronged attack that is being repeated over and over again, and many organizations are falling prey to this type of attack, according to report authors. The three-prongs are:
Sending a phishing email with a link pointing to the malicious website, or a malicious attachment.
Malware is downloaded onto an individual’s PC that establishes the initial foothold, and additional malware can be used to look for secrets and internal information to steal (cyberespionage) or encrypt files for ransom. Many times the malware steals credentials to multiple applications through key logging.
Use of the credentials for further attacks, for example, to log into third-party websites like banking or retail sites.
“The goal is to understand how the cybercriminals operate,” Sartin said. “By knowing their patterns, we can best prevent, detect and respond to attacks.”
The report authors point out there is increasing pressure on organizations to become more digital, which means there are more devices to protect, more people with access to data and more partners to integrate with, and new technologies like mobile and the Internet of Things (IoT) give attackers new opportunities.
According to the report authors, organizations need to spend smarter on data security the report identifies nine incident classification (breach) patterns that account for the vast majority of both incidents and confirmed breaches. “Studying these patterns will help you understand how to best deploy your limited headcount and budget to achieve the best results,” the report authors stated.
In fact, according to Verizon Enterprises analysis, 95 percent of breaches and 86 percent of incidents are covered by these nine incident patterns. The nine patterns are—miscellaneous errors (17.7 percent); insider and privilege misuse (16.3 percent); physical theft and loss (15.1 percent); denial of service (15 percent); crimeware (12.4 percent); web app attacks (8.3 percent); point-of-sale intrusions (0.8 percent); cyber-espionage (0.4 percent), payment card skimmers (0.2 percent) and “everything else” (13.8 percent).
And, specifically within healthcare, three patterns—miscellaneous errors, insider privilege and misuse and physical theft and loss account for 73 percent of incidents. Among healthcare organizations, there were 166 security incidents in 2015, with 115 security incidents with confirmed data loss. Among those data breaches in healthcare, 32 percent were due to privilege misuse, 19 percent were due to stolen assets and 22 percent were caused by miscellaneous errors.
With regard to the loss or theft of laptops, USB devices, printed papers or other information assets within all industries, 39 percent of theft is from victims’ own work areas and 34 percent from employees’ personal vehicles.
The report also found that cyber attackers are quick and can break in and exfiltrate data in a matter of minutes. In 93 percent of cases where data was stolen, systems were compromised in minutes or less. And exfiltration happened within minutes in 28 percent of cases. But even where exfiltration took days, the criminals didn’t need to worry. In 83 percent of cases, victims didn’t find out they’d been breached for weeks or more.
Researchers also found that, not surprisingly, that ransomware is on the rise with 39 percent of crimeware incidents in 2015 involving ransomware.
The report authors note that this highlights the need not only for protection, but also effective detection and remediation systems and processes to thwart attacks and reduce the possible damage.
The report also offers recommendations for effective patching. Data provided by Kenna Security included in the report suggests that vulnerabilities in Adobe products were exploited quickest, ones in Mozilla products were slowest.
Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits.
The researchers note that basic, well-executed measures continue to be more important than complex systems. According to the report, organizations should check to make sure they are taking care of these things:
Know what attack patterns are most common within the industry.
Utilize two-factor authentication for systems and other applications, such as popular social networking sites.
Monitor all inputs: Review all logs to help identify malicious activity.
Encrypt data: If stolen devices are encrypted, it’s much harder for attackers to access the data.
Train staff: Developing security awareness within the organization is critical especially with the rise in phishing attacks.
Know the organization’s data and protect it accordingly. Also limit who has access to it.
“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but often times even a basic defense will deter cybercriminals who will move on to look for an easier target,” Sartin said.