Hackers can complete an entire data breach, including exfiltrating data, in under 15 hours, according to a recent report, and 23 percent of hackers say they can complete a breach of a hospital or healthcare organization in under five hours.
In its 2018 Black Report, Nuix, a cybersecurity, risk, and compliance software company, offers a glimpse inside the minds of hackers to provide a unique perspective on the security landscape. The report also reveals a significant gap between perception and reality in cybersecurity, as most organizations’ cybersecurity postures are much more vulnerable than their leaders think, according to the report authors.
The survey reflects responses from hackers and professional penetration testers from around the globe. Penetration testers are professional hackers who operate within the boundaries of a legal statement of work that grants them permission to attack their target. The survey also included incident responders to gain their insight into various types of current attacks and organization security postures, but their responses to questions focused on hacking or motivation were not included.
Among the alarming results is that, across all industries, most of the professional hackers surveyed said they could bypass security systems, locate critical data, and exfiltrate that data within 15 hours. Fifteen percent said they could accomplish that in under an hour, 20 percent said it would take one to five hours, 19 percent said the task would take five to 10 hours, and 46 percent said it could be accomplished in 10 to 15 hours.
About a quarter of hackers surveyed (23 percent) said they could complete an entire breach of a hospital or healthcare organization in under five hours, while the majority (61 percent) said it could be accomplished in under 15 hours (18 percent said five to 10 hours; 20 percent said 10 to 15 hours; 23 percent said 15 to 20 hours; 11 percent said 20 to 25 hours; and 5 percent said more than 25 hours).
Drilling down further into the survey results, when hackers were asked how long it takes to breach the perimeter of a hospital or healthcare organization, 15 percent said under one hour, 39 percent said under five hours, 24 percent said under 10 hours, 20 percent said under 15 hours and 2 percent said it would take more than 15 hours.
The survey asked respondents how long it took them on average to identify critical value data (CVD) once they had gained access to the target environment. The survey results show that once they have breached the perimeter, attackers can move laterally with ease to map out the target environment and find what they are looking for. Averaged across all industries, most respondents (54 percent) could find their target data within five hours.
With regard to hospitals and healthcare organizations, large numbers of respondents (38 percent) could find the data they sought in less than an hour; the same was true of the hospitality industry (33 percent) and the retail industry (30 percent). Twenty-eight percent said they could identify critical healthcare data in under five hours, 23 percent said it would take between five and 10 hours to identify critical data, 8 percent said 10 to 15 hours and 5 percent said more than 15 hours.
Averaged across all industries, 40 percent of respondents could exfiltrate data in less than an hour and an additional 33 percent could do so within five hours. Surveyed hackers saw the hospitals and healthcare, sports and entertainment, retail, and hospitality industries as particularly soft targets, according to the report.
Asked how long it takes to exfiltrate critical value data from a hospital or healthcare organization, half of surveyed hackers (51 percent) said it would take less than one hour. Twenty-six percent said one to five hours to exfiltrate data, 13 percent said five to 10 hours, 8 percent said 10 to 15 hours and 3 percent said more than 15 hours.
While healthcare did not fall among the three industries that hackers identified as being the easiest targets—those being food and beverage, hospitality and retail—healthcare did have below-average results as far as cybersecurity, according to the report. The report notes that healthcare fell into this category of below-average results even though healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations.
“Our data makes it clear that these compliance regimes do not guarantee that a regulated entity is meeting the prescribed requirements or that the regulations are having the intended impact. I’ve said it before but it’s worth repeating: Compliance does not equal security,” the report states.
Chris Pogue, lead author of the report and Nuix’s Head of Services, Security and Partner Integration, said, “Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass. If hackers can steal your data within a day but you only find out it happened months later, you’re well on the way to becoming the next big news story.”
The Nuix Black Report challenges the common media narrative that data breaches are hard to prevent because cyberattacks are becoming more sophisticated. Nearly a quarter of Black Report respondents (22 percent) said they used the same attack techniques for a year or more.
“Hackers can keep using the same attack techniques because they still work—if it ain’t broke, don’t fix it,” Pogue said. “Many data breach victims believe they have suffered unprecedented and highly sophisticated cyberattacks, but they often turn out to be the result of mistakes or oversights. In the recent Equifax case, for example, it was an older system that hadn’t been patched.”
The report also dispels some common perceptions about cybersecurity and hackers, such as the perception of the teenage hacker living in a basement. Three-quarters (75 percent) of respondents were college grads and nearly one-third (32 percent) had postgraduate degrees. The majority (60 percent) had at least two security certifications, 22 percent had between three and five certifications, 8 percent had six or seven certifications and 5 percent had between eight and 10 certifications. The majority (57 percent) worked for medium-sized, large, or enterprise businesses.
The survey also examined hackers’ motivations: 86 percent said they do it “because I like the challenge, I hack to learn.” While 35 percent said they hack for the entertainment value or to make mischief, 21 percent hack for financial gain and 6 percent hack for social or political motives. The survey also found that 1 in 4 hackers don’t actually break any laws while hacking.