Annual Verizon security report says sloppiness causes most data breaches

Phishing, malware, ransomware, hacking, cyberespionage: The latest Verizon Data Breach Investigations Report shows the best prevention is basic security hygiene

Annual Verizon security report says sloppiness causes most data breaches
Thinkstock

Security threats are constantly evolving, but as Verizon's latest DBIR (Data Breach Investigations Report) shows, the more things change in information security, the more they stay the same.

More than half (51 percent) of the data breaches analyzed in the report involved malware, 73 percent of the breaches were financially motivated, and 75 percent of security incidents were tracked back to outside actors. This year's report found that email was the No. 1 malware delivery vector, compared to last year, when it was web drive-by-download attacks.

The DBIR data set, which includes 1,935 confirmed data breaches and 42,068 security incidents across 84 countries, is compiled from 65 sources, including Verizon's own investigation team as well as the U.S. Secret Service and other law enforcement groups. The report distinguishes between data breaches, where data is confirmed to have been exposed to an unauthorized party, and security incidents, which are security events that compromised "the integrity, confidentiality, or availability" of data.

Ransomware is the hot new trend

Ransomware has been dominating headlines, for good reason: It was the fifth-most common malware variety in Verizon's data set, which is a huge jump from three years ago, when it was the 22nd most common. Ransomware attacks are still opportunistic, relying on infected websites and traditional malware delivery mechanisms to find victims, and they're more likely to target vulnerable organizations than individual consumers, the report found.

"While ransomware dates back to 1989, in the past year we have seen more technical and process innovation in ransomware than we have seen since the invention of Bitcoin-enabled anonymous payments," the researchers wrote in the report.

Along with ransomware, cyberespionage popped up a lot in the report, which found that 21 percent of breaches were related to espionage. In fact, it was the most common attack across multiple industries, including education, manufacturing, and the public sector. These industries tend to have higher amounts of proprietary research, prototypes, and confidential personal data, making them attractive espionage targets. More than 90 percent of the confirmed espionage breaches were linked to state-affiliated groups, with competitors and former employees accounting for the remaining 10 percent.

What's old is still relevant

Phishing remains a big problem, as it was present in 21 percent of all security incidents and 43 percent of data breaches, and it was the most popular cyberespionage method. Attackers are increasingly incorporating phishing into their campaigns because they work so well: one in 14 phishing attacks were successful, in that the victim clicked on the link in the email or opened the malicious attachment. While attackers still used spoof websites to harvest credentials in their phishing attempts, documents embedded with malicious macros were far more common, the report found, yet another example of how old tricks continue to pay off for attackers.

Every year, Verizon's researchers point out that password insecurity is the biggest problem, and that hasn't changed. Verizon found that 81 percent of hacking-related breaches succeeded through stolen passwords or weak passwords. That's an 18 percent increase from last year's report, suggesting that rather than getting better, password security is getting worse.

Don't try to solve all problems

While the depressing figures about the number of breaches and the most common attack methods are helpful, the most valuable part of the report is deeper inside, where Verizon's researchers break down the threats by industry. The data for each industry varies dramatically, and IT and security teams should pay the most attention to the relevant industry sections to understand which areas they need to focus on.

Manufacturing is most exposed to espionage, but food and hospitality sectors likely don't have to worry so much about it, said Marc Spitler, senior risk analyst for Verizon and a co-author of the report. By that token, point-of-sale attacks are big in hospitality and retail, but not so important for manufacturing and education.

The top three industries for data breaches were financial services (24 percent), health care (15 percent), and the public sector (12 percent). For financial services, the top two motives were financial gain (72 percent) and espionage (21 percent). The motives were flipped for the public sector, with espionage (64 percent) followed by financial gain (20 percent). Knowing the difference helps IT teams channel their energies more constructively.

Health care is different

If it felt like there was a ransomware attack against a health care organization every few days in 2016, that perception is not so far from reality. Ransomware accounted for 72 percent of malware-related incidents in health care companies. Last year, officials at Hollywood Presbyterian Medical Center paid $17,000 ransom to restore its data after its network was knocked offline for several days, impacting patient care. Spitler said ransomware was counted as incidents and not breaches because an infection doesn't necessarily mean data was exposed.

Health care was also different from other sectors because the primary cause of breaches was by insiders (68 percent), and it wasn't always about the money. While 64 percent of breaches were financially motivated, 23 percent fell under the category of "fun," which could mean anything from being curious about someone they know (or a celebrity) to merely poking around and see what they can get.

The number of records compromised at a time tended to be smaller than the wide-scale smash-and-grab breaches of personal data we've gotten used to. That may be because the perpetrators don't want to get caught by taking too many at once, Spitler said.

A lot of the problems in health care could have been prevented, Spitler noted. Routinely checking on employee activity to make sure they are not viewing, downloading, or printing information they have no business need for will stop a lot of the information disclosures. Ransomware can be foiled by improving the backup strategy, and having a policy in place to make sure data is disposed of correctly would prevent accidental exposure of personally identifiable information. Mobile devices should be encrypted so that data remains protected when devices are lost or stolen.

Information is a treasure trove

Verizon defined the information industry as "everything from software publishers to telecommunication carriers; from cloud providers to social media sites, and even online gambling." These are non-e-commerce and non-retail sites where users sign up for accounts and provide some personal information.

The biggest problem in this industry was denial-of-service attacks, at 71 percent, indicating that "most of the incidents are based on disruption of access to web-based sites/applications," the report said. In fact, denial-of-service, web application attacks, and crimeware represent 90 percent of all security incidents for this sector.

The top six threats include using stolen credentials, keyloggers or other spyware, data-stealing malware, phishing, backdoor malware, and malware communicating with command-and-control servers. Hacking, malware, and phishing are the trifecta of attacks this industry has to worry about. Data breaches here tend to be credentials and personal data, and they affect millions of users at a time.

While password security is important across all industries, it's critical for the information industry when so many of the breaches are taking advantage of weak passwords. Two-factor authentication has been shown to make it harder for attackers to break in, yet a distressingly large number of sites still don't offer the option. If nothing else, two-factor authentication should be required for administrative access to web applications and other devices that hold sensitive data. Password reuse across sites remains a problem, but stolen credentials become less dangerous if there's another authentication barrier the attackers have to get around.

If the user's device is compromised with a keylogger, the attacker will get into the online account no matter how strong the password was, Spitler said. Two-factor authentication would stop those attacks because the attacker will likely not have that second factor.

Basic security hygiene is still lacking

The Verizon DBIR beats the same security drum each year: Many of these attacks could have been prevented with basic security hygiene. System administrators need to update server software, including operating systems, web applications, and plugins. IT needs to be aware of when security vulnerabilities are disclosed and updates are available.

With phishing used in majority of attacks, staff needs to be trained to spot warning signs. While training isn't a cure-all, there is value in getting users less click-happy. Two-factor authentication would also severely curtail phishing, as it can render stolen credentials all but useless. While a determined adversary will keep trying to get in, it would disrupt their normal operations. For most other opportunistic attacks, it will force them to move to a different target.

There's no reason why mobile devices aren't being encrypted all the time. If they were, then lost or stolen devices would be classified as security incidents, but not an actual data breach since the data would still be protected. To that end, a segmented network is preferable to a flat network that's easy for attackers to get around in. Better yet: Require extra rounds of authentication to move from one segment to another. The goal should be to make it more costly and time-consuming for attackers to move from the initial device or network compromise (a security incident) to actually stealing data (data breach).