The unofficial theme of the 2016 Verizon Data Breach Investigations Report was "deja vu all over again." The biggest surprise in this analysis of over 100,000 incidents was that there has been little change in exploited vulnerabilities over the past few years. The report states "the...incident patterns we identified in 2014 still reign supreme," and that 90% of the incidents which result in data loss are due to just ten vulnerabilities.
What does this mean for security and information technology professionals? Meaning even as organizations shift to mobile and sensors, cybercriminals are still focused on the basics. While this is good news for your risk mitigation planning and the mobile fears which keep you up at night, there's definitely a little horror in it, too.
Smart criminals operate on the principles of risk and reward, much like the rest of us law-abiding citizens. Why invest in a complex mobile attack when employees are still clicking on malicious links in emails and patches are going without updates for years on end? While the threat vector is still complex and evolving, the most effective risk mitigation strategies are going to focus on making sure the basics are covered. Join us as we review the most common information security mistakes which could have prevented many of the incidents in this year's 2016 DBIR.
1. Failing to Change Default Passwords
In 63% of security incidents that resulted in data loss, criminals used actual credentials to gain entry to the system. While the majority of these credentials were stolen, a stunning amount (13%) just involved "brute force." Far too many organizations are failing to change default passwords on systems, such as the out-of-the-box "admin" login.
Unfortunately, poor password practices aren't isolated to end-users with little knowledge of security. Recent studies by other organizations indicate that 36% of IT professionals share passwords with colleagues. An additional 55% of IT professionals change their passwords less frequently than end-users do.
Passwords aren't fool-proof, but it's clearly an enormous number of security pros are failing to take the basic precautions prescribed by PCI compliance requirements, which include avoiding the use of vendor-supplied defaults. With the help of better policy and practice, organizations can avoid this remarkably simple mistake.
2. Employee Phishing Vulnerability
Unfortunately, phishing still represents a major payload opportunity for attackers. In the past year, 30% of phishing recipients opened malicious emails, and 12% clicked on a link or attachment. This shockingly represented an increase over the 2015 DBIR, where just 23% of phishing emails were opened. Eighty-nine percent of these emails are sent by organized crime syndicates with the usual intent of "install[ing] persistent malware."
There is no question organizations are attempting to educate their employees on the risks of phishing emails. PCI compliance standards require staff to be educated and for organizations to prepare comprehensive policies on acceptable use. The error in this common vulnerability probably isn't a sheer lack of training, but the impact of these education programs.
Research by Axelos indicates the majority of organizations worldwide are relying primarily on spam filters to sort out malicious emails. While adoption rates vary by geography, only 31-70% of organizations are launching simulated phishing attacks. Simulation can be among the most "effective and relatively inexpensive" ways to impart real behavioral change to your staff.
3. Not Closing Up Known Vulnerabilities
Humans are risky, but failure to understand your network and environment is also a common point of vulnerability. The top ten "known vulnerabilities" accounted for 85% of attacks, with the other 15% comprised of some other 900+ vulnerabilities. In fact, most attacks exploit known vulnerabilities organizations never patched, despite patches being due for updates for months or years.
In keeping with a trend visible in 2015's DBIR, there were no incidents of data loss that resulted from the exploitation of mobile or internet of things (IoT) devices. While this doesn't mean companies should ignore the risks of mobile, sensors, or other connected devices, it does indicate focusing on known vulnerabilities and patterns should be the cornerstone of your risk mitigation program.
There's no such thing as the perfect network, however, the concept of risk and reward is critical. Bryan Sartin, executive director of the Verizon Risk team, believes "oftentimes even a half-decent defense will deter cybercriminals who will move on to look for an easier target." As a result, Verizon's risk team's key recommendations to protect against the most common exploits include:
- Monitoring all inputs,
- Reviewing logs religiously,
- Encrypting business-critical data,
- Employee education,
- Protecting data, and
- Practicing access governance.
Full compliance with all twelve PCI compliance requirements isn't a guarantee your organization won't suffer data loss, but it can go a long way toward risk mitigation.
4. Failing to Use Real-Time Monitoring
While attackers aren't being especially innovative about their methods of attack, they have become significantly more efficient after gaining entry to a company's network.
According to the 2016 DBIR:
- 82% of attackers completed a compromise within a matter of "minutes."
- 21% of data retrieval is complete within minutes.
- 67% of data retrieval is complete in several days or fewer.
Despite the trend toward quick entry and departure, only 25% of organizations notice the incident within several days or more quicker. For 75% of companies, it takes weeks or longer to notice their system has been compromised. This indicates many organizations have failed to implement basic protection measures for change detection, such as real-time file integrity monitoring software. This fact has introduced an immense amount of risk.
Implementing technology to detect negative changes in critical system files can aid in your ability to defend against attacks slipping through your firewall, intrusion detection system, and other barriers. Failure to detect entry can result in a loss of revenue, damaged consumer trust, and costly compliance-related fines. With real-time change detection, organizations can position themselves to protect against today's cybercriminals, who are working faster than ever.
May 17, 2016