Data breaches 2016: Verizon names simple failings that lead to data loss

Companies continue to make the same mistakes

Data breaches are still far too easy to pull off thanks to avoidable security failings, consultancy Verizon has concluded in its ninth annual Data Breach Investigations Report (DBIR) which draws on the firm's analysis of 2,260 real-world breaches in 85 countries during 2015.

In years gone by, Verizon's report -- still the most authoritative analysis of global data breaches -- was about the swelling volume of incidents but as more and more have been publically disclosed that's almost become a secondary issue. These days, the relevant questions are whether organisations are doing enough to stop them and whether enough of them even care.

Data breaches are now routine, a global condition consumers and companies simply accept as part of life. As if to ram that point home, on the day the company started briefing journalists about the DBIR, a security researcher reported finding an exposed database of 93 million Mexican voters on an Amazon web services server.

Ninety-three million people breached. Security watchers shrugged despite the possibly serious consequences of leaking voter numbers, names, addresses and birth dates in a country infamous for kidnapping.

Data breaches 2016 - the same problem everywhere

Most of the data breaches studied by Verizon entered its log from the US, the country where most of its customers are. However, the firm is adamant that the patterns that underlie breaches are universal across the world, across sector and across different sizes of organisation. Assuming that one country or sector is an exception to the rule would be unwise.

"We see the same things everywhere. The things we see in the US we see in EMEA and APAC," says Verizon's managing principal for investigative response, Laurence Dine.

Phishing is too easy

It's easy to get lost in numbers but some unsettling facts jump out of Verizon's report. More than nine in ten successful data breaches take minutes to execute but weeks or even months to be uncovered. That's a crazy, unbridgeable gap for defenders to close under any circumstances but it's why this is the case that is more interesting.

Verizon documented nearly 10,000 incidents (including 916 confirmed data breaches) where the attack used a simple phishing attack, almost all using emails where the recipient inside the victim organisation clicked on a malicious ink or attachment. The possibly subtle irony of this is not lost on the researchers - the attackers are able to reach out to employees more effectively than the security team at the organisations they work for. Verizon estimates that around 30 percent of phishing messages are opened of which 12 percent click where the attackers want them to.

After being around for a decade or more as an everyday technique, phishing still works. A generation of filtering systems, gateways, anti-malware software, and endpoint monitoring systems seem not to have made much difference. Organisations are getting owned and it's hard to be optimistic about this trend when Verizon compiles its 2016 numbers for next year's DBIR.

The bottom line: Test email filtering and get a better one if too many phishing attacks are getting through. Defend against employees click on links by segmenting the network to make it harder to move around. Use layered authentication rather than static passwords to move from one to the other.

Credential theft

What happens after a successful phishing attack? Often, credential theft, which Verizon detected as having occurred in 1,474 incidents of data disclosure. Armed with user names and passwords from phishing, spyware or keylogging, attackers can often roam networks at will and undetected, looking for further targets including, ironically, systems secured with default passwords.

The weakness here is simply that too many organisations rely on the brittle security of password systems when two-factor authentication (2FA) is now needed to raise the bar. "Your average organisation using that would be less likely to be breached," argues Dine.

The bottom line: two factor authentication is no longer optional

Software vulnerabilities

Hand in hand with phishing is the dogged issue of software flaws, which Verizon estimates take a media time of 30 days to be exploited by criminals after they become public or although many are being used after only ten days. There are some interesting patterns here. Adobe flaws are exploited in around 30 days on average, Microsoft in perhaps 100, and Mozilla flaws in more than 200 days.

The problem is that organisations have to patch new flaws in some order and this isn't always easy to prioritise. But one point jumps out and that is that old flaws are still the most commonly wielded. Analysing exploited CVEs (Common Vulnerabilities and Exposures), Verizon found that those from 2007, 2010 and 2011 were greater in number than those form 2015.

This is because it's simple for attackers to try every flaw in an automated way until the hit on one that hasn't been patched in possibly a small number of machines at one company. At the same time, nearly nine out of every ten successful exploits are based on a core hit parade of only ten vulnerabilities.

"People don't know their environments 100 percent. They forget about the old machines in the corner that's not on any patch schedule," says Dine.

The bottom line: security teams should pay attention to the flaws attackers are actually targeting and not simply worry about the fact a given flaw exists.

Web application attacks

Accounting for 908 confirmed data breaches, attacks that break into websites probably fit the image of a lot of incidents. Large numbers of these were reported to the firm but many turned out to be simple defacements or repurposing for some other criminal task such as launching DDoS attacks. Dridex botnet seems to be a big player.

The bottom line: Third-party CMS plug-ins need careful patching.

Data breaches 2016 - mobile malware hype

A week doesn't go past without at least one security vendor talking up the menace of unsecured mobile devices. While that's true for the device itself, as in last year's report, Verizon still sees negligible risk that these platforms are a primary Launchpad for successful data breaches.

"For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations," the authors say.

"If you feel we are in error, put down the torches and pitchforks and share any breach data that you have. We are always looking for avenues to shine lights into areas in which we may not have sufficient illumination. Also, their absence is not a suggestion to ignore these areas in your risk management decision-making."

When mobile devices start turning up in breaches, it will most likely be connected to IoT, the authors believe.

Bottom line: there are far easier ways into networks and databases

Join the CSO newsletter!

Error: Please check your email address.

More about APACCMSMicrosoftMozillaTestVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place