Data breaches are still far too easy to pull off thanks to avoidable security failings, consultancy Verizon has concluded in its ninth annual Data Breach Investigations Report (DBIR) which draws on the firm's analysis of 2,260 real-world breaches in 85 countries during 2015.
In years gone by, Verizon's report -- still the most authoritative analysis of global data breaches -- was about the swelling volume of incidents but as more and more have been publically disclosed that's almost become a secondary issue. These days, the relevant questions are whether organisations are doing enough to stop them and whether enough of them even care.
Data breaches are now routine, a global condition consumers and companies simply accept as part of life. As if to ram that point home, on the day the company started briefing journalists about the DBIR, a security researcher reported finding an exposed database of 93 million Mexican voters on an Amazon web services server.
Ninety-three million people breached. Security watchers shrugged despite the possibly serious consequences of leaking voter numbers, names, addresses and birth dates in a country infamous for kidnapping.
Data breaches 2016 - the same problem everywhere
Most of the data breaches studied by Verizon entered its log from the US, the country where most of its customers are. However, the firm is adamant that the patterns that underlie breaches are universal across the world, across sector and across different sizes of organisation. Assuming that one country or sector is an exception to the rule would be unwise.
"We see the same things everywhere. The things we see in the US we see in EMEA and APAC," says Verizon's managing principal for investigative response, Laurence Dine.
Phishing is too easy
It's easy to get lost in numbers but some unsettling facts jump out of Verizon's report. More than nine in ten successful data breaches take minutes to execute but weeks or even months to be uncovered. That's a crazy, unbridgeable gap for defenders to close under any circumstances but it's why this is the case that is more interesting.
Verizon documented nearly 10,000 incidents (including 916 confirmed data breaches) where the attack used a simple phishing attack, almost all using emails where the recipient inside the victim organisation clicked on a malicious ink or attachment. The possibly subtle irony of this is not lost on the researchers - the attackers are able to reach out to employees more effectively than the security team at the organisations they work for. Verizon estimates that around 30 percent of phishing messages are opened of which 12 percent click where the attackers want them to.
After being around for a decade or more as an everyday technique, phishing still works. A generation of filtering systems, gateways, anti-malware software, and endpoint monitoring systems seem not to have made much difference. Organisations are getting owned and it's hard to be optimistic about this trend when Verizon compiles its 2016 numbers for next year's DBIR.
The bottom line: Test email filtering and get a better one if too many phishing attacks are getting through. Defend against employees click on links by segmenting the network to make it harder to move around. Use layered authentication rather than static passwords to move from one to the other.
What happens after a successful phishing attack? Often, credential theft, which Verizon detected as having occurred in 1,474 incidents of data disclosure. Armed with user names and passwords from phishing, spyware or keylogging, attackers can often roam networks at will and undetected, looking for further targets including, ironically, systems secured with default passwords.
The weakness here is simply that too many organisations rely on the brittle security of password systems when two-factor authentication (2FA) is now needed to raise the bar. "Your average organisation using that would be less likely to be breached," argues Dine.
The bottom line: two factor authentication is no longer optional
Hand in hand with phishing is the dogged issue of software flaws, which Verizon estimates take a media time of 30 days to be exploited by criminals after they become public or although many are being used after only ten days. There are some interesting patterns here. Adobe flaws are exploited in around 30 days on average, Microsoft in perhaps 100, and Mozilla flaws in more than 200 days.
The problem is that organisations have to patch new flaws in some order and this isn't always easy to prioritise. But one point jumps out and that is that old flaws are still the most commonly wielded. Analysing exploited CVEs (Common Vulnerabilities and Exposures), Verizon found that those from 2007, 2010 and 2011 were greater in number than those form 2015.
This is because it's simple for attackers to try every flaw in an automated way until the hit on one that hasn't been patched in possibly a small number of machines at one company. At the same time, nearly nine out of every ten successful exploits are based on a core hit parade of only ten vulnerabilities.
"People don't know their environments 100 percent. They forget about the old machines in the corner that's not on any patch schedule," says Dine.
The bottom line: security teams should pay attention to the flaws attackers are actually targeting and not simply worry about the fact a given flaw exists.
Web application attacks
Accounting for 908 confirmed data breaches, attacks that break into websites probably fit the image of a lot of incidents. Large numbers of these were reported to the firm but many turned out to be simple defacements or repurposing for some other criminal task such as launching DDoS attacks. Dridex botnet seems to be a big player.
The bottom line: Third-party CMS plug-ins need careful patching.
Data breaches 2016 - mobile malware hype
A week doesn't go past without at least one security vendor talking up the menace of unsecured mobile devices. While that's true for the device itself, as in last year's report, Verizon still sees negligible risk that these platforms are a primary Launchpad for successful data breaches.
"For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations," the authors say.
"If you feel we are in error, put down the torches and pitchforks and share any breach data that you have. We are always looking for avenues to shine lights into areas in which we may not have sufficient illumination. Also, their absence is not a suggestion to ignore these areas in your risk management decision-making."
When mobile devices start turning up in breaches, it will most likely be connected to IoT, the authors believe.
Bottom line: there are far easier ways into networks and databases