Breaking down the 2017 Verizon Data Breach Investigation Report
Verizon’s infamous Data Breach Investigations Report (DBIR) came out last week. It’s a testament to the diverse data Verizon now has that this year’s report is separated out by industry. In other words, more industries are seeing attacks and it allows the data to be divided and still hold merit. A few findings stood out to me as worthy of a deeper look:
Pretexting is an emerging trend in which an attacker impersonates a CEO or CFO or corporate bigwig by spoofing an email to try and get information from employees. For example, the boss might send you an email asking you to help them transfer money or request information about how to do that from the company.
Pretexting is a very big threat that will continue to grow because it takes advantage of urgency and common cultural situations where employees will set aside procedures and policies in order to make sure the boss does not get upset. Most phishing training focuses on the content: malware and links rather than the sender, and in this case, the sender and what is being asked is the issue. People will no doubt feel under pressure to make sure the boss is happy and some of the requests will seem entirely legitimate to the right employee. Therefore, security training staff need to make these types of messages a priority.
Microsoft Office-based malware and low patching metrics
I always feel the most vulnerable systems are the most popular. There was a time when cyber defenders would debate on the security of Mac vs. Windows. As soon as Mac entered the corporate enterprise, the vulnerabilities and exploits started to appear. Microsoft Office products are most popular and thus the biggest target for exploitation, just like Java.
The report found that the public sector only patched 30% of vulnerabilities found – 33% of which were on time and the financial sector patched only 25%, with 33% on time. This is simply not good enough. Patching is basic blocking and tackling for any cyber program.
It often fails because the responsibility is shared across two organizations. Security teams identify the vulnerabilities. Server and desktop teams then have to patch them. If this program is not taking into account how the firewalls and other compensating controls can reduce the risks of these exploits, IT departments are often faced with a huge backlog of patches with no prioritization.
The rise in credential theft
Hackers are after credentials in order to move within their target to gain access to data. Directly attacking these production systems is costly and often exploitation leads to detection of outages. It's akin to robbing a bank by using a stick of dynamite. Getting the safe combination is easier. As long as employees are offering up their credentials by accident or other means, direct exploitation will remain a plan “C” for most attackers.
Credential theft is plan “A” for hackers and multi-factor authentication will need to become a basic strategy along with internal segmentation and reduction of shared passwords. These strategies take time, effort and cultural shifts but an absolute requirement in modern business.
Changes in ransomware
In the DBIR, Verizon noted that the “most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations.” This is a path we see a lot of malware take – testing the waters by targeting consumers and then moving to target organizations. Or it could be a case of consumer systems infecting organizations due to the flexible way in which people work these days.
Organizations are a set of common systems using common defense controls. If a single machine in a company can be infected, chances are every machine is a target. They are on the same image using the same patch backlog and culture. To use an analogy, it is far more effective to launch a rock at a flock of birds.These are just some of the ways hackers are advancing their techniques to breach organizations and capitalize on their crimes. Of course, seeing the big picture and identifying weak spots in security infrastructure is one of the best ways to prevent them from reaching their nefarious goals. Intelligent Security Management can help provide this bigger picture and keep the stats in these kinds of reports from growing in the bad guy’s favor.