Verizon's 2016 Data Breach Investigations Report (DBIR) discovered something the late, great steel-driving man John Henry learned the hard way: humans don't stand a chance when it comes to battling soulless machinery.
The report shows this most prominently in the number of successful attacks kicked off by phishing incidents that combined strong social engineering with stolen credentials. Verizon researchers also indicated that humans are weak not just individually; even as a group, people have no better luck fending off attacks.
"No locale, industry or organization is bulletproof when it comes to the compromise of data," the report stated. For 2015, Verizon found there were 64,199 data breach incidents, with the public sector (47,237), entertainment (2,707) and finance (1,368) being the most targeted. "Financial services really copped a beating in 2015," Paul Pratley, head of investigations and incident response at MWR InfoSecurity, said in an email.
"Of the confirmed data breaches where sensitive data was lost, over 35 percent were in the financial services sector, and financially motivated breaches continue their three-year upward march relative to any other attacker motivation, leaving espionage in decline and every other motivation practically off the map."
The report also revealed the power of a properly socially engineered phishing attack. The data, which was derived from sanctioned phishing tests that had 8 million total results, showed that 30 percent of phishing messages were opened by the target with 12 percent moving on to click the malicious attachment or link. This is up from 2014 when only 23 percent opened the email with 11 percent clicking on the attachment.
The phisherman also did not have to wait long for a bite. “The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds," the report stated. "The median time to the first click on the attachment was 3 minutes, 45 seconds.” There was a small amount of good news. Three percent of those involved in the test attacks recognized the emails as malicious and alerted management.
Rohyt Belani, CEO and co-founder of PhishMe, said this positive employee action has to be nurtured if corporations ever hope to stop an attack. "While there is a tendency to rely on increased automation in IT security, organizations must empower employees to forge an additional, final line of defense against these types of human-targeted attacks," he said. "Not acknowledging employees as an essential part of an organization's security posture is resulting in catastrophic repercussions."
Another time-oriented finding of the report is that businesses are not improving their ability to quickly discover a breach, while criminals have become faster at breaking in and getting away with their stolen goods. "Over the past 10 years, there has been a consistently diverging gap between time to compromise and time to detect," Pratley said. "Attackers have increased their efficiency to the point where they successfully compromise a network in less than a week nearly 100 percent of the time."
He added: "Defenders, however, despite all the investment in flashy blinky boxes out there, have not increased their ability to detect these attacks in less than a week much above the 25 percent mark." Stolen credentials were also responsible for a large portion of confirmed data breaches in 2015. The report stated that 63 percent of confirmed breaches involved taking advantage of weak, default or stolen passwords. This came as no surprise to Qualys CTO Wolfgang Kandek.
"As the Verizon DBIR 2016 shows, companies get breached for two reasons: legacy authentication mechanisms (by that I mean username and passwords) and a lack of vulnerability management," Kandek said. Tod Beardsley, Rapid7's security research manager, pointed out that the reason attackers still favor stolen-credential attacks is obvious: they are easy to conduct.
"It's much easier to try common, default, stolen and bought credentials on targeted systems than to run finicky exploits, and the fact is that the old username and password combo still works," he said. Although no massive point-of-sale (POS) attacks, such as those at Target or Home Depot, took place in 2015, POS was still a popular and effective attack vector. The report showed a total of 534 incidents, with 525 resulting in data disclosure, the majority hitting hotel chains.
Web app attacks were also a go-to methodology for criminals, with the primary targets being the finance, retail and information sectors. Verizon found 5,334 total incidents for 2015, with 908 resulting in confirmed data disclosure. Web app attacks were also used for purposes other than stealing information: to host malware, to participate in distributed denial-of-service attacks or to serve as repurposed phishing sites. Verizon found almost 20,000 companies were hit for this purpose.