The Big Picture
Outsiders were behind the majority of cyberattacks last year (73 percent). Organized crime groups carried out 50 percent of all data breaches, with 12 percent involving actors known as nation-state or state-affiliated. Meanwhile, 28 percent of data breaches were perpetrated by internal actors. Nine out of 10 times, the main drivers motivating them were financial gain and espionage.
Breach Timeline
It takes cybercriminals just minutes, or even seconds, to compromise a system – but only three percent of breaches are discovered as quickly. Sadly, this year’s report shows that two-thirds (68 percent) of attacks went undiscovered for months or longer. Tim Erlin, VP of Product Management & Strategy at Tripwire, believes that faster recovery begins with monitoring for changes on the network:
"It may seem trite, but every incident begins with some kind of change. Organizations shouldn’t underestimate the value of being able to detect changes in their environment and make sense of them. Start by understanding what you have, then by ensuring it’s deployed securely, and follow-up with monitoring for changes. If you need an independent third-party to justify these controls, the CIS 20 critical security controls does exactly that."
Social Attacks
Unfortunately, humans are still considered the weakest security link – something organizations should be wary of when 98 percent of incidents and 93 percent of breaches involved phishing and pretexting (defined by the DBIR as the creation of a false narrative to obtain information or influence behavior). On the bright side, 78 percent of people in a median-sized organization don’t click a single phish all year. Still, four percent of people in any given phishing campaign will click the link, although that is an improvement from 11 percent back in 2014.
Ransomware
This year’s report crowned ransomware as the most prevalent variety of malware, seen in 39 percent of cases where malicious software was identified. The DBIR also notes that in recent years, we’ve seen more server assets affected, meaning “infections aren’t limited to the first desktop that is infected.”
"Lateral movement and other post-compromise activities often reel in other systems that are available for infection and obscuration. Encrypting a file server or database is more damaging than a single user device." – Verizon DBIR, pg. 14
Findings by Industry
Instead of getting lost in the numbers, the report encourages readers to look at the data from the perspective of their own industry. As expected, threat actors, motives and attack patterns can vary significantly from one industry to another.
Accommodation and Food Services
Unsurprisingly, the accommodation and food services industry continues to be dominated by financially motivated point-of-sale (POS) breaches, accounting for 90 percent of all breaches within this vertical. Furthermore, 96 percent of malware-related breaches utilize RAM scrapers to stealthily collect credit card data. The DBIR also notes: “As evidenced by the great number of ‘integrity’ issues in our caseload, illicit software installation continues to be rampant.” Here are Erlin's thoughts on that finding:
"Illicit is a great term here because it covers both malicious and simply prohibited. It’s time for the industry to move from data integrity to Integrity Management. Used as a framework for understanding and managing risk, Integrity Management can drive down incidents and improve risk mitigation."
Education
The education sector is frequently targeted with Denial of Service (DoS) attacks, especially now that online classes are becoming more commonplace. “Make sure you have adequate DoS protection against these attacks and an appropriate migration plan in place for when they do occur,” the DBIR recommends (pg. 30). Last year, the education industry was also highly targeted by the evolving W-2 scam. The DBIR explains it is not immediately clear why this scenario has figured so prominently in Education, but “it may be due to the more ‘open source’ nature of schools and universities.” To protect against this, it recommends conducting regular security training and having routine security audits.
Financial and Insurance
DoS attacks are also a top pattern for the finance and insurance industry, although attacks were not as rampant as in recent years. Regardless, the DBIR adds that, “while you are strengthening authentication into your applications, ensure that you have controls and response plans in place for availability attacks, as well” (pg. 31). Another interesting finding involves the type of data frequently compromised – banking information (13 percent) actually trails behind both personally identifiable information (36 percent) and payment card information (34 percent).
Healthcare
Healthcare is the only industry that has a greater insider threat than it does an external threat regarding data breaches. This is likely due to the fact that this vertical suffers from a large amount of human error and employee misuse. As far as incidents go, healthcare is nearly seven times more likely to feature a casual error than other industries. Additionally, ransomware accounts for a whopping 85 percent of all malware in healthcare. “Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, [ransomware] is likely here for a lengthy stay,” warns the DBIR (pg. 34). The report urges healthcare security practitioners to “ensure that policies and procedures are in place which mandate monitoring of internal Protected Health Information (PHI) accesses,” as well as to implement preventive controls that can help minimize the impact of ransomware on your network.
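A concrete form the PHI access monitoring recommended above might take, as an added example that is not from the report: two simple rules run over an access audit log. The log format, the care-team assignments and the bulk-access threshold are all constructed here; a real EHR would supply its own export format and the team roster.

```python
from collections import defaultdict

# Constructed audit log: timestamp, user, patient record id, action. Not real data.
SAMPLE_LOG = """\
2018-04-10T08:01:12 dr.lee P1001 VIEW
2018-04-10T08:03:40 dr.lee P1002 VIEW
2018-04-10T08:05:00 nurse.kim P1001 VIEW
2018-04-10T08:07:22 clerk.ray P1001 VIEW
2018-04-10T08:07:30 clerk.ray P1002 VIEW
2018-04-10T08:07:41 clerk.ray P1003 VIEW
2018-04-10T08:10:05 dr.patel P1003 UPDATE
"""

# Constructed care-team assignments (assumption: the EHR can export who is treating whom).
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.kim"},
    "P1002": {"dr.lee"},
    "P1003": {"dr.patel"},
}
BULK_THRESHOLD = 3  # distinct records per user before an access pattern counts as bulk


def parse_log(text: str):
    """Yield (timestamp, user, patient_id, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def analyze(text: str, care_team=CARE_TEAM, threshold=BULK_THRESHOLD) -> list:
    """Flag accesses by users not on the patient's care team, and users reading many records."""
    alerts = []
    records_per_user = defaultdict(set)
    for ts, user, pid, action in parse_log(text):
        records_per_user[user].add(pid)
        if user not in care_team.get(pid, set()):
            alerts.append({"rule": "NOT_ON_CARE_TEAM", "user": user, "patient": pid, "at": ts})
    for user, pids in records_per_user.items():
        if len(pids) >= threshold:
            alerts.append({"rule": "BULK_ACCESS", "user": user, "records": len(pids)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately simple; the value is in having the log collected and reviewed at all, which is what the report's recommendation asks for.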
Information
Per the DBIR, this vertical includes everything from publishers, motion picture and sound recording industries to telecommunications, data processing companies and broadcasting. This industry was another top target for DoS attacks, accounting for more than half (56 percent) of all incidents. Web application attacks total 41 percent of breaches, and the use of stolen credentials is among the most common methods attackers use to gain unauthorized access.
"Implement a routine checklist for general security hygiene, and have sys admins make sure that the systems you build are built to deploy patches and updates in a timely fashion. Automate anything you can as this reduces the human error associated with many breaches we see. Conducting routine scans to discover misconfigurations before an adversary does." – Verizon DBIR, pg. 36