lolloj - Fotolia

Business failing to learn lessons of past cyber attacks, report shows

Organisations are still failing to address basic security issues and well-known attack methods, Verizon’s latest Data Breach Investigations Report reveals

This article can also be found in the Premium Editorial Download: Computer Weekly: Graph databases are making connections

Business and other organisations are failing to learn the lessons of past cyber attacks, the latest Verizon Data Breach Investigations Report (DBIR) reveals.

The analysis of 2,260 breaches and more than 100,000 incidents at 67 organisations in 82 countries shows that organisations are still failing to address basic issues and well-known attack methods.

“This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions.

“We continue to see the same kind of attacks exploiting the same vulnerabilities because many organisations still lack basic defences,” he told Computer Weekly.

The 2016 DBIR shows, for example, that nearly two-thirds of confirmed data breaches involved using weak, default or stolen passwords.

The report also shows that most attacks exploit known vulnerabilities that organisations have never patched, despite patches being available for months – or even years – with the top 10 known vulnerabilities accounting for 85% of successful exploits.

“User security awareness continues to be overlooked as organisations fail to understand that they need to make their employees the first line of defence,” said Dine.

“Organisations should be investing in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious,” he said.

For this reason, Dine said it is important for organisations to have the processes in place that make it easy for employees to report security issues.

Phishing attacks

Phishing is one area where increased user awareness could help, said Dine, especially as the use of fraudulent emails to steal credentials or spread malware increased dramatically in the past year.

“If we could reduce phishing through user awareness training, we could probably reduce a lot of the other stuff as well because many of the attacks start with a simple phishing email,” said Dine.

The study shows that 30% of phishing messages were opened – up from 23% in the 2015 report – and 12% clicked on malicious attachments or links that installed malware.

In previous years, phishing was a leading attack pattern for cyber espionage, but now features in most cyber attacks.

According to Verizon researchers, this technique is amazingly effective and offers attackers a number of advantages, such as a very quick time to compromise and the ability to target specific individuals and organisations.

Human error cause of most attacks

Underlining the importance of user awareness and the human element of security, the report shows that human error accounts for the largest proportion of security incidents, with 26% of these errors involve sending sensitive info to the wrong person.

Other errors include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones. 

Of increasing concern to Verizon’s security researchers is the speed in which cyber crime is committed. In 93% of cases, it took attackers up to a few minutes to compromise systems and data exfiltration occurred in minutes in 28% of the cases.

Meanwhile, the time between compromise and discovery of a data breach is growing. In 84% of the cases, victims did not find out they had been breached for weeks or more, and most often were informed by law enforcement, not by their own security measures.

As with the 2015 report, compromises of mobile and internet of things (IoT) devices are not a significant factor. However, the report notes that proof of concept exploits are real and it is only a matter of time before a large scale breach affects mobile and IoT devices. This means organisations should continue to be vigilant about protecting smartphones and IoT devices.

The report notes that web application attacks climbed to the top spot for data breaches, and that 95% of web app breaches were financially motivated.

The report also notes that ransomware attacks are on the rise, where attackers encrypt the contents of a device, rendering it useless and then demand a ransom to unlock the data. 

“Ransomware is going crazy. It is everywhere. As an incident response team we are dealing with ransomware attacks all the time,” said Dine.

Rise of a new attack

The 2016 DBIR highlights the rise of a new three-pronged attack that is being used repeatedly, with many organisations falling prey to attacks that follow this pattern.

Typically, attackers send a phishing email with a link pointing to the malicious website or a malicious attachment. Malware is then downloaded onto an individual’s PC that establishes the initial foothold, and additional malware can be used to steal data and credentials or or encrypt files for ransom. Finally, the stolen credentials are used for further attacks by logging into third-party websites such as banking or retail sites, for example.

Bryan Sartin, executive director of the Verizon Risk team, said organisations should strive to understand how cyber criminals operate. “By knowing their patterns, we can best prevent, detect and respond to attacks,” he said.

The report notes that basic, well-executed measures continue to be more important than complex security systems. Verizon researchers recommend that organisations know what attack patterns are most common for their industry, use two-factor authentication, and encourage employees to use two-factor authentication when logging into social networking apps.

Verizon researchers also recommend that organisations monitor all inputs, review all logs to identify malicious activity, encrypt all business critical data, educate employees on security issues, protect data according to its importance, and limit who has access to data according to their role. If stolen devices are encrypted, it’s much harder for attackers to access the data.

“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but often times even a half-decent defence will deter cyber criminals who will move on to look for an easier target,” said Sartin. 

Read more about data breaches

  • Mossack Fonseca breach underlines need to focus cyber security on key data, say experts, after law firm’s founder insists the company was breached by an outside hacker
  • Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
  • The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
  • Considering that a data breach could happen to any company at any time, a plan of action is the best tactic.

Read more on Hackers and cybercrime prevention

Data Center
Data Management