Business failing to learn lessons of past cyber attacks, report shows

Phishing attacks

Phishing is one area where increased user awareness could help, said Dine, especially as the use of fraudulent emails to steal credentials or spread malware increased dramatically in the past year.

“If we could reduce phishing through user awareness training, we could probably reduce a lot of the other stuff as well because many of the attacks start with a simple phishing email,” said Dine.

The study shows that 30% of phishing messages were opened – up from 23% in the 2015 report – and 12% clicked on malicious attachments or links that installed malware.

In previous years, phishing was a leading attack pattern for cyber espionage, but now features in most cyber attacks.

According to Verizon researchers, this technique is amazingly effective and offers attackers a number of advantages, such as a very quick time to compromise and the ability to target specific individuals and organisations.

Human error cause of most attacks

Underlining the importance of user awareness and the human element of security, the report shows that human error accounts for the largest proportion of security incidents, with 26% of these errors involve sending sensitive info to the wrong person.

Other errors include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones. 

Of increasing concern to Verizon’s security researchers is the speed in which cyber crime is committed. In 93% of cases, it took attackers up to a few minutes to compromise systems and data exfiltration occurred in minutes in 28% of the cases.

Meanwhile, the time between compromise and discovery of a data breach is growing. In 84% of the cases, victims did not find out they had been breached for weeks or more, and most often were informed by law enforcement, not by their own security measures.

As with the 2015 report, compromises of mobile and internet of things (IoT) devices are not a significant factor. However, the report notes that proof of concept exploits are real and it is only a matter of time before a large scale breach affects mobile and IoT devices. This means organisations should continue to be vigilant about protecting smartphones and IoT devices.

The report notes that web application attacks climbed to the top spot for data breaches, and that 95% of web app breaches were financially motivated.

The report also notes that ransomware attacks are on the rise, where attackers encrypt the contents of a device, rendering it useless and then demand a ransom to unlock the data. 

“Ransomware is going crazy. It is everywhere. As an incident response team we are dealing with ransomware attacks all the time,” said Dine.

Rise of a new attack

The 2016 DBIR highlights the rise of a new three-pronged attack that is being used repeatedly, with many organisations falling prey to attacks that follow this pattern.

Typically, attackers send a phishing email with a link pointing to the malicious website or a malicious attachment. Malware is then downloaded onto an individual’s PC that establishes the initial foothold, and additional malware can be used to steal data and credentials or or encrypt files for ransom. Finally, the stolen credentials are used for further attacks by logging into third-party websites such as banking or retail sites, for example.

Bryan Sartin, executive director of the Verizon Risk team, said organisations should strive to understand how cyber criminals operate. “By knowing their patterns, we can best prevent, detect and respond to attacks,” he said.

The report notes that basic, well-executed measures continue to be more important than complex security systems. Verizon researchers recommend that organisations know what attack patterns are most common for their industry, use two-factor authentication, and encourage employees to use two-factor authentication when logging into social networking apps.

Verizon researchers also recommend that organisations monitor all inputs, review all logs to identify malicious activity, encrypt all business critical data, educate employees on security issues, protect data according to its importance, and limit who has access to data according to their role. If stolen devices are encrypted, it’s much harder for attackers to access the data.

“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but often times even a half-decent defence will deter cyber criminals who will move on to look for an easier target,” said Sartin.