ktsdesign - Fotolia

Cyber espionage up, but basic defences still down, DBIR shows

Organisations are still failing to address basic security issues and well-known attack methods, Verizon’s latest Data Breach Investigations Report reveals for a second year in a row

Cyber espionage and ransomware attacks are increasing and affecting a wider range of organisations than ever before, warns the Verizon 2017 Data Breach Investigations Report (DBIR).

Overall, financial services firms were the most prevalent victims, accounting for nearly a quarter of breaches in the past year, underlining that financial gain is the top motive for attacks.

However, cyber espionage is the second greatest motive. Data on more than 1,900 breaches at 65 organisations in 84 countries shows that cyber espionage is now the most common type of attack seen in manufacturing, the public sector and education.

“Despite all the media hype around the security risks related to IoT [internet of things], we are not seeing that yet,” said Dave Hylender, senior risk analyst at Verizon.

“Cyber espionage is the most interesting aspect of the data relating to real data breaches that we are seeing because it is becoming more prevalent and more sophisticated,” he told Computer Weekly.  

Around 15% of the breaches analysed were espionage-related, which analysts ascribe to the proliferation of proprietary research, prototypes and confidential personal data.

Many of these types of data are held by academic institutions, which is why the education sector is also now being targeted by cyber espionage campaigns.

Outdated security defences

The latest data also shows that organised criminal groups escalated their use of ransomware to extort money from victims, with a 50% increase in ransomware attacks in the past year.

Despite this increase and the related media coverage surrounding the use of ransomware, many organisations still rely on out-of-date approaches, and are not investing in security precautions. 

Instead, many organisations are opting to pay a ransom demand rather than invest in security, the report said, but some industries are under greater threat than others. For example, ransomware accounted for 72% of all malware incidents in the healthcare sector.

While the data shows malware is big business, with 51% of breaches analysed involving malware, ransomware rose to the fifth most common specific malware variety, up from 22nd in 2014.

Pretexting rises up the attack ranks

The 2017 DBIR shows that pretexting has emerged as a popular tactic and is on the increase and commonly used in business email compromise or whaling attacks, where attackers trick people into helping them by pretending to be a senior company executive.

The report shows that pretexting is predominantly targeted at financial department employees – the ones who hold the keys to money transfers. Email was the top communication vector, accounting for 88% of financial pretexting incidents.

“Pretexting is even more specific than spear phishing because attackers build a believable scenario through multiple interaction with victims to gain their confidence,” said Hylender.

“The problem is that these pretexting emails are often so well done, and even come from legitimate email accounts, that they will fool most people.”

The only practical way to counter this type of social engineering attack, said Hylender, is to develop a system where there needs to be more than one person to approve transactions above a set limit.

“Under no circumstance should an email alone be enough to order a transaction, even in emergency situations and even if it appears to come from the CEO,” he said.

Get the security basics right

Now in its 10th year, the DBIR once again showed that organisations of all types and sizes are targeted by cyber attacks, and for a second year running, the DBIR highlighted that organisations are still getting the basics wrong.

For example, 81% of hacking-related breaches using either stolen, weak or easy-to-guess passwords, but the report said this method of attack is easily prevented by better password hygiene, greater awareness of phishing, and the use of two-factor authentication.

“The information security community has to get better at addressing the root causes, because otherwise the threats are just never going to go away”
Dave Hylender, Verizon

Verizon also recommends using log files and change management systems to provide early warnings of a breach, training employees to spot warning signs, keeping access rights to a bare minimum, prompt patching, and encrypting sensitive data.

Many organisations are also still failing to deal with phishing attacks, despite the fact that the 2016 DBIR flagged the growing use of phishing techniques linked to software installation on a user’s device.

In this year’s report, 95% of phishing attacks follow this process, with 43% of data breaches using phishing, which is commonly used in both cyber-espionage and financially motivated attacks.

Phishing was present in 21% all security incidents, up from just 8% the year before, which analysts ascribe to the success rate it delivers. The data shows that 7.3% of phishing attacks were successful, resulting in the victim clicking on a link or email attachment sent by cyber criminals. Worse still, 6.5% of victims fell into the trap a second time, and 2% clicked more than three times.

Repeating the same mistakes

The DBIR is aimed at giving governments and organisations the information they need to anticipate cyber attacks and more effectively mitigate cyber risk.

“But each year we see the same attack techniques working,” said Hylender, who has worked on the DBIR since inception. “The information security community has to get better at addressing the root causes, because otherwise the threats are just never going to go away,” he said.

The failure by many organisations to get the basics right and address the issues highlighted by the DBIR, he said, is why there is very little change in the findings of the DBIR from year to year and why the same old attack methods continue to be successful.

“For many organisations, the reality is that they are still not locking the front door and attackers are just walking in,” said Hylender.

Read more about data breaches

Read more on Hackers and cybercrime prevention