The 11th edition of the Verizon Data Breach Investigations Report 2018 came out this past month, and not surprisingly, it reveals that hackers have continued to be very successful at using their hacking techniques (many which are well known) and we have failed to stop them.
This report is a must read for cyber security professionals and its highly anticipated release is usually marked in the calendar. It is a great insight into the trends and evolution of cyber-crime and analyses the year’s incidents to help us learn from our past mistakes and understand what we must do better.
“WE HAVE NOT LEARNED FROM OUR PAST MISTAKES”
With more than 53,000 incidents and 2,216 confirmed data breaches cybercrime continues to have far reaching impact and incur increased costs for businesses globally. The report shows some interesting trends and changes in some tactics used by cybercriminals to gain access to sensitive information or deploy malicious software.
What is clear is that cyber security is becoming more essential than any time in history with cyber-crime quickly passing traditional crime in almost every country worldwide.
“TECHNOLOGY ALONE WILL NOT STOP CYBER ATTACKS”
Technology alone can’t protect your identity or sensitive data. Hackers and other threat actors target human beings, seeking ways to trick them into giving up vital information unknowingly. They do this because it’s the easiest way to get at valuable data in a process known as social engineering. So, it’s not surprising that exploited humans are the weakest link in the cyber security chain, and yet the best hope for preventing a cyber security disaster.
We need to get the balance between people and technology right. We have too much complexity in the cyber security industry and it is crucial that we make it simpler and easier to use if we want people to adopt the technology we offer. The future of cyber security lies in making it simple.
Below are my key takeaways from this year’s report.
“I would give all my fame for a pot of ale, and safety”
This leading quote from the report is awesome and we surely can all relate to the challenge staying safe and secure while surfing the internet. Though no matter where we look or what news we read, cyber-crime prevails, and we have no safe place. We have to remember all that is good in the internet and yes, while bad things do happen, we need to embrace the internet and use it with care and responsibility. By knowing the risks and treading carefully we will all be less likely to become victims of cyber-crime. We need to regain trust in the internet and gain a better understanding about where we get the information that we use to make critical decisions about our future.
WE NEED TO TALK MORE ABOUT SUCCESS
We tend to focus more on failures, data breaches, successful hacks and financial fraud. However, no one ever talks about the times when they prevented cyber-attacks or significantly reduced the impact. We need to hear more about how companies prevented cyber-attacks and what works. It would be great to see a section in the next report that, while maybe anonymous, highlights incidents in which the company averted and prevented the cyber-attack.
WHO IS BEHIND CYBER ATTACKS AND DATA BREACHES?
Yes, attribution is probably one of the most difficult tasks in cyber-crime which already has more challenges than most people understand, with misdirection and lack of digital footprints to help lead to the cybercriminal. It is always interesting to see the report’s findings on attribution. So, let’s take a closer look:
Seventy-three percent of cyber-attacks where caused by outsiders, which is what was expected, but it would be interesting to see how much of this was done within country versus cross-border cyber-crime. The surprising number was that 50 percent of cyber-attacks were attributed to organized crime which suggests that organized crime is using hackers as a service. Twelve percent was attributed to nation states—this was quite a surprise as I assumed this number was much lower. But cyber-crime and data breaches appear to be used as political weapons and for economic advantage more by nation states as it is highly likely they are going to get away with it.
WHO ARE THE VICTIMS?
Well, this remains the same as in previous years with Healthcare being the top victim with 24 percent of incidents. It’s followed by the Accommodation and Food Services industry with 15 percent and Public Sector with 14 percent of incidents. Surprisingly Small Business only had 58 percent of incidents which I honestly expected to be higher because supply chain is a major target in today’s cyber-crime. Financial industry seemed to drop lower, most likely due to major investment in cyber security improvements and fraud detection solutions.
WHAT ARE THE MOTIVES?
In Digital Forensics you do one of two things: you follow the money or identify the motive. This usually helps follow the attack path to find the cyber-criminal. So, what are the top motives found in the report? Seventy-six percent was attributed to financial followed by 13 percent to espionage which, combined, covered 90 percent of the incidents. Espionage is likely on the increase due to the political instability around the world and of course financial is always going to be high on the list.
WHAT HACKING TECHNIQUES ARE BEING USED?
Ransomware continues to see more global use and financial impact. The main change with ransomware in 2017 was that the ransom demand dropped considerably from previous years and ransomware became easily accessible as a service. This means that ransomware is now considered a commodity that no longer requires significant technical expertise. If you have a computer and an internet connection, you can obtain ransomware and target a victim. Ransomware is easily accessible to common criminals, so we’ll see an increase in use.
DDoS (Distributed Denial of Service) attacks continue to cause major disruption and are often paired with other hacking techniques that are sometimes used for misdirection—while organizations are busy dealing with keeping their services running the cybercriminals are carrying out a crime elsewhere on the network.
Employee carelessness and error still causes many incidents, and phishing is particularly common as hackers know a high percentage of employees will click on a hyperlink or open an interesting attachment, and at that point it’s game over!
Cyber-criminals and hackers persist with identity and credential theft. In, fact, identity theft has increased in record numbers in recent years and has been the main focus of many cyber criminals. This is because it’s much easier to steal a trusted insider’s credentials and bypass traditional cyber security controls than it is to break through the firewall.
WHAT ARE THE CAUSES OF INCIDENTS AND DATA BREACHES?
Not surprisingly, using stolen credentials topped the list of causes for data breaches. A common saying is “It’s easier to ask the employee for their password than try to guess it”, so social engineering continues to be a very successful tactic for hackers. For most employees the only security protecting access is a password, and once the cyber-criminal has it they can easily bypass most company’s security controls.
RAM Scrapping was high up on the list used mostly to capture more sensitive data and privileges. This enables the hacker to get the information needed to go deeper and further into the network, so they can carry out the malicious activity and hide their tracks.
Privilege Abuse is still a major problem for organizations who fail to implement privileged access management solutions. As a result, their employees have high-level privileges that are typically unnecessary to perform their jobs. These privileges go unmanaged and unprotected, leaving the organization exposed to unnecessary risk.
Other common causes are Phishing and errors likely occurring from misconfigurations.
Privileged abuse is also still a huge topic in the report, with the top motive for privilege abuse being financial. The number of credentials being stolen increased significantly compared to previous years, in line with my predictions that credentials are now the most targeted by cyber criminals who use them to blend in with normal authorized traffic, carry out malicious activity and remain hidden with valid credentials. This stood out as an area that needs more attention in cyber security. Personal information theft also kept with the upward trend.
WHO ARE THE INSIDERS TO BE WATCHING?
With 28percent of Incidents and Data Breaches being attributed to insiders, do you know which employees you should be cautious about giving privileged access to, given that it increases the possibility of abuse? This abuse can include walking into their next job with your organization’s sensitive data, selling your information to a competitor, and using it for financial gain or because they’re unhappy with you.
The one thing about insiders is they want to ensure they get away with the criminal act, so who are top of the list likely to carry out such actions? Top of the list is System Administrators who have been given the keys to the kingdom and therefore have access to sensitive data and can make changes on the network and to logs to hide their tracks. This is followed by End-Users, but to me this is kind of a catch-all because at the end of the day isn’t everyone an end-user in some form or another? So, it comes down to what level of access each one has been given to company assets.
WHAT DO HACKERS WANT?
So, another major interesting reading point in the report was what exactly hackers and cyber criminals are after. In the report it highlighted that the most sought-after assets are Databases, Point of Sales—both Servers and Client devices, Web Applications, Desktops and documents being the most attractive company assets being targeted.
“PERSONAL INFORMATION IS THE MOST VALUABLE CORPORATE ASSET”
The data being stolen by cybercriminals in data breaches are personal information, payment details, medical, credentials and internal IP.
EMAIL CONTINUES TO BE THE PRIMARY DELIVERY METHOD OF MALCIOUS MALWARE
If you are still using email today you are more likely to be a victim of ransomware or malicious malware via a simple email. The message contains a malicious link or attachment and all it takes is for one single employee to click on it. Phishing is usually a primary step in a larger cyber-attack, typically used to try and get one foot in the door so the cyber-criminal can use a stolen compromised account to carry out a much larger cyber-attack.
Phishing emails typically use 3 key methods to get the victims to trust it: Fear, Time and Impact. Phishing emails will use those methods when the employee is most distracted by other tasks.
CONCLUSION AND RECOMMENDATIONS
The annual Verizon Data Breach Investigations Report, as always, is a great read and keeps you up to date on all things that have happened in the past year, changes in techniques and the growing trends. Like which industry needs to be more vigilant about certain cyber-crimes versus others.
Cyber security is quickly becoming part of everyone’s daily life and can longer be separated into personal and work life. In the past cyber-attacks were usually only a concern for the workplace though today that is no longer the situation. Today cyber-attacks are more common and affect everyone connected to the internet.
Cyber-attacks are going to be the biggest threat to every human being and business on earth and will be the trigger for future wars and political instability.
Below are my key hacker recommendations to avoid being a victim:
- Educate all key stakeholders on the fundamentals of cyber security.
- Take a people-centric approach to cyber security that prioritizes ease of use and is less complex.
- Implement Multi-Factor Authentication for emails and all sensitive privileged accounts.
- Enable encryption to protect user credentials and privacy.
- Automate the management and security of privileged access using a privileged access management solution.