C-Level executives with access to a company’s most sensitive information are now the major focus for social engineering attacks. According to Verizon’s 2019 Data Breach Investigations Report, senior executives are 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in previous years. Financial motivation remains the key driver. Financially-motivated social engineering attacks (representing 12% of all data breaches analysed) are a key topic in this year’s report, highlighting the critical need to ensure that all employees within a business are made fully aware of the potential impact of cyber crime.
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience,” commented George Fischer, president of Verizon Global Enterprise. “Supply chain data, video and other critical and often personal data will be assembled and analysed at eye-blink speed, changing how applications use secure network capabilities. Security must remain front and centre when implementing these new applications and architectures.”
Fischer went on to state: “Technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape so that you can develop and action a solid plan to protect your business against the reality of cyber crime. Knowledge is power. Our report offers organisations large and small a comprehensive overview of the present cyber threat landscape such that they can quickly develop effective defence strategies.”
A successful pre-texting attack on senior executives can reap large dividends as a result of their (often unchallenged) approval authority and privileged access when it comes to critical systems. Typically time-starved and under pressure to deliver, senior executives may quickly review and click on e-mails prior to moving on to the next (or have assistants managing e-mail on their behalf), making suspicious e-mails more likely to infiltrate the system. The increasing success of social attacks such as business e-mail compromises (which represent 370 incidents or 248 confirmed breaches of those analysed by Verizon) can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cyber crime.
This year’s findings also highlight how the growing trend to share and store information within cost-effective cloud-based solutions is exposing companies to additional security risks. Verizon’s analysis found that there was a substantial shift towards the compromise of cloud-based e-mail accounts via the use of stolen credentials. In addition, publishing errors in the cloud are increasing year-on-year. Misconfiguration (ie ‘Miscellaneous Errors’) resulted in a number of massive cloud-based file storage breaches, exposing at least 60 million records analysed in the Data Breach Investigations Report data set. This accounts for 21% of breaches caused by errors.
Bryan Sartin, executive director of security professional services at Verizon, observed: “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed. They really need access to cyber detection tools to gain access to a daily view of their security posture, supported by statistics on the latest cyber threats. Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses and impacts the bottom line.”
Major report findings in summary
The Data Breach Investigations Report continues to deliver comprehensive data-driven analysis of the cyber threat landscape. Major findings of the 2019 report include the following:
*New analysis from the FBI’s Internet Crime Complaint Centre (IC3) Provides insightful analysis of the impact of business e-mail compromises and computer data breaches. The findings highlight how the former can be remedied. When the IC3 Recovery Asset Team acts upon business e-mail compromises and works with the destination bank, it was found that half of all US-based business e-mail compromises had 99% of the money recovered or frozen, while only 9% had nothing recovered
*Attacks on Human Resources personnel have decreased from last year The report’s findings suggest that there have been six times fewer Human Resources personnel impacted this year compared to last
*Chip and PIN payment technology has started delivering security dividends The number of physical terminal compromises in payment card-related breaches is decreasing compared to web application compromises
*Ransomware attacks are still going strong They account for nearly 24% of incidents where malware was used. Ransomware has become so commonplace that it’s less frequently mentioned in the specialist trade media unless there’s a high profile target involved
*Media-hyped cryptomining attacks were hardly existent These types of attacks were not listed in the Top 10 malware varieties, and only accounted for roughly 2% of incidents
*Outsider threats remain dominant External threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34% of all breach episodes in the last 12 months
Putting business sectors under the microscope
Once again, this year’s report from Verizon highlights the biggest threats faced by individual industries, and also offers guidance on what companies can do to mitigate these risks.
“Every year, we analyse data and alert companies as to the latest cyber criminal trends in order for them to refocus their security strategies and proactively protect their businesses from cyber threats,” commented Sartin. “However, even though we see specific targets and attack locations change, ultimately the tactics used by the criminals remain the same. There’s an urgent need for businesses large and small to put security and the protection of their customers’ data first. Often, even basic security practices and common sense deter cyber crime.”
Industry findings of note in the 2019 report include the following:
*Education There was a notable shift towards financially motivated crime (80%). 35% of all breaches were due to human error and approximately a quarter of breaches arose from web application attacks, most of which were attributable to the use of stolen credentials used to access cloud-based e-mail
*Healthcare This business sector continues to be the only industry to show a greater number of insider attacks compared to external attacks (60% versus 42% respectively). Unsurprisingly, medical data is eighteen times more likely to be compromised in this industry and, when an internal actor’s involved, it’s 14 times more likely to be a medical professional such as a doctor or nurse that’s involved
*Manufacturing For the second year in a row, financially motivated attacks outnumber cyber espionage as the main reason for breaches in manufacturing, and this year by a more significant percentage (68%)
*Public Sector Cyber espionage rose this year. However, nearly 47% of breaches were only discovered years after the initial attack
*Retail Since 2015, Point of Sale breaches have decreased by a factor of ten, while Web Application breaches are now thirteen times more likely
More data means deeper insights
“We’re privileged to include data from more contributors this year than ever before, and had the pleasure of welcoming the FBI into our fold for the very first time,” added Sartin. “We’re able to provide the valuable insights from our Data Breach Investigations Report research as a result of the participation of our renowned contributors. We would like to thank them all for their continued support and welcome other organisations from around the world to join us in our forthcoming editions.”
This is the 12th Edition of the Data Breach Investigations Report and boasts the highest number of global contributors so far. There have been 73 contributors in total since its launch in 2008. The 2019 document contains an in-depth analysis of 41,686 security incidents (including 2,013 confirmed breaches). With this increase of contributors, Verizon saw a substantial escalation in the volume of data (totalling approximately 1.5 billion data points of non-incident data, in fact) to be analysed.
This year’s report also debuts new metrics and reasoning which helps to identify which services are seen as the most lucrative for attackers to both scan for and attack at scale. This analysis is based on honeypot and Internet scan data.
*The complete Verizon 2019 Data Breach Investigations Report is available to view on the Data Breach Investigations Report resource page. Any organisation wishing to become a Data Breach Investigations Report contributor going forward should e-mail email@example.com for further information
Comment from industry specialists
Mandeep Sandhu, principle solutions engineer at SentinelOne, explained: “The new Verizon Data Breach Investigations Report again highlights that organisations lack of visibility into their infrastructure. This is still a key issue. However, given the volume of security alerts and incidents that need to be manage, teams are often overwhelmed. Autonomous security can help with these high volumes, allowing for more focus on monitoring and securing high target systems – as 60% of attacks involved hacking a web application – or individuals like the C-Level executives mentioned within the document.”
In conversation with Risk Xtra, Sandhu continued: “With cyber attacks increasing in their complexity, security teams need to be able to quickly identify and understand all cyber criminal activity across their organisation’s environment. That includes third party/supply chain environments as well. Organisations should aim to use technologies designed to detect and respond to cyber criminal activity as they often have access to all attack details and therefore have the ability to restore files and system configurations with minimal impact to business operations. This is especially important in ransomware attacks.”
Chris Ross, a cyber security expert at Barracuda Networks, said: “The Verizon 2019 Data Breach Investigations Report results highlight just how critical e-mail protection really is at present. Phishing remains big business, with 32% of data breaches using phishing techniques. The most worrying finding, however, is the focus that cyber criminals are now placing on targeting C-Level executives. As we all know, senior execs often have wide-ranging access to critical data due to their seniority in the business. However, they’re also extremely time poor and sometimes have executive assistants managing their e-mail accounts for them. The report reveals that senior execs are 12 times more likely to be the target of social incidents and nine times more likely to be targeted by social breaches than in previous years. This comes as no surprise to us, as senior executive attacks are often extremely lucrative, adding many zeros to the end of cyber criminals’ revenues.”
Ross added: “However, there’s good news for those working in HR. Attacks on HR teams are down compared to last year. The report also suggests financial motivation remains the key driver for attacks. With that in mind, it’s clear cyber criminals are still going where the money is. If we’ve learned anything in our time in cyber security, it’s that criminals always respond to what’s going to net them the most income. Attacks aimed at senior execs are clearly what’s working at the moment. All of this illustrates more clearly than ever that security technology by itself is no longer enough. It’s imperative that employers educate their staff – at all levels – to be more aware, and especially so when it comes to phishing and social engineering attacks.”
Disturbing trends highlighted
Bob Rudis, chief data scientist at Rapid7, told Risk Xtra: “There are at leas two disturbing trends in the 2019 Data Breach Investigations Report. First, the rise of breaches involving state-affiliated actors, which is set to eclipse organised crime actors as the apex adversary, and second the data-supported confirmation that we’re definitely facing adaptable adversaries who will do almost anything to attain what they want.”
Rudis continued: “I suspect many incompetent Audit Departments are going to zoom in on that ‘System Admin’ line with utter glee and use it to double down on draconian findings that do little more than impair the ability of security teams to focus on real threats. If you read the nearby text in the Data Breach Investigations Report you’ll see that most of these ‘System Admin’-caused breaches are, in fact, due to errors rather than rogue admins planting logic bombs. These errors are generally server misconfigurations.”
Morey Haber, CTO and CISO at BeyondTrust, informed Risk Xtra: “The results of the Data Breach Investigations Report make it exceedingly clear to us that organisations need to focus on security basics and be persistent with disciplines under their control. Good security hygiene, privilege and password management, intelligent patching and continuous vulnerability management lead to meaningful improvements in data breach protection based on the findings in this year’s report.”
Haber added: “Many findings in this year’s Data Breach Investigations Report substantiate what we saw in our own 2018 Privileged Access Threat Report. We’re looking forward to the findings of our 2019 report which will be released later on this year.”
BeyondTrust’s Top Five recommendations for organisations seeking to immediately strengthen their security postures are as follows:
*Deploy patches for known vulnerabilities as soon as possible in order to mitigate the attack surface of external parties seeking to become insiders by leveraging credentials to move laterally throughout an organisation. Lateral movement can lead an attacker to exfiltrate data from a file server or database, which – as the Verizon report tells us – is much more damaging than owning a single user device
*Deploy a password management solution that discovers every account in the environment, securely stores and manages credentials, requires an approval process for check-out, monitors activity while checked out and rotates the credential upon check-in. Look for a workflow-based process for obtaining privileges. If requests happen during normal business hours and within acceptable parameters, set auto-approval rules to enable access without restricting admin productivity. However, if time, day or location indicators point to something out of the ordinary, then secure workflows can ensure the access is appropriate
*Segment your network or implement a secure enclave to ensure all privileged accounts (of employees, contractors and third parties) do not have direct access to manage devices. This model ensures that only approved devices and restricted network paths can be used to communicate with sensitive resources
*Enforce least privilege across your entire environment by removing local admin rights from end users and restricting the use of admin and root account privileges to servers in your Data Centre. Elevating rights to applications on an exception basis and employing fine-grained policy controls once access is granted can further limit the lateral movement of would-be attackers
*Implement multi-factor authentication. This raises the bar given the number of breaches that involve weak, stolen or default credentials. Attackers need credentials to move laterally and multi-factor authentication makes that movement more difficult. When reviewing the need for multi-factor authentication, the only right answer is ‘every user, every account’