Verizon Analysis: Top 10 Causes Behind Data Breaches
12:00 PM EST Wed. Apr. 24, 2013
The Verizon 2013 Data Breach Investigations Report outlines an analysis of 621 breaches that occurred in 2012. The firm incorporates data from 19 sources, including breach investigations conducted by its own forensics team. The 2013 analysis found that social tactics were broadly tied to most breaches. Attackers use a phishing email containing either a malicious link or a dangerous file attachment. Weak or stolen passwords were used in 76 percent of breaches analyzed by Verizon. The goal appears to be to steal account credentials and bypass security controls by masquerading as a valid user on the network. Here's a closer look at the 10 most interesting findings from the report as well as advice on how to better protect your organization.
Once attackers have access to a corporate network, shell services like SSH and RPC are used to move laterally through an organization, Verizon said. The same encrypted protocols were also used to export stolen data out of the network. Mitigating the threat maps to one of the 20 Critical Controls: organizations should limit network ports, protocols and services and apply conservative device configurations, Verizon said.
Verizon said only 15 percent of the breaches it analyzed had a complete and reliable count of compromised records. Making up the bulk of the stolen data was payment information and stolen account credentials. System information was also stolen, followed by internal data and intellectual property. Verizon said financially motivated attackers favor payment and personal information; cyberespionage attacks target trade secrets, internal organizational data and system information; and hacktivists seek out personal information and internal organizational data. Account credentials are coveted by all. Payment card data should be encrypted and never stored. Stored account credentials should be hashed and salted, a cryptographic process that makes them difficult to crack.
Attackers use weak and stolen passwords to masquerade as privileged users. The Verizon team's analysis of the 2012 caseload found that two-thirds of breaches involved data stored or "at rest" in databases and file servers. Memory-scraping malware, spyware and skimmers were responsible for the rest of the stolen data. "There were no instances in which data was compromised in transit," Verizon said. The data suggests that organizations should review user privileges and harden databases and file servers to prevent unauthorized access to the data, or at least slow an attacker down and increase the chances of detection. In addition, employee use of unapproved hardware and privilege abuse accounted for 13 percent of all breaches analyzed.
Verizon found that 85 percent of initial compromises occur within minutes or seconds. The firm said the high number of smash-and-grab point-of-sale system breaches heavily factored into the timeline it established. It took attackers minutes to hours to steal data in 54 percent of the breaches, Verizon said.
If organizations focus on ways to extend the time it takes for an attacker to explore and locate relevant systems, exploit them and exfiltrate data, the chance for detection increases, Verizon said. "Unfortunately we're not really seeing that improvement," Verizon said in its report.
Spyware was used in 30 percent of all breaches analyzed by Verizon. It was used by both financially motivated cybercriminals and nation-state sponsored targeted attackers. Organized cybercriminals use spyware to steal credit card data swiped at point-of-sale terminals and account credentials typed into online bank accounts, Verizon said. Meanwhile, targeted attackers use spyware to take screenshots on a victim's system or record keystrokes to obtain valid account credentials.
Malware was tied to 40 percent of all breaches, Verizon found. Direct installation of malware by an attacker already on a system is the most common attack vector, accounting for 74 percent of all breaches, Verizon said. Malware distributed via email accounted for 47 percent of all breaches, according to the analysis. A malicious email attachment was used in many espionage breaches. Drive-by downloads accounted for only 8 percent of breaches.
Some form of hacking took place in 52 percent of breaches analyzed by Verizon. Attackers often used a backdoor to gain remote access to a victim's system. In some cases, attackers used SQL injection, a common Web application vulnerability, to gain access to a website and its underlying database servers. Malware and hacking still rank as the most common actions, but they were scaled back rather significantly among 2012 breaches, with social methods increasing, Verizon said.
Verizon said executives and managers make a sweet target for cybercriminals using spearphishing attacks. Executives and managers typically have access to proprietary data. Email is the most common vector of social attacks, and Verizon said executives and managers may be more susceptible to opening a .pdf or .ppt document.
Phishing was used in 22 percent of the breaches Verizon analyzed. Phishing overtook bribery and manipulation to become the most widely used social tactic, Verizon said. Phishing was used in more than 95 percent of targeted attacks. Cybercriminals used the technique against small and large organizations alike. A study conducted by Herndon, Va.-based ThreatSim, a phishing defense firm, found that just three phishing emails give an attacker a better-than-50-percent chance of getting at least one click. Sending 10 phishing emails almost guarantees that an employee will click on a phishing link.
Phishing was four times higher in 2012 breaches when compared to the previous year. Valid account credentials were used by every threat actor. Financially motivated cybercriminals often brute force their way into organizations, exploiting weak passwords in point-of-sale systems. Meanwhile, nation-state sponsored targeted attackers are more discreet, using phishing or malware-laden file attachments to quietly steal credentials from end users or trick them into giving up their username and password. Two-factor authentication can help thwart the use of valid credentials, Verizon said.