Verizon Breach Report: Attackers Take Only Seconds To Capitalize On A Basic Security Mistake

Weak and stolen passwords, poorly configured systems and error-riddled applications are at the core of nearly every data breach and security incident, according to the 2014 Verizon Data Breach Investigations Report, the security industry's annual analysis of data breaches, released Tuesday.

Attackers often exploit basic security missteps in seconds, found the report, which has become the security industry's go-to document for identifying popular hacking techniques and common lapses in data protection strategies.

Verizon analyzed more than 1,300 confirmed data breaches that took place in 2013. Two out of three breaches involved the use of weak or stolen account credentials, prompting the need for the adoption of two-factor authentication, said Christopher Porter, a managing principal at Verizon.

[Related: Verizon 2014 Data Breach Report: The Bad Guys Are Winning ]

Sponsored post

"Criminals have lists of default passwords and stolen credentials, and when that doesn't work they're brute-forcing their way in," Porter told CRN. "Two-factor authentication could go a long way to making it difficult for criminals to move anywhere once they gain access to a corporate network."

The Verizon analysis found that businesses are getting better at proactive network monitoring and at reviewing system logs to detect threats, but cybercriminals are getting more efficient at compromising systems, according to Porter. Internal discoveries are steadily increasing, but law enforcement is still typically the bearer of breach news, he said.

Businesses do a poor job of monitoring systems to detect attacks because it is expensive, there aren't enough skilled IT professionals to do the job, and spotting potential problems from thousands of events is difficult, said Arthur Hedge, CEO of Morristown, N.J.-based managed security service provider Castle Ventures, which reviews system logs and provides network monitoring services. Organizations need to do a better job of integrating IT operations with security to reduce false positives and make monitoring a more efficient practice, Hedge said.

"There are lots of alarms, security events and infrastructure failures due to misconfigured servers or application errors," Hedge said. "IT infrastructure operations and security need to have a process to communicate so that those annoyances can get fixed immediately because they mask the security incidents that the security team needs to investigate."

NEXT: Businesses Struggle To Prioritize Risk

Greg Bell, IT director at Nashville, Tenn.-based DCI Donor Services, a provider of tissue bank services, said his IT team of seven relies on Trend Micro for endpoint security protection, but the company's field managers handle donor cases from remote locations, making the process of securing systems more complicated. The Verizon analysis found that lost or stolen devices -- mainly laptops -- were the biggest cause of data breaches in the health-care industry. At DCI Donor Services, Bell's team is currently deploying additional monitoring to watch traffic flow at key entry points to the corporate network. The increased visibility will help the team detect threats and prioritize risk reduction efforts, Bell said.

"We're just going to have far more proactive and valuable information we can use to protect systems that provide key services," Bell told CRN. "It's the things we don't see coming that worry me the most, and I think the biggest thing for us is to identify and react as quickly as we can to threats so that we can contain a problem before it gets out of control."

For the first time, the 2014 Verizon Data Breach Investigations Report contained information gleaned from 63,000 confirmed security incidents. Verizon said this year's data was collected from 50 organizations, including industry information security and analysis centers, law enforcement agencies from various countries, security vendors and private sector organizations.

The Verizon analysis combined threat actors, hacking techniques and the assets being targeted by attackers to uncover common incident patterns for the first time. According to Verizon, nine patterns can describe 92 percent of the more than 100,000 security incidents it has collected over the past decade.

Web application attacks, cyberespionage and card skimming are the top three incident patterns that result in data breaches, Verizon said. But a review of tens of thousands of security incidents found employees at the core of many security incidents.

Miscellaneous errors such as emailing personally identifiable information topped the list of incident patterns. Human errors were associated with more than 16,500 security incidents and 412 confirmed breaches in 2013. Insider threats and privilege abuse, an often underreported issue, also ranked high over the 10-year review period. Verizon said malicious insiders and partners were associated with more than 11,000 security incidents and 112 data breaches in 2013, mainly by abusing account privileges.

NEXT: Verizon Report Highlights Need For Patch Management

Web application attacks and cyberespionage were the top two patterns associated with data breaches, according to the Verizon report. Web applications were exploited in nearly 500 confirmed 2013 data breaches Verizon analyzed, highlighting the need for patch management and vulnerability scanning. The use of strong passwords and updating frequently targeted content management systems, such as Drupal, Joomla and Wordpress, would have helped prevent many of the breaches and security incidents, Porter said.

Most organizations are not equipped to fully deal with Web application attacks, said Larry Ponemon, founder and chairman of the Ponemon Institute. In a study commissioned by SQL injection protection vendor DB Networks, Ponemon found it took organizations six months to detect an attack that used SQL injection to gain access to data in the underlying Web server. Organizations aren't addressing vulnerabilities and are not adequately protecting against attacks that target them, Ponemon said.

"In general we find that a lot of organizations really underfund and underprioritize certain areas of security, including addressing Web application vulnerabilities," Ponemon said. "The big funding seems to be on the networking side now, but businesses should look at areas that pose the greatest risk."

Verizon's Porter said it is important for businesses to defend against threats that impact their systems most. Porter referred to the SANS Institute's Top 20 Critical Security Controls, a framework developed by a consortium of U.S. and international agencies. Businesses should identify how their industry is most commonly targeted, Porter said. Apply the security best practices outlined in the document by prioritizing measures with common industry attack patterns, he said.

"Accommodation and retail industries have different controls that need to be put in place than health care does, where data loss is associated commonly with theft of devices," Porter said. The most important way to prioritize is to look at it vertically."

Cyberespionage attacks that stealthily infiltrate a manufacturer, a government organization or think tank to steal internal corporate data and trade secrets increased significantly from the 2013 Verizon report. The 511 security incidents tripled the number from 2013 report, partially due to an increase in data submitted by companies that specialize in investigating the activity. Verizon said there were 306 data breaches associated with cyberespionage activity. Attackers tricked employees into opening malicious file attachments or infected their systems using drive-by attack websites to gain an initial foothold into organizations, Verizon said. State-sponsored attacks made up 81 percent of the security incidents and the Verizon analysis also found incidents associated with organized criminal groups, and industry competitors. Attacks are most often attributed as emanating from China, and the U.S. had the most victim organizations, according to the report.

Detection of cyberespionage attacks are difficult, even with the latest network security appliances and endpoint security software designed to detect custom malware used in some attacks, Porter said. Cyberespionage is rising because there is a lot of time and effort being devoted to detecting discrete information associated with the threat, he said.

"There's no fraud algorithm for this type of activity like the financial services industry has," Porter said. "If you are an espionage actor and stealing IP or sensitive documents or reading someone's email, there's no concrete information that can be used to detect malicious activity."