A lack of security common sense still plagues businesses with 30 percent of phishing emails opened by campaign targets. Worse, 12 percent click on the attachments inside those phishing attacks, giving crooks easy access to systems to snarf up credentials that are later used to pull off financially or espionage motivated crimes.
That’s the big takeaway from Verizon’s 2016 Data Breach Investigations Report. Scheduled to be publicly released Wednesday, the report (PDF) taps information from more 100,000 incidents, 2,260 confirmed data breaches from 67 contributors including security service providers, law enforcement and government agencies.
Most alarming is not what’s new in the report, rather what’s old and still causing chaos behind corporate firewalls. Older phishing attacks, malware and weak passwords, Verizon said, are still dominating the threat landscape. Phishing emails, something security experts have warned us about for over a decade, are opened by nearly one out of three recipients. And that’s bad news, compared to 2015’s DBIR report of 23 percent of phishing messages opened by recipients.
“The phishing email is being leveraged by opportunistic and targeted attacks,” said Marc Spitler, a researcher and co-author of Verizon’s Data Breach Investigations Report. “It is being leveraged by state affiliated groups and organized crime. It’s leveraging that human aspect of making targets interact with a link or more often an email attachment.”
And what are those phishing attacks after? In a word, credentials.
Phishing emails, Verizon reports, are packed with exploits within one thing in mind – steal privileged access credentials. Phishing scams are used to open up backdoors that establish footholds and smuggle malware into targeted networks.
Stolen credentials are then used to push the breach further into and across networks in hopes of stumbling on access to financial data or point-of-sale bank card systems. “We call this the birth and re-birth of data breach. The first page of the intruder’s playbook is phishing, but after malware is used to get control over a device attackers go in different criminal directions within a company’s network,” Spitler said.
Once intruders make it in, 89 percent of those data breaches were either financially or espionage motivated, Verizon reports.
Verizon said most attacks compromise a system within days of initial infection – with two-thirds of crooks making off with stolen data within 48 hours after the initial compromise. However, some attackers work at lightning speed, Verizon reports, with a growing number of intruders compromising systems in minutes and make off with stolen data just as fast.
“What’s not happening quickly, and what we’d like to see, is how long it takes to discover intrusions,” Spitler said. “Unfortunately, the time to discovery is not progressing at the same rate as the time to compromise. They are innovating faster than we are,” he said.
For those reasons, things such as single-factor authentication just doesn’t cut anymore. Enterprises need to upgrade to true multifactor protection for network access, Verizon recommends. When it comes to confirmed data breaches, 63 percent involved attackers using weak, default or stolen passwords.
Understanding attack patterns is half the battle when it comes to playing defense, Spitler said.
According to Verizon’s DBIR report 95 percent of breaches fall in to nine patterns: Miscellaneous errors represent 17.7 percent of breaches; insider and privilege misuse (16.3 percent); physical theft and loss (15.1 percent); denial of service (15 percent); crimeware (12.4 percent); web app attacks (8.3 percent), point-of-sale intrusions (0.8 percent); cyber-espionage (0.4 per cent); payment card skimmers (0.2 per cent).