By Kim Crawley
The annual Verizon Data Breach Investigations Report is a wealth of valuable information about the state of cybersecurity today.
Of course, data breaches remain one of the biggest problems in cybersecurity. Many of the worst breaches expose financial data, authentication credentials, and sensitive legal and medical information. In the wrong hands, this data can help cybercriminals access organizations’ and individuals’ most sensitive data and valuable networks.
Ransomware that targets enterprises is also growing. In fact, ransomware incidents are up 13 percent from the previous year, a larger increase than the previous five years combined. Another data breach vulnerability trend is an increase in human exploitation, whether by phishing, stolen credentials or user errors.
The DBIR is a massive report that resulted from Verizon analyzing a large number of data breaches, which they’ve also verified directly for authenticity. Here’s how Verizon determines which breaches to include:
“The incident must have at least seven enumerations (e.g., threat actor variety, threat action category, variety of integrity loss, et al.) across 34 fields or be a DDoS attack. Exceptions are given to confirmed data breaches with less than seven enumerations. The incident must have at least one known VERIS threat action category (hacking, malware, etc.).”
Verizon acknowledges that many data breaches still go undetected. Nonetheless, as organizations improve their systems for detecting indicators of compromise (IOCs), there’s a lot of useful data to be analyzed.
Here are five key findings:
- Web application “hacking” and denial of service attacks are the most common actions that threat actors perform in order to unlawfully access sensitive data in networks. For the sake of the report, hacking is defined as “attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.”
- Seventy percent of breaches involve web application hacking, 45 percent involve denial of service, 15 percent involve backdoor malware, 15 percent involve ransomware and 10 percent involve email.
- Malicious access to credentials led to just under 50 percent of breaches, phishing to a bit under 20 percent and vulnerability exploits to about 10 percent.
- Data breaches are mainly caused by external threat actors, but internal threat actors are still a significant risk, too. About 80 percent of threat actors are external to the targeted organization, and 20 percent are internal—an organization’s own employees, contractors and other insiders.
- Even though internal threat actors conduct fewer attacks, internal attacks expose the most records and therefore lead to more destructive data breaches. External threat actor breaches expose a median of 30,000 records, internal threat actor breaches expose a median of 375,000 records, and threat actors with a partnership relationship (often in the supply chain) expose a median of 187,500 records.
Whenever organizations test how vulnerable they are to a data breach, it’s important to simulate internal, external and supply chain attacks. Web application pentesting is also more important than ever. As the DBIR makes clear, it’s critical that every organization test for unauthorized credential exploitation and phishing attacks, too.
Thank you, Verizon, for helping our industry better understand data breach threats! For more information about how Synack can help organizations prevent data breaches, get in touch here.