Ransomware remains the top cyber security threat to organisations, humans continue to be significant weakness and HR departments are a top target, according to the latest Verizon Data breach investigations report.
Ransomware attacks are a key cyber security threat for companies of all sizes around the world, warns Verizon’s 2018 Data breach investigations report (DBIR).
Ransomware is the most common type of malware, found in 39% of malware-related data breaches – double that of the previous year, and accounts for over 700 incidents, according to the report based on data from 67 contributing organisations, and analysis of more than 53,000 incidents and more than 2,200 breaches in 65 countries.
Verizon’s analysis shows that ransomware attacks are now moving into business critical systems, which encrypt file servers or databases, inflicting more damage and commanding bigger ransom requests.
Despite the threat, the DBIR shows that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom.
“When it comes to ransomware, organisations need to ensure they have good visibility across their IT environment, that there is a clear strategy around network segmentation to limit the spread of ransomware, and that there is a fast and efficient patch management programme in place,” said Ali Neal, director of international security solutions at Verizon.
“Last year, there were a lot of sales from technology providers on the back of the most notable ransomware outbreaks, but while some of those have been integrated into organisations’ broader cyber defence programmes, some of them have remained as point solutions, which as such, cannot realise the value or level of protection expected,” he told Computer Weekly.
According to Bryan Sartin, executive director security professional services at Verizon, the security industry needs to help organisations to take a more proactive approach to their security. “Helping them to understand the threats they face is the first step to putting in place solutions to protect themselves,” he said.
The report shows the human factor continues to be a key weakness, with employees are still falling victim to social attacks.
DBIR analysis also flags a shift in how social attacks such as financial pretexting and phishing are used, with these types of attacks representing 98% of social incidents and 93% of all breaches investigated.
Email-borne threats also continue to be a huge threat, with email being the point of entry for attackers in 96% of breaches investigated.
Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasising the need for ongoing employee cyber security education, the report said.
Attacks such as these, which continue to infiltrate organisations via employees, are now increasingly a departmental issue, the report said. Analysis shows that human resource (HR) departments across multiple verticals are now being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.
Pretexting, where attempts are made to trick employees into doing something such as transfer funds, has more than doubled in the past year to 170 incidents, up from just 61 incidents the previous year. Nearly 52% of these incidents specifically targeted HR staff to obtain personal data for the filing of file fraudulent tax returns.
Phishing attacks cannot be ignored
Phishing attacks cannot be ignored, the report said. While on average 78% people did not fail a phishing test last year, 4% of people do for any given phishing campaign, and the report notes that a cyber criminal only needs one victim to get access to an organisation.
Sartin said the findings underline the need for organisations to continue to invest in employee education about cyber crime and the detrimental effect a breach can have on brand, reputation and the bottom line. “Employees should be a business’s first line of defence, rather than the weakest link in the security chain. Ongoing training and education programs are essential,” he said.
Beyond education, Neal said organisations again need to segment their data so that critical data is separate and behind appropriate protections.
“Organisations also need to look at which data sets need to be encrypted, and at privilege access management to ensure that only appropriate people have access to the data and to minimise the risk of privilege escalation,” he said.
This approach, said Neal, means that even if someone is tricked into clicking on a malicious link, the organisation’s most critical data is protected by segmentation, strict access controls and encryption.
“Businesses find it difficult to keep abreast of the threat landscape, and continue to put themselves at risk by not adopting dynamic and proactive security strategies,” said George Fischer, president of Verizon Enterprise Solutions. “Verizon gives businesses data-driven, real-life views on the cyber threat landscape, not only through the DBIR series, but also via our comprehensive range of intelligent security products and services.
“This 11th edition of the DBIR gives in-depth information and analysis on what’s really going on in cyber crime, helping organisations to make intelligent decisions on how best to protect themselves,” he said.
DDoS attacks extremely common
Although not strictly a data breach, the report notes that distributed denial of service (DDoS) attacks are extremely common, can impact any organisation and are often used to hide or distract from other malicious activity.
Other key findings of the report include that in data breaches investigated in the past year, organised crime groups still account for 50% of the attacks and most attackers are outsiders. However, the report notes that one breach can have multiple attackers. The data shows that while 72% of attacks were perpetrated by outsiders, 27% involved internal actors, 2% involved partners and 2% featured multiple partners.
Overall, the report notes that “yet again” cyber criminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes, and part of the problem, according to Neal, is that many organisations try to solve their security challenges by buying additional security technologies, while in reality the problem they need to solve is a business process issue.
“The average enterprise has something like 60 different security technologies that are put in place, such as Siem [security information and event management] engines, endpoint solutions and next generation firewall platforms, but this is not a single point technology issue,” he said.
Apart from well-resourced organisations, such as those in the financial sector, Neal said most organisations suffer from a lack of integrated and well-defined business processes. “Managed service providers as well as individuals organisations have to is to start tying security systems and information together in a better format, because ultimately, most organisations are looking for a smaller number of more strategic, informed partners pulling on a bigger set of levers with the ambition of automation and AI [artificial intelligence] doing the volume work under the hood rather than the current world of disconnected technologies that work with varying degrees of efficacy.”
Commenting on the finding that most victims (58%) are characterised as small businesses, Neal said these organisations need to pay more attention to their outsourcing strategy in terms of what they can do with their internal resources and what they need to get from outsourcing partners.
“As organisations, particularly small businesses, increasingly move to the cloud, they need to ensure that they have the necessary strength and security in those outsourcing agreements to protect the business,” he said.
This year’s DBIR highlights the biggest threats faced by individual industries, and also offers guidance on what companies can do to mitigate against these risks.
“I am not sure many organisations fully understand their particular enterprise risk profile, especially in the light of the fact that we are moving to a world where there is a need to quantify and qualify risk posture more dynamically and more empirically informed with data across the environment to inform a decision on whether to transfer or mitigate that risk through integrated controls,” said Neal.
Key industry findings include that in the education sector, social engineering targeting personal information is high, which is then used for identity fraud. Highly sensitive research is also at risk, with 20% of attacks motivated by espionage.
In the financial and insurance sector, the report said payment card skimmers installed on ATMs are still big business, but that at the same time there is also a rise in “ATM jackpotting”, where fraudulently installed software or hardware instructs the ATMs to release large amounts of cash. DDoS attacks are also a threat in this sector.
The healthcare sector is the only industry where insider threats are greater than threats from the outside, the report said. Human error also remains a major contributor to healthcare risks.
In the information sector, which includes the publishing, film and music, DDoS attacks account for over half (56%) of the incidents, while in the public sector cyber espionage remains a major concern, with 43% of breaches being espionage-motivated. However it is not only state-secrets that are a target, personal data is also at risk, the report said.
The report urges organisations to take immediate action in the light of the finding that 68% of breaches took months or longer to discover, even though 87% of the breaches examined had data compromised within minutes or less of the attack taking place.
While safety cannot be guaranteed, the report said proactive steps can be taken to help keep organisations from being victims. These include:
- Staying vigilant by monitoring log files and change management systems for early warnings of a breach, training staff to spot the warning signs, and by restricting access to systems and data to only those who need it to do their jobs.
- Patching promptly to guard against many attacks.
- Encrypting sensitive data to make data useless if it is stolen.
- Using two-factor authentication to limit the damage that can be done with lost or stolen credentials.
- Maintaining good physical security because not all data theft happens online.