The 2017 DBIR is an essential read for organizational leaders, cybersecurity practitioners and security industry professionals. The report provides clear information that helps cyber security practitioners and executives devise strategy, and implement tactical responses to the cyber battlefield of today.
In this year’s 10th publication of Verizon's Data Breach Investigation Report, data from nearly 2,000 confirmed breaches were submitted by IT professionals and analyzed by Verizon security experts.
In the report, 88% (up from last year’s 83%) of incidents fall into same industry categories that were first identified in the 2014 report. These attacks are further categorized into key industries identifying attacker’s tactics and system vulnerabilities. The report recommends several approaches to deal with these cyberattacks.
2017 was the year cyber-espionage and cyber warfare hit mainstream
- 75% of confirmed breaches were caused by outsiders
- A shocking 18% of those breaches caused by state affiliated actors.
Little progress is made in eliminating password risk
- 81% of hacking-related breaches leveraged either stolen and/or weak passwords
Malware via email is still a heavy contributor to hacks
- 51% of breaches included malware
- 66% of malware was installed via malicious email attachments
Financial organizations were most affected
- 24% of all attacks were against financial institutions
- 73% of breaches were financially motivated
- 21% of breaches were related to espionage
Other organizations remain in the sights of attackers
- 15% for healthcare
- 15% for retail and accommodation
- 12% for public sector
Phishing remains a favorite sport for Cybercriminals - despite education
In a typical organization of more than 30 employees:
- 7.3% of users across all industries were successfully phished either by link or attachment
- 15% of unique users are phished once
- 3% clicked more than twice
- 1% clicked more than three times.
- Leading Attack Vectors - weak, stolen or compromised credentials: Sticking to pure username and password authentication practically ensures that a breach is likely. With more than one billion credential records stolen in 2016 weak, stolen or compromised credentials remain the leading vulnerability. Organizations with external customers or members who login to its network should have the highest anxiety.
- Attack of the Botnet Armies using compromised credentials: Botnet armies with millions or billions of purchased credentials will be attempting to use those stolen credentials against poorly secured websites and databases. Botnets don’t sleep, and if you don’t protect your identities, you shouldn’t either!
- Threat Patterns: Outside of botnets, espionage is the leading cause of confirmed breaches, followed by privilege misuse and web attacks drop to 6th place.
- Insider and Privileged Privilege Misuse: While insider threats only accounted for 15% of breaches this is still significant with 277 confirmed breaches.
- Phishing: Security awareness training is important and despite advances in awareness, phishing attack click-throughs are not significantly different from one industry to another.
- Ransomware: In 2016 ransomware attacks were the fifth most common form of malware, up from 22nd. Ransomware is the leading form of crime-ware, with 80% delivered by email and 8% via drive-by downloads.
- Point of Sale: 10% of breaches were POS targets. In 2016 almost 65% of breaches involved the use of stolen credentials, while a little over a third used brute force to compromise POS systems.
Stop the Breach
When you are trying to defend against most these attacks, protecting your identity and enforcing least privilege is critical. Protect your users and their identities by:
- Using behavioral analytics to identify bot-like attacks
- Interrupting automated authentication with multi-factor authentication (MFA) challenges
- Using a trusted infrastructure for credential management
- Managing and securing privileged accounts
- Using an IAM maturity model to reduce risk
- Using workflow to manage access approvals to high value resources
- Giving users ONLY the privileges they need to access resources
- Using enterprise mobility management (EMM) to protect mobile devices used for MFA