According to the Verizon 2016 Data Breach Investigations Report, attackers keep exploiting human nature through well-known attack patterns such as phishing and large-scale ransomware campaigns.
The latest report repeats themes from the prior year's findings, with storylines that keep playing on human frailty, including:
- Most attacks exploit known vulnerabilities that have never been patched, even though patches have been available for months or even years. In fact, the top 10 known vulnerabilities accounted for 85% of successful exploits.
- 89% of all attacks involve financial or espionage motivations.
- 63% of confirmed data breaches involve the use of stolen, default or weak passwords.
- 95% of breaches and 86% of security incidents fall into nine patterns.
- Ransomware attacks are on the rise.
- Basic defenses continue to be sorely lacking in many organizations.
Phishing has picked up dramatically over the prior year. It occurs when end users receive an email from a fraudulent source.
According to the new report, 30% of phishing messages were opened, up from 23% in the 2015 report, and 13% of those recipients went on to open the malicious attachment or click the nefarious link, dropping malware and giving attackers a foothold.
Phishing used to be a leading attack pattern mainly in cyber-espionage; it has now spread to seven of the nine incident patterns. It is a very effective technique that offers cyber criminals a number of advantages, such as a very quick time to compromise and the ability to target specific individuals and organizations.
Among the human errors are those committed by organizations themselves. Labeled 'miscellaneous errors,' this incident pattern group takes the No. 1 spot for security incidents in this year's report.
To be precise, 26% of these errors involve sending sensitive information to the wrong person. Other errors in this category include improper disposal of company information, misconfiguration of IT systems, and lost or stolen assets such as laptops and smartphones.
“You might say our findings boil down to one common theme – the human element,” said the executive director of the Verizon RISK team, Bryan Sartin.
“Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”
Another major concern for Verizon's security researchers is the speed at which cybercrime is committed. In 93% of cases it took attackers minutes or less to compromise systems, and in 28% of cases data exfiltration also occurred within minutes.
Compared with the 2015 report, compromises of mobile and Internet of Things (IoT) devices are still not a significant factor in the 2016 DBIR. Nevertheless, the report notes that proof-of-concept exploits are real and that it is only a matter of time before a large-scale breach hits mobile and IoT devices, so organizations should remain vigilant about protecting smartphones and IoT devices.
The latest report also calls out the rise of a three-pronged attack that is being repeated with great regularity. Many organizations are falling prey to this attack, whose stages are:
- A phishing email is sent with a link pointing to a malicious website or, more commonly, a malicious attachment.
- Malware is downloaded onto the individual's PC and establishes the initial foothold. Additional malware can then be used to hunt for secrets and internal information to steal (cyber-espionage) or to encrypt files for ransom. In many cases the malware also steals credentials for multiple applications through keylogging.
- The stolen credentials are used for further attacks, for example to log into third-party websites such as banking or retail sites.
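As an added illustration of where a defender can break this chain at its first stage, the following triage script is not from the report and not Verizon's code; it applies three heuristics to an inbound message that correspond to the indicators the stages above rely on: an envelope sender (Return-Path) whose domain disagrees with the visible From domain, a link whose displayed text names one host while its real target is another, and an attachment with an executable or macro-enabled extension. The sample messages, domains, and filenames are constructed for the example; the checks are heuristics for a mail-triage queue, not a verdict, since legitimate bulk mailers also use a Return-Path on a different domain.

```python
"""Phishing-indicator triage for the first stage of the three-pronged chain
the report describes.  Added example: the sample messages below are
constructed, and the heuristics are illustrative, not a product rule set."""
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions that should rarely arrive unsolicited by mail (illustrative set).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".xlsm"}

# Constructed sample: helpdesk lure, envelope/header sender mismatch, a link
# whose visible text and real target disagree, and a double-extension binary.
SAMPLE_PHISH = """From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <bounce@mail.example.org>
To: user@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your password expires today.
<a href="http://login.example.org/reset">https://portal.example.com/reset</a>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed benign control message: same domain end to end, no links, no files.
BENIGN = """From: "Alice" <alice@example.com>
Return-Path: <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.|[\w-]+(\.[\w-]+)+(/|$))", re.I)
ANCHOR = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def base_domain(host: str) -> str:
    """Crude registrable-domain approximation: the last two labels, lower-cased."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL, tolerating bare 'www.example.com/path' without a scheme."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def flag_phishing_indicators(raw_message: str) -> list:
    """Return a list of {'indicator', 'detail'} findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Envelope sender (Return-Path) and header sender (From) on different domains.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if "@" in from_addr and "@" in return_path:
        from_dom = base_domain(from_addr.split("@", 1)[1])
        rp_dom = base_domain(return_path.split("@", 1)[1])
        if from_dom != rp_dom:
            findings.append({"indicator": "SENDER_DOMAIN_MISMATCH",
                             "detail": f"From {from_dom}, Return-Path {rp_dom}"})

    # 2. Anchor text that shows a URL for one host while href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if LOOKS_LIKE_URL.match(shown) and host_of(shown) != host_of(href):
            findings.append({"indicator": "LINK_TEXT_HOST_MISMATCH",
                             "detail": f"shows {host_of(shown)}, targets {host_of(href)}"})

    # 3. Attachment whose final extension is executable or macro-enabled.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append({"indicator": "RISKY_ATTACHMENT", "detail": name})

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", BENIGN)):
        print(label, flag_phishing_indicators(raw))
```

Run stand-alone it prints three findings for the constructed lure and none for the control message. In practice each finding would feed a score or a quarantine rule rather than block on its own; the Return-Path check in particular should be paired with the SPF and DKIM results the receiving MTA already computes.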