by Jasmine Chennikara-Varghese
This year’s Verizon Data Breach Investigations Report (DBIR) analyzes the current threat landscape and offers insights for improving cyber defenses. The 2019 DBIR is based on data gathered from more than 40,000 security incidents and over 2,000 confirmed data breaches across 86 countries. The real-world data in the DBIR reinforces that basic security measures such as user training, multi-factor authentication and continuous monitoring remain effective defenses against compromise. Here are some key highlights from the report:
- Targets: C-level executives were 12 times more likely than in previous years to be the target of social engineering incidents. Small businesses accounted for 43% of breach victims. Financial gain remained the most common motive behind data breaches, at 71%. To track these attacks, the DBIR defined a new subset of data called financially motivated social engineering (FMSE), which covers credential theft and deceiving people into transferring money to fraudulent accounts. FMSE affected all industries, but it was most likely to target Professional Services, Healthcare and Finance organizations.
- Methods: While ransomware attacks were down, threat actors used backdoors, compromised credentials and privilege escalation to gain access to critical systems. Phishing email was involved in 32% of breaches, and 29% involved the use of stolen credentials. More than half of breaches (52%) involved hacking, 33% involved social engineering and about 28% involved malware. Insiders continued to play a critical role, with internal actors involved in 34% of breaches. Misuse by authorized users, such as privilege abuse, data mishandling and unapproved workarounds, accounted for 15% of data breaches. Human error, such as misconfiguring servers to allow unauthorized access, was the cause of 21% of breaches. To minimize these insider threats, strict access controls and user provisioning, together with continuous monitoring of user activity in business applications, are essential.
- Cloud Exposure: Cloud applications were not immune to attack, and misconfigured cloud storage exposed at least 60 million records. More than half of web application attacks involved the use of stolen credentials against cloud-based email servers. Once threat actors had access to a mailbox and the underlying email service, they sent phishing email from the compromised account, launched business email compromise (BEC) campaigns or compromised administrator accounts to gain full access to the environment. Improving user training, requiring multi-factor authentication, applying a least-privilege user model and leveraging user behavior analytics can mitigate incidents that begin with stolen credentials.
- Detection: While attackers typically took minutes to compromise an information asset, organizations were still much slower to discover the intrusion. More than half of data breaches took months or longer to detect. The long “dwell time” between compromise and detection gave threat actors more time to perform malicious activity, exfiltrate confidential data, steal further credentials and commit fraudulent transactions. Visibility into activity in critical applications and databases lets organizations detect compromise earlier and reduce dwell time.
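The Cloud Exposure and Detection points above describe the same problem from two sides: a stolen or guessed password lets an attacker sign in to a cloud mailbox and start sending mail, and the breach goes unnoticed for months because nobody is watching sign-in behaviour. The script below is an added illustration of the kind of user behavior analytics the report recommends; it is not Greenlight product code and not from the DBIR. It builds a per-user baseline of sign-in countries, then flags a successful sign-in from a country outside that baseline (raised to high severity when a burst of failures precedes it, which suggests password guessing or credential stuffing) and escalates when the same account sends a large mail burst shortly afterwards. The log format, field names, thresholds and the sign-in events themselves are all constructed for the example.

```python
"""Toy user-behaviour detection over constructed cloud-mail sign-in events.

Added example, not Greenlight's code or anything published in the DBIR.
Constructed log format: "<ISO timestamp> <user> <action> <ip> <country> [count]"
where action is login_ok, login_fail or mail_sent (count = recipients).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    ip: str
    country: str
    count: int = 0  # recipient count for mail_sent, 0 otherwise


def parse_line(line: str) -> Event:
    parts = line.split()
    count = int(parts[5]) if len(parts) > 5 else 0
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2],
                 parts[3], parts[4], count)


# Tunables: assumptions chosen for the example, not values from the report.
FAIL_BURST = 3                     # failures before a success that suggest guessing
FAIL_WINDOW = timedelta(minutes=30)
MAIL_WINDOW = timedelta(hours=2)   # how long after an odd login a send burst is linked to it
MAIL_BURST = 50                    # recipients in one send that counts as a phishing burst


def baseline_countries(events, cutoff):
    """Countries each user successfully signed in from before `cutoff`."""
    base = {}
    for e in events:
        if e.action == "login_ok" and e.ts < cutoff:
            base.setdefault(e.user, set()).add(e.country)
    return base


def detect(events, cutoff):
    """Return alerts for events at or after `cutoff`, using earlier events as baseline."""
    events = sorted(events, key=lambda e: e.ts)
    base = baseline_countries(events, cutoff)
    alerts = []
    flagged = {}  # user -> timestamp of most recent anomalous login
    for i, e in enumerate(events):
        if e.ts < cutoff:
            continue
        if e.action == "login_ok" and e.country not in base.get(e.user, set()):
            # A success from a never-seen country is suspicious on its own (phished
            # password); a preceding failure burst points at guessing or stuffing.
            fails = sum(1 for f in events[:i]
                        if f.user == e.user and f.action == "login_fail"
                        and e.ts - f.ts <= FAIL_WINDOW)
            alerts.append({"user": e.user, "ts": e.ts,
                           "rule": "login_from_new_country",
                           "severity": "high" if fails >= FAIL_BURST else "medium",
                           "detail": f"{e.country} via {e.ip}, {fails} failures in prior 30 min"})
            flagged[e.user] = e.ts
        elif e.action == "mail_sent" and e.count >= MAIL_BURST:
            # Mail burst right after an anomalous login: the phishing/BEC stage.
            t = flagged.get(e.user)
            if t is not None and e.ts - t <= MAIL_WINDOW:
                alerts.append({"user": e.user, "ts": e.ts,
                               "rule": "mail_burst_after_anomalous_login",
                               "severity": "critical",
                               "detail": f"{e.count} recipients from {e.ip}"})
    return alerts


# Constructed sample: alice is credential-stuffed, carol's password is simply reused
# from elsewhere (no failures), bob is normal activity.
LOG = """\
2019-05-01T09:00:00 alice login_ok 203.0.113.5 US
2019-05-02T09:05:00 alice login_ok 203.0.113.5 US
2019-05-02T10:00:00 carol login_ok 203.0.113.9 US
2019-05-03T08:58:00 bob login_ok 198.51.100.7 US
2019-05-10T02:00:00 alice login_fail 192.0.2.44 NG
2019-05-10T02:01:00 alice login_fail 192.0.2.44 NG
2019-05-10T02:02:00 alice login_fail 192.0.2.44 NG
2019-05-10T02:03:00 alice login_ok 192.0.2.44 NG
2019-05-10T02:20:00 alice mail_sent 192.0.2.44 NG 120
2019-05-10T09:00:00 bob login_ok 198.51.100.7 US
2019-05-10T09:30:00 bob mail_sent 198.51.100.7 US 8
2019-05-11T14:00:00 carol login_ok 198.51.100.23 DE
"""
CUTOFF = datetime(2019, 5, 5)


def demo_alerts():
    return detect([parse_line(l) for l in LOG.splitlines()], CUTOFF)


if __name__ == "__main__":
    for a in demo_alerts():
        print(a["ts"].isoformat(), a["severity"], a["user"], a["rule"], a["detail"])
```

On the sample data this produces three alerts: a high-severity new-country login for alice after three failures, a critical mail burst seventeen minutes later, and a medium-severity new-country login for carol with no preceding failures. In a real deployment the baseline would come from weeks of sign-in history rather than a cutoff date, and the country comparison would usually be supplemented with ASN, device and time-of-day features, but the structure is the same: a per-user baseline, deviation from it, and escalation when the deviation is followed by the post-compromise activity the report describes.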
Greenlight solutions provide user provisioning and user privilege auditing, as well as enhanced visibility into business applications and transactions in the cloud and on-premises. Learn how you can improve your cybersecurity defenses with Greenlight and better navigate the threat landscape reported in the 2019 Verizon DBIR.