You know the saying – the more things change, the more they stay the same. Well, in support of that theory, it's that time of year once again for the Verizon Data Breach Investigations Report (DBIR). If you need a stark reminder of just how bad security is out there – and perhaps some ammunition to support your information security program – you need to check out the 2017 report. It's chock-full of the same things the authors have been reporting over the past decade. In essence: criminal hackers have the upper hand.
Reading through the findings, there are several things that jumped out at me. These are what I believe to be some of the most important ones:
- Eighty-eight percent of breaches fall into the nine patterns that Verizon first identified in its study three years ago. I’m not sure if this suggests we’ve yet to master these areas or that the criminals just know where they can find success.
- Ninety-five percent of phishing attacks that led to a breach were followed by software installation. Once the bad guys get in, they want to stick around for as long as they can. Why not install malware and reside there indefinitely?
- One section in the executive summary document has some headings that I couldn't agree with more. For instance:
  - “No one thinks it's going to be them. Until it is.” Yup! Organizations think they’ve got the basics covered. They clearly don't – otherwise I wouldn’t see what I see in my work and we wouldn’t be hearing the same things from Verizon and other studies year after year. I often see arrogance in executive management and even among IT staff leading them to believe that they’re immune.
  - Another was “People are also still failing to set strong passwords.” Really!? It’s 2017, for crying out loud!
- One thing Verizon mentions is that if you haven't suffered a data breach, you’ve either been incredibly well prepared or very, very lucky. It's more than just being well prepared or lucky, though. I think that a lack of information, and not knowing what to look for, is the real situation in far more cases than we care to acknowledge.
- The majority of attacks (75 percent) are perpetrated by outsiders. No surprises there. Still, a hefty percentage involved insiders. You know, those who are trusted to do most anything at any time with no true oversight. Only two percent involved business partners. Still, given all of the trust in those relationships, not to mention the contracts that lawyers love to rely on for security, you would think that number would be closer to zero.
- Just over one-fourth of breaches were discovered by third parties. You don’t want to be on the receiving end of those types of phone calls.
- Two-thirds of malware was installed via malicious email attachments. Really? If this is not a failure in our messaging and endpoint protection systems, I don't know what it is. Why can't these attacks be stopped? I think they can if you use the proper cloud, server, and endpoint protection. Most people don't. Furthermore, this malware exploits – in many cases – known vulnerabilities in software that simply haven’t been patched in months or years. There’s really no excuse.
- Eighty-one percent of hacking-related breaches leveraged weak and/or stolen passwords. I can understand stolen passwords to an extent, given the complexity of malware and the lack of protection, but there’s absolutely no reason for weak passwords. I'm not surprised, though, given how much pushback I see executive management give many IT and security teams if they tighten down enterprise password policies. So, it’s a policy born in ignorance or old-school thinking that we simply cannot seem to resolve.
- Social attacks were used 43 percent of the time. Many people just don’t see the value of phishing testing, or they mistakenly believe that their default vendor phishing templates are good enough. Most security assessments I’m involved in have zero phishing testing. A penetration test that does not include social engineering via email phishing or other means is not a complete penetration test. That’s indefensible.
- Web-application attacks, one of my favorite areas to study and work in, mostly consisted of stolen credentials and SQL injection. Stolen credentials start elsewhere, but the impact can still be minimized with user behavior analytics and multi-factor authentication. SQL injection exists not necessarily as a fault of developers and QA pros, but because it was not tested for – and discovered – before the bad guys found it. Again, preventable and mostly inexcusable.
As Verizon says, no system is completely secure, but too many organizations are just making it too darned easy. Furthermore, many of the incidents and breaches are entirely avoidable. But why? Knowing what we now know and having access to the resources and tools that are available, I’m having trouble wrapping my head around why we keep seeing the same challenges. Is it because IT departments are overwhelmed? Perhaps there's a lack of budget? Improper tools? Maybe this would be a good time to throw users or unsupportive executives under the bus? I think it's a lot of these things.
There's a strong human psychology component to all of this, not unlike various things that afflict society, such as poor health habits and divisive politics. We seem to know what the problems are and, by and large, we know how to solve them. Still, we keep doing the same old things and, presumably, expecting something different. Ayn Rand nailed it by saying “The hardest thing to explain is the glaringly evident which everybody has decided not to see.”
Kudos to Verizon for presenting this year’s DBIR data in such an easy-to-read and humorous way. The authors even provide solutions for fixing many of these challenges. If they’re giving away this advice for free, and we continue to see the same things moving forward, I shudder to think just how badly information security oversights and gaffes will impact businesses into the future.
Kevin Beaver, CISSP is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia-based Principle Logic, LLC. Kevin has written/co-written 12 books on information security including the best-selling Hacking For Dummies (currently in its 5th edition).