Each year Verizon, in conjunction with the VERIS Community Database initiative, releases the annual Data Breach Investigations Report (DBIR). This year’s report is based on analysis of 42,068 security incidents, including 1,935 confirmed data breaches. Within this free report, readers get incident analysis both overall and by industry, detailed insights, and tips to mitigate cyber security threats. For data professionals, the data breach report is one of those “must at least skim” resources for understanding the changing nature of the threats you are most likely to face, so that you can prepare for and prevent them.
Understanding Most Common Threats
There are a wide variety of data related threats being used by criminals to compromise your data. Some are much more popular than others. The real value of reviewing incident patterns is to improve your organization’s awareness of the tactics used by the enemy. You can also use these findings as a tool to educate and garner support for improving your data governance and information security initiatives.
The 10th annual Data Breach Investigations Report reveals:
- The biggest cyber security threats and what you can do to mitigate them.
- Who’s behind the attacks and how they’re getting in.
- What motivates the cybercriminals.
- How nine incident patterns can help you predict what the cybercriminals will do next.
- That no system is 100% secure.
Being aware of the threats you face will help you improve data security. Cybercriminals are using all the information they can get hold of — you should too. Here are a few facts extracted from this year’s report.
I highly encourage you to download this report and skim through all of the findings.
Here is the updated summary of all incidents. For data management professionals and analytics leaders leading self-service BI governance programs, the privilege misuse and errors sections are important for you to comprehend and mitigate. Last winter I shared a white paper on that topic and tips you can revisit.
The summary of incidents by type shown below, and detailed further within the full report, is also interesting for analytics leaders. The data export, privilege misuse and data mishandling sections are specifically relevant for us.
Another finding that I thought was a bit shocking was the breakdown of malware sources. Apparently you absolutely need to be updating your Office installs and investing in extra email scanning of attachments. Take a look at the treemap of malware sources below. If you don’t have a malware scanner app like Malwarebytes, I do recommend investing in one and keeping it updated.
Earlier this year, I reformatted two of my Windows laptops to prevent issues since I kept seeing Remote Desktop Service being re-enabled after I had manually disabled it numerous times. It was scary. Apparently the cause of that issue was my Norton Anti-Virus service – Norton Anti-Virus needs control of remote desktop services. Yikes!
A bit about botnets
Botnets continue to be a powerful tool built and utilized (either by renting out or direct use) by organized criminal groups for financial gain. One type of zombie herd that is leveraged in attacks against banking institutions is DoS botnets, which use strength in numbers to spew unwanted traffic at their victims’ infrastructure. These gained national attention in 2012 with ideology-driven attacks against US banks. Another threat worthy of note is consumer devices infected with banking Trojans. Banking Trojans are not new on the cybercrime scene, but are still omnipresent and ever evolving. The difficulty for banking institutions is that many of the nefarious acts or, in VERIS lingo, “Threat Actions” are against their customers, not internally managed devices.
A common event chain is:
1. Send malicious attachment to consumer.
2. Malware installs on device and identifies when user accesses banking sites.
3. Keyloggers capture user credentials to be reused fraudulently, OR the user’s web request is redirected to a fake site where credentials are entered and captured.
4. Threat actor issues the legitimate credentials to the application, acting as the customer, potentially triggering an SMS second factor authorization code.
5. The second factor is presented to the fake website and step 4 is repeated.
6. Account balances get smaller.
Bottom Line = Be super careful with email!
I have noticed more fake newsletters that I did not sign up for coming my way. My first instinct is to click “Unsubscribe” – BUT – before you do that double-check that the unsubscribe link looks legit.
Don’t click links in email without hovering over them to see if they look legit.
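The “hover over the link” habit can be automated for the mail you receive in bulk. The script below is an added example written for this post, not something from the Verizon report: it parses an HTML message body, pairs every link’s visible text with its real `href`, and flags the classic tells of a disguised link. The sender domain, the message body and the `.test`/`.example` host names are all constructed for the demonstration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (hypothetical "bank.example" sender): one
# legitimate link, one unsubscribe link that leaves the sender's domain, and
# one link whose visible text disagrees with where the href really points.
SENDER_DOMAIN = "bank.example"
SAMPLE_EMAIL = """
<p>Your statement is ready at <a href="https://www.bank.example/statements">www.bank.example</a>.</p>
<p>To stop these messages, <a href="http://bank-example-login.test/unsub?u=42">Unsubscribe</a>.</p>
<p>Verify now: <a href="http://www.bank.example@203.0.113.5/login">https://www.bank.example/login</a></p>
"""

# Visible anchor text that itself looks like a URL or a bare host name.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html, sender_domain):
    """Return one record per link with the list of reasons it looks suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.username is not None:
            reasons.append("userinfo before host (look-alike trick)")
        if _is_ip_literal(host):
            reasons.append("raw IP address as host")
        if url.scheme == "http":
            reasons.append("plain http")
        if host and registrable_domain(host) != registrable_domain(sender_domain):
            reasons.append("link domain differs from sender domain")
        if _LOOKS_LIKE_URL.match(text):
            shown = text if text.lower().startswith("http") else "http://" + text
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != host.lower():
                reasons.append("visible text names a different host than href")
        results.append({"href": href, "text": text, "reasons": reasons})
    return results


if __name__ == "__main__":
    for rec in audit_links(SAMPLE_EMAIL, SENDER_DOMAIN):
        status = "OK" if not rec["reasons"] else "SUSPICIOUS"
        print(status, rec["text"], "->", rec["href"])
        for why in rec["reasons"]:
            print("      -", why)
```

The domain comparison uses the last two labels only, which is fine for `.com`-style names but wrong for `co.uk`-style suffixes; a production version would use a public suffix list. The point is the checks themselves: a link is worth a second look when the visible text and the real host disagree, when the host is an IP address, or when the “unsubscribe” link leads somewhere other than the sender’s domain.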
Top 5 Tips to Prevent Incidents
Knowing what you have—whether it’s data, hardware, virtualized systems or software—and where it’s kept is becoming crucial.
- Know where all your assets and information reside
Information Technology (IT)/Operational Technology (OT)/Internet of Things (IoT) asset inventories should be kept up to date. Discovery scans must be conducted regularly to identify and classify unknown assets. All known assets must be scanned regularly to identify, report and flag unknown software installed. E-discovery exercises must be conducted regularly to scan for sensitive information—protected healthcare information (PHI), personally identifiable information (PII), cardholder data (CHD) or other sensitive information—lying unprotected on systems. Proper access/authorization control, encryption, truncation and tokenization procedures can all be used to protect such information.
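The e-discovery scan described above is easy to prototype. The script below is an added example for this post, not part of the report or of any product: it walks a set of text “files” (constructed in memory here; a real run would walk a share or a filesystem) looking for SSN-shaped values, email addresses and card-number candidates, and only reports a card number when it passes the Luhn check so that ticket numbers and phone numbers do not flood the report. Findings are masked to the last four characters so the report itself does not become another copy of the data.

```python
import re

# Constructed in-memory "files" standing in for a share or wiki export; a real
# run would walk a filesystem. The card numbers are the public test numbers.
SAMPLE_FILES = {
    "hr/onboarding.csv": "name,ssn,email\nAda Example,123-45-6789,ada@example.com\n",
    "sales/refund.txt": "Card on file: 4111 1111 1111 1111, call 555-0100 with questions\n",
    "dev/notes.md": "Ticket 4111-1111-1111-1112 is a tracking id, not a card number\n",
    "ops/readme.txt": "Nothing sensitive here.\n",
}

# US SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 19 digits, optionally separated by spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit test; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the report does not re-expose the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text):
    """Yield (kind, masked_value) for each sensitive item found in a text blob."""
    for m in SSN_RE.finditer(text):
        yield "SSN", mask(m.group())
    for m in EMAIL_RE.finditer(text):
        yield "PII-email", mask(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield "CHD", mask(digits)


def scan_files(files):
    """Return [(path, kind, masked_value)] across a {path: text} mapping."""
    findings = []
    for path in sorted(files):
        for kind, shown in scan_text(files[path]):
            findings.append((path, kind, shown))
    return findings


if __name__ == "__main__":
    for path, kind, shown in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind} {shown}")
```

Pattern matching like this is a first pass, not a classifier: it will miss PHI that has no fixed shape and will still produce some false positives. Its value is in turning “we think nothing sensitive is lying around” into a list of specific files that someone has to go and look at.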
- Restrict direct ingress and egress traffic
Organizations must implement effective and seamless controls to restrict direct egress from, and ingress traffic to, their critical infrastructure. It is often seen that organizations focus only on enforcing ingress filtering controls; egress filtering controls are of equal importance. Most command and control connections, tunneling, and reverse shell activities leverage egress access from the compromised systems to exfiltrate data or establish remote control access.
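Egress filtering only helps if someone notices when a server talks to something it should not. The script below is an added example for this post (not from the report, and the log format is a generic key=value style rather than any vendor’s): it reads constructed firewall log lines, checks permitted outbound connections from a hypothetical server segment against an explicit egress allowlist, and separately looks for flows that repeat on a near-fixed interval, which is how command and control beacons tend to look in a connection log.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log in a generic key=value style (not any vendor's real format).
SAMPLE_LOG = """\
2017-05-01T10:00:00Z src=10.0.5.12 dst=10.0.9.4 dport=443 action=allow
2017-05-01T10:00:05Z src=10.0.5.12 dst=10.0.1.10 dport=3128 action=allow
2017-05-01T10:01:00Z src=10.0.5.31 dst=203.0.113.9 dport=4444 action=allow
2017-05-01T10:02:00Z src=10.0.5.31 dst=203.0.113.9 dport=4444 action=allow
2017-05-01T10:03:00Z src=10.0.5.31 dst=203.0.113.9 dport=4444 action=allow
2017-05-01T10:04:00Z src=10.0.5.31 dst=203.0.113.9 dport=4444 action=allow
2017-05-01T10:05:00Z src=10.0.5.31 dst=203.0.113.9 dport=4444 action=allow
2017-05-01T10:07:13Z src=10.0.7.5 dst=198.51.100.20 dport=443 action=allow
2017-05-01T10:08:00Z src=10.0.5.12 dst=198.51.100.77 dport=443 action=deny
"""

# Hypothetical policy: servers in 10.0.5.0/24 may only reach the internal
# package mirror and the outbound web proxy; any other permitted egress is a violation.
SERVER_SEGMENT = ipaddress.ip_network("10.0.5.0/24")
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("10.0.9.0/24"), 443),    # package mirror
    (ipaddress.ip_network("10.0.1.10/32"), 3128),  # web proxy
]

_LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, action = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "action": action,
        })
    return events


def is_allowlisted(dst, dport):
    return any(dst in net and dport == port for net, port in EGRESS_ALLOWLIST)


def policy_violations(events):
    """Permitted egress from the server segment that the allowlist does not cover."""
    return [e for e in events
            if e["action"] == "allow" and e["src"] in SERVER_SEGMENT
            and not is_allowlisted(e["dst"], e["dport"])]


def beacon_candidates(events, min_hits=4, max_jitter=0.2):
    """Flows that repeat on a near-fixed interval (low jitter), a common C2 tell."""
    flows = defaultdict(list)
    for e in events:
        if e["action"] == "allow":
            flows[(str(e["src"]), str(e["dst"]), e["dport"])].append(e["time"])
    found = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append(key)
    return found


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in policy_violations(events):
        print("egress policy violation:", e["src"], "->", e["dst"], e["dport"])
    for src, dst, port in beacon_candidates(events):
        print("beacon-like flow:", src, "->", dst, port)
```

Note what the allowlist does and does not catch: the denied connection at the end of the log is the filter doing its job and is not reported as a violation, while the five permitted connections to port 4444 are reported twice over, once because no policy entry covers them and once because they arrive exactly one minute apart. Either signal alone is worth a ticket; both together should be treated as an incident.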
- Implement multi-factor authentication
No matter how strong your password is, it’s of no use if it’s stolen, cracked, or password-dumped. In a world of zero-day vulnerabilities and increasing use of keylogging software/mobile apps, it’s paramount that critical applications/information always require at least two-factor authentication. For starters, there are mainly three types of authentication factors: something you know (password, passphrase), something you have (such as an access card, token, private key) and something you are (biometrics such as fingerprint, retina scan).
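The “something you have” factor most people meet is the six-digit code from an authenticator app, which is standard TOTP (RFC 6238) built on HOTP (RFC 4226). The implementation below is an added example written for this post, not code from the report or from any vendor: it generates the codes, and, more usefully for anyone building the server side, verifies them with a small clock-drift window while refusing a code that has already been accepted once. The shared secret is the reference secret from RFC 6238 so the values can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check that tolerates one step of clock drift and refuses replayed codes."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time-step counter already accepted

    def verify(self, submitted, at_time=None):
        now = time.time() if at_time is None else at_time
        base = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so a wrong code takes as long as a right one.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                if counter <= self.last_counter:
                    return False  # same code presented twice: treat as replay
                self.last_counter = counter
                return True
        return False


def secret_from_base32(b32):
    """Decode the base32 shared secret that authenticator apps are provisioned with."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only for the demo.
DEMO_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("code right now:", totp(DEMO_SECRET, time.time()))
    v = TotpVerifier(DEMO_SECRET)
    print("RFC vector T=59 accepted:", v.verify("287082", at_time=59))
    print("same code again accepted:", v.verify("287082", at_time=59))
```

Two details matter more than the arithmetic. The replay check is what stops a phished code from being reused after the victim has already typed it into the real site, and the constant-time compare avoids leaking how many digits matched. Neither helps against the real-time relay described in the botnet section above, where the victim hands the code to the fake site and the attacker submits it immediately; that attack needs a phishing-resistant factor (a hardware key bound to the site origin) rather than a better one-time code.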
- Limit direct administrative access to critical systems
Disallow direct network-based administrative access to critical systems. Implement a securely hardened jump host system that acts as a gateway for any administrative access (SSH, RDP, HTTPS, etc.) to the critical system. Implement a Privileged Identity Management (PIM) system to provide stricter control on any high-privilege access to sensitive systems.
- Implement centralized logging and event monitoring
Send system logs to a centralized location. Set up relevant processes and technology components to monitor and correlate all events/logs to identify a security incident and provide a timely and effective response. Define what is anomalous, then look for it. Set up procedures to periodically check that all systems are properly sending logs.
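That last sentence is the one most often skipped, and a silent log source looks exactly like a quiet system until you need the evidence. The script below is an added example for this post, not part of the report: it compares the hosts seen in a constructed syslog-style stream against a hypothetical asset inventory and reports inventoried hosts that have gone quiet (or never reported at all) alongside hosts that are sending logs but are not in the inventory, which ties straight back to the asset discovery tip above.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog-style lines and a hypothetical asset inventory.
INVENTORY = {"web-01", "web-02", "db-01", "db-02", "jump-01"}
SAMPLE_LOG = """\
2017-05-01T08:10:00Z db-01 postgres[88]: checkpoint complete
2017-05-01T09:58:10Z web-01 sshd[1203]: Accepted publickey for deploy from 10.0.1.10
2017-05-01T10:01:42Z web-02 nginx: 10.0.7.5 "GET / HTTP/1.1" 200
2017-05-01T10:03:05Z web-01 nginx: 10.0.7.9 "GET /login HTTP/1.1" 200
2017-05-01T10:04:30Z jump-01 sshd[771]: Accepted publickey for alice from 10.0.7.21
2017-05-01T10:05:12Z lab-07 sudo: bob : TTY=pts/0 ; COMMAND=/bin/bash
"""
NOW = datetime(2017, 5, 1, 10, 6, 0)          # "current time" for the demo
MAX_SILENCE = timedelta(minutes=30)           # how long a source may go quiet

_LINE = re.compile(r"^(\S+) (\S+) (.*)$")     # timestamp, host, message


def last_seen_by_host(text):
    """Map each host that appears in the stream to its most recent timestamp."""
    seen = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def check_log_sources(text, inventory, now, max_silence):
    """Classify every host as healthy, silent (minutes quiet, or None if never seen) or unknown."""
    seen = last_seen_by_host(text)
    healthy, silent, unknown = [], [], []
    for host in sorted(inventory):
        if host not in seen:
            silent.append((host, None))
        elif now - seen[host] > max_silence:
            silent.append((host, int((now - seen[host]).total_seconds() // 60)))
        else:
            healthy.append(host)
    for host in sorted(seen):
        if host not in inventory:
            unknown.append(host)
    return {"healthy": healthy, "silent": silent, "unknown": unknown}


if __name__ == "__main__":
    report = check_log_sources(SAMPLE_LOG, INVENTORY, NOW, MAX_SILENCE)
    for host, minutes in report["silent"]:
        print("SILENT ", host, "never reported" if minutes is None else f"quiet for {minutes} min")
    for host in report["unknown"]:
        print("UNKNOWN", host, "is logging but is not in the inventory")
    print("healthy:", ", ".join(report["healthy"]))
```

Run this on a schedule against the central log store and both halves of the result are actionable: a silent database server is either down or has had its logging agent stopped, and an unknown host sending `sudo` records is an asset that nobody inventoried. The silence threshold should be set per system class; a busy web tier can be held to minutes, while a batch host may legitimately be quiet for hours.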