When it comes to data breaches, what big, bad cyber-boogeyman method should you fear and point the finger of blame at this year? The biggest security concern is not IoT, not mobile, not even ransomware; it’s you, us, mere humans, which are the weak link being exploited and the number one problem leading to breaches. It’s not some new attack attributed as the cause of most security incidents; oh no, it’s falling for phishing, which has been around since about the dawn of email.
Last year’s DBIR report indicated that 90% of security incidents trace back to PEBKAC and ID10T errors, and that hasn’t really changed according to Verizon's new 2016 Data Breach Investigations Report. Phishing still works, people still click. In fact, phishing works so well that it has “picked up dramatically over the prior year.” Before it was the leading cyber-espionage attack pattern, but now phishing can be blamed for seven of nine security incident patterns. Verizon reported that phishing has continued to trend upward and is found in the most opportunistic attacks as well as “sophisticated nation-state tomfoolery.”
Open. Click. Pwned.
Users, I get it; you’re choking on email, often because CYOA governs the corporate world and a single email might include CCing five or more people. Maybe each responds by tossing in their own two cents? Multiple that by a modest 10 and maybe you are drowning in email? Multiply that by 25 and it’s a wonder you can get any work done. Maybe that is why some users seemed to be camped inside their email and are quick to click, like Johnny-on-the-spot quick, explaining how “the median time for the first user of a phishing campaign to open the malicious email is one minute, 40 seconds.” Verizon also found that “the median time to the first click on the attachment was three minutes, 45 seconds.”
“Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff,” the report stated. “We combined over eight million results of sanctioned phishing tests in 2015 from multiple security awareness vendors aiming to fix just that.”
30% of phishing emails are opened by the intended target – that’s up from 23% cited in Verizon’s 2015 report – and 12% of end users go the additional ID10T mile by clicking the link or opening the attachment; click the attachment and get owned as the malware drops “within seconds” and the cyber thugs, mostly organized crime syndicates (89%) and state-affiliated actors (9%), have their foothold. Most phishing attacks are “a means to install persistent malware.”
Since phishing still works, people still click, cyber crooks don’t have to get slicker, but they sure have gotten quicker. “The time to compromise is almost always days or less, if not minutes or less.” In 93% of the cases which involved stolen data, the “systems were compromised in minutes or less.” Exfiltration occurred within minutes in 28% of cases. It doesn’t matter if it took days for crooks to finish up, since in 83% of cases, victims didn’t realize they had been breached for weeks or more.
Verizon noted there was a rise of a “new three-pronged attack” which involves opening a phishing email that contains a link pointing to a malicious site or a malicious attachment; malware is downloaded, cyber thugs have a foothold and then use additional malware “to look for secrets and internal information to steal (cyberespionage) or encrypt files for ransom. Many times the malware steals credentials to multiple applications through key logging.” In fact, “63% of confirmed data breaches involve using weak, default or stolen passwords.” Those stolen credentials are used “for further attacks, for example, to log into third-party websites like banking or retail sites.”
But, my dear admins, you can’t blame it all on your users as the DBIR explained, “Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85% of successful exploits.”
You may patch, patch, patch until you are blue in the face as new vulnerabilities are discovered, yet overall we are still “treading water.” Verizon advises to “tread wisely. Fixing mega-vulns is a solid first step, but don’t forget that the other 15% consists of over 900 CVEs, which are also being actively exploited in the wild.”
Fail to patch and more often than not, Johnny Law comes knocking to notify a company of a breach; Third Parties, such as security researchers, rank as second when it comes to external breach discovery.
Phishing isn’t the only area where humans fail. Human error includes “miscellaneous errors” which “take the No. 1 spot for security incidents in this year's report. These can include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones. In fact, 26% of these errors involve people mistakenly sending sensitive information to the wrong person.”
“You might say our findings boil down to one common theme – the human element,” said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we've known about for more than a decade now. How do you reconcile that?”