Verizon just published their annual Data Breach Investigations Report (DBIR). Verizon annually collects data from investigations they have performed as part of incident response engagements as well as an increasing number of third party contributors in industry, academia, and government. Although not perfect, it is a fairly comprehensive study and is useful for businesses to help make decisions on where to focus their efforts.
Some interesting facts:
- Financial services companies are, not surprisingly, a focus of attack by adversaries.
- Over 80% of incidents were predominantly external.
- Motives for attack are largely financial (75%) and the remaining espionage (corporate or government).
- Phishing is the main vector of attack that most non-retail companies should be concerned about.
- As server attacks have trended downward from 50% in 2009 to under 40% in 2015, attacks on desktops and laptops have gone up from under 20% to nearly equal of server attacks in the same period.
- The human as a direct victim has increased from under 10% in 2009 to over 20% in 2015 including phishing, malware, and impersonation.
- Adobe products are the quickest to fall victim to exploitation after they are first disclosed, Microsoft a close second.
- The majority of phishing emails lead a victim to download malware so that the attacker has a foothold into the computer system (http://triadanet.com/anatomy-data-breach/).
- An increasing number of attempts are impersonation attacks where the attacker poses as a member of the victim’s organization (CEO requesting that the CFO make a wire transfer to a new account).
- Out of 8 million results of sanctioned phishing tests (i.e. the internal organization testing their own employees or using a third party to do so), 30% were opened by the target and 12% went on to click on the “malicious” attachment or link which enabled the attack to succeed.
- Nearly 90% of all phishing attempts are from organized crime syndicates while less than 10% are State affiliated.
- Ransomware is a growing trend that is lucrative and therefore we will see more of it.
What can we do to protect ourselves?
Although security reports such as these seem bleak, there are ways that financial firms and individuals can protect themselves and and their companies. Here are a few recommendations based on the Verizon findings.
- Filtering email and web traffic is the first line of defense, however it is not fool proof and many get through.
- Provide employees the opportunity to get awareness training and information, so they can tell if there is something that doesn’t seem quite right.
- Protect your network from your own employees in case they do click on something and antivirus doesn’t catch it by segmenting your company’s network either directly or making sure employees don’t have access to things they don’t need.
- Work with your web application vendors to ensure that they are properly validating inputs. Poorly validated data inputs is a quick way to have an application compromised and the underlying data accessed.
- If you use a content management system for your website such as WordPress, Joomla, or Drupal, ensure you have someone keeping an eye on it, up to date, and using only actively maintained plugins and add-ons. If you’re not sure, contact your website developer to give you feedback.
- Review your policies on USB drive use. If an employee has access to information, it could be leaked out on purpose or by accident. Look at USB encryption as a way to protect against data loss and misuse.
- Ensure you have proper backups that are reviewed, kept off site and disconnected from protected machines. This way if your computer or server is infected- especially with Ransomware, it doesn’t spread to your backups rendering them useless.
- Patch, Patch Patch! Keep your systems and applications up to date.
- Consider application white listing (only allow approved applications to be run) or filtering certain attachments at your gateways (email and web).