The Report
Verizon recently released the 11th edition of its Data Breach Investigations Report. The 2018 report reveals interesting trends in hacking, malware and other breach types across multiple industries. Because the report is built on data from real-world data breaches and security incidents, it is more reliable and less subjective than many other breach reports.
At SpyCloud, we look forward to the Verizon report every year. It is sobering, but it also provides data-backed evidence for why companies must do more to protect themselves and their customers. The data doesn’t lie (mostly). Breaches, and account takeover (ATO) in particular, are a massive problem that is growing faster than most companies can implement prevention strategies. The tools many rely on are ineffective, hence the spike in incidents.
We want to highlight a few of the findings and then offer some guidance on how companies can minimize their risk of being another statistic. Download the full Verizon report for additional insights.
The 2018 report analyzed:
Over 53,000 security incidents
2,216 confirmed data breaches as a result of those incidents
Who is involved?
73% of breaches were carried out by outsiders
50% of breaches were conducted by organized criminal groups
Who are the targets?
58% of victims are small businesses
24% of victims are healthcare organizations
Top action varieties in breaches:
#1 Use of stolen credentials (hacking)
#2 RAM scraper (malware)
#3 Phishing (social)
Interesting findings:
76% of breaches were financially motivated
68% of breaches took months or longer to discover
SpyCloud’s Take
As experts in the security industry, we want to offer up our evaluation of Verizon’s findings. First, according to the report, the overwhelming majority of breaches are perpetrated by outsiders. Wait, is that true? There are plenty of studies and articles you can find that claim it’s the insiders (employees) that pose the greatest risk to organizations. Tripwire called insider threats the “main security threat in 2017.” So who is right? Actually, both.
Tripwire provides some context around its statement by saying, “While insider threats in cyber security are often associated with malicious users, in truth, employees are inadvertently causing corporate data breaches and leaks daily.”
At SpyCloud, we find the same thing. Employees make several kinds of mistakes, often undetected until the damage has spread. By choosing weak passwords, reusing passwords across multiple accounts, and/or reusing passwords that have already been compromised, they put their personal information at risk along with sensitive corporate data. A reused password that appears in a breach dump is a ready-made entryway into company servers and databases, and its use often leaves no obvious sign that a compromise has occurred. To make things worse, employees fall victim to phishing and malware attacks by opening attachments or clicking links they believe to be safe, often spreading the attack to co-workers.
Many larger businesses have systems and technologies in place to combat such attacks, or at least believe they do, yet the employee remains a major risk factor. Smaller companies, as the report notes, are the primary targets because criminals know they are less likely to have deployed the more sophisticated prevention strategies of larger companies. No matter the size of the company, however, account takeover (ATO) must be taken seriously. ATO is one of the biggest risks to the enterprise, yet it is grossly underserved. Companies believe they are protected when they are still at risk: their monitoring is incomplete and ineffective, and they lack response tools.
Timing Is Everything
The lack of appropriate technology to stop ATO brings us to the finding perhaps most relevant to every organization: nearly two-thirds of breaches took months or longer to discover. Every day a criminal is given free rein with stolen credentials makes the situation worse. Once credentials are stolen, they are sold to criminal communities in the underground, which in turn use them and resell them to even larger communities. This mushrooming effect means more company, customer and employee data can be stolen, used and/or sold with every passing hour.
According to the report, the time to compromise is rapid, yet discovery and containment can stretch to months or years. “When breaches are successful, the time to compromise continues to be very short…most often measured in seconds or minutes. The discovery timeline is likelier to be weeks or months.” Those are months, and sometimes years, that can end up costing a company dearly. Look at the Yahoo breach for a case study of what not to do.
The processes and tools companies implement to monitor employee and customer accounts must do more. Monitoring is only the first step, yet that is the sole focus of many technologies and most find exposures too late in the ATO lifecycle to do much good. Remember, every hour counts.
Taking action is critical – but not just any action. It must be rapid and it must shut down the account immediately. Verizon says, “The single most important factor which determines the prospects of making a successful recovery…is the speed of response. The quicker the notification, and the quicker that the response team can mobilize and respond, the better chance we have of securing the necessary evidence to identify the wrongdoer, recover assets and otherwise minimize the commercial and reputational impact of a breach.”
We couldn’t agree more. You may not be able to completely prevent a breach, but you can prevent account takeover with early identification of suspicious activity and an immediate, automated response. What does this look like?
What Should Happen When Exposure Is Detected
When an exposure is detected, the affected account should be locked automatically and a password reset forced. This step shouldn’t require an admin to approve or initiate it. That takes time and requires the admin to 1) be available at the time of the alert, and 2) make the activity a priority. Too much is riding on one person’s responsiveness, and with automation the response can run in immediate lock-step with detection. One check belongs in that loop: confirm that the exposed credential still matches the account’s current password before locking, otherwise every stale entry in an old dump becomes a way to lock legitimate users out.
Of course, an ounce of prevention is worth a pound of cure. Educating employees on the importance of choosing strong, unique passwords and never reusing them is a must. Equally important is teaching them to be suspicious of attachments and links. A strong firewall and updated security software can help. Additional preventative measures include following NIST SP 800-63B password guidance (a minimum length rather than composition rules, and screening every new password against lists of known-compromised passwords) and enforcing that screening automatically at registration and reset, so users cannot choose an unhealthy password in the first place.
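The two steps above, the automated lock-and-reset on a detected exposure and the NIST-style screening of the replacement password, fit together in one small flow. The following is an added example written for this page, not SpyCloud’s product code; the user table, the breach-dump lines and the compromised-password blocklist are all constructed for the demo, and the SHA-256 hashing stands in for the slow, salted KDF a real store would use.

```python
"""Added example (not SpyCloud's code): automated response to a detected
credential exposure, plus SP 800-63B style screening for the forced reset.
Every account, dump line and blocklist entry below is constructed."""
import hashlib
import hmac
import unicodedata
from dataclasses import dataclass, field

# Constructed blocklist standing in for a full compromised-credential feed.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "summer2018"}
MIN_LEN, MAX_LEN = 8, 64   # SP 800-63B: at least 8 characters, allow at least 64


def normalize(pw: str) -> str:
    """NFKC-normalize before hashing so the same visual password compares equal."""
    return unicodedata.normalize("NFKC", pw)


def pw_hash(pw: str) -> str:
    # Demo only: a production store uses a slow, salted KDF (bcrypt/scrypt/Argon2).
    return hashlib.sha256(normalize(pw).encode()).hexdigest()


@dataclass
class Account:
    username: str
    pw_hash: str
    locked: bool = False
    must_reset: bool = False
    sessions: set = field(default_factory=set)


def build_store() -> dict:
    """Constructed user table: alice reuses a password that will show up in the dump."""
    return {
        "alice": Account("alice", pw_hash("Summer2018!"), sessions={"s1", "s2"}),
        "bob": Account("bob", pw_hash("correct horse battery"), sessions={"s3"}),
    }


def respond_to_exposure(store: dict, dump: list) -> list:
    """Automated response, no admin in the loop. For each (username, plaintext)
    pair recovered from a breach dump that still matches the account's current
    hash: lock the account, revoke its sessions and force a reset. Entries that
    no longer match are ignored, so stale dumps cannot lock users out.
    Returns the usernames that were locked."""
    locked = []
    for user, leaked_pw in dump:
        acct = store.get(user)
        if acct is None:
            continue
        if hmac.compare_digest(acct.pw_hash, pw_hash(leaked_pw)):
            acct.locked = True
            acct.must_reset = True
            acct.sessions.clear()
            locked.append(user)
    return locked


def _is_sequential(pw: str) -> bool:
    """'aaaaaaaa', '12345678', 'zyxwvuts': every step between code points is the same."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1


def screen_password(candidate: str, username: str, blocklist=COMPROMISED):
    """SP 800-63B style screening: length bounds, no composition rules, and
    rejection of known-breached, context-specific and repetitive/sequential
    strings. Returns (accepted, reason)."""
    pw = normalize(candidate)
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False, "length"
    low = pw.lower()
    if low in blocklist:
        return False, "known-compromised"
    if username.lower() in low:
        return False, "contains username"
    if _is_sequential(pw):
        return False, "repetitive or sequential"
    return True, "ok"


def reset_password(store: dict, username: str, new_pw: str) -> bool:
    """Complete the forced reset; the account unlocks only if the new password
    passes screening and differs from the exposed one."""
    acct = store[username]
    ok, _ = screen_password(new_pw, username)
    if not ok or hmac.compare_digest(acct.pw_hash, pw_hash(new_pw)):
        return False
    acct.pw_hash = pw_hash(new_pw)
    acct.locked = False
    acct.must_reset = False
    return True


if __name__ == "__main__":
    store = build_store()
    # Constructed combolist lines as they might be recovered from an underground dump.
    dump = [("alice", "Summer2018!"), ("bob", "wrongguess"), ("carol", "hunter2")]
    print("locked:", respond_to_exposure(store, dump))
    print(screen_password("summer2018", "alice"))
    print(reset_password(store, "alice", "Summer2018!"))
    print(reset_password(store, "alice", "teal-lantern-33 moss"))
```

Only alice is locked: bob’s dump entry does not match his current password and carol has no account, so neither produces a lockout. The reset then refuses both a blocklisted password and the exposed one itself before accepting a long, unique passphrase.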
These preventative measures, early detection and swift response are the three required elements of any ATO prevention strategy. Implemented correctly, they let organizations stay ahead of the criminals and make them less likely to be a statistic in future Verizon reports.