Cybercriminals continue to rely on tried and true methods of attacks that exploit human nature, including phishing and ransomware, according to the Verizon 2016 Data Breach Investigations Report (DBIR).
Now in its ninth year of publication, the 2016 DBIR examined more than 2,260 confirmed data breaches and more than 100,000 reported security incidents to gain a better understanding of the current state of the cybersecurity threat environment.
“The DBIR’s increasing importance to businesses, law enforcement and governmental agencies demonstrates a strong desire to stay ahead of cybercrime,” said Chris Formant, president of Verizon Enterprise Solutions. “Now more than ever, the collaboration and contributions evidenced in the DBIR from organizations across the globe are required to fully understand the threat landscape. And understanding is the first step toward addressing that threat.”
The current report piggybacked on themes introduced in the previous year. The key findings of the 2016 report include:
- 89 percent of all attacks involve financial or espionage motivations.
- Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits.
- 63 percent of confirmed data breaches involve using weak, default or stolen passwords.
- 95 percent of breaches and 86 percent of security incidents fall into nine patterns.
- Ransomware attacks increased by 16 percent over 2015 findings.
- Basic defenses continue to be sorely lacking in many organizations.
Despite the emergence of new, more sophisticated attack methods, cybercriminals continue to turn to phishing attacks—when someone receives an email from a fraudulent source—and end users are falling for it. 30 percent of these messages were opened, which is up from 25 percent last year. Additionally, 13 percent of those who opened the emails actually proceeded to open the corresponding harmful attachment or link.
The upward trend in phishing attacks can be attributed to the fact that these attacks are not only effective, they also enable attackers to quickly and efficiently pinpoint the organization or individual they want to target.
The report further detailed that “miscellaneous errors” hold the number one position for security-related incidents. These include everything from improper disposal of company information and misconfigured IT systems to devices such as laptops going missing.
More than a quarter of these human errors are caused by people within an organization accidentally sending sensitive information to the wrong recipients.
“You might say our findings boil down to one common theme — the human element,” said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”
Another major concern is how quickly attacks are now carried out. In an overwhelming 93 percent of cases, attackers needed only minutes, or even less, to compromise a system. Data exfiltration occurred within minutes in 28 percent of the cases.
This year’s report also called attention to the rise of a new three-pronged attack used repeatedly by cybercriminals. Many organizations are falling prey to this type of attack.
The first prong of the attack involves sending a phishing email with a link to a malicious website or a malicious attachment. In the second prong, malware is downloaded onto the individual’s personal computer, and additional malware is used to steal internal information or encrypt files for ransom. Finally, the attackers then use the stolen credentials for further attacks, such as logging into a third-party website.
“The goal is to understand how the cybercriminals operate,” said Sartin. “By knowing their patterns, we can best prevent, detect and respond to attacks.”
To better protect individuals and organizations from attack, security experts recommend following these core security principles:
- Know what attack patterns are most common for your industry.
- Utilize two-factor authentication for systems and other applications, such as popular social networking sites.
- Patch promptly.
- Monitor all inputs: Review all logs to help identify malicious activity.
- Encrypt data: If stolen devices are encrypted, it’s much harder for attackers to access the data.
- Train staff: Developing security awareness within your organization is critical, especially with the rise in phishing attacks.
- Know data and protect it accordingly. Also limit who has access to it.
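Two of the principles above, reviewing logs for malicious activity and guarding against weak, default or stolen passwords, can be turned into a concrete log review. The following is an added example and is not code from the DBIR, from Verizon or from this article: it parses a constructed sshd-style sample log (every timestamp, host, IP address and account name is made up) and flags two things the report's findings point at, a burst of failed logins from one source that ends in a successful login, and successful password logins to shared or default accounts. The time window, the attempt threshold and the default-account list are assumptions chosen for illustration.

```python
"""Review authentication logs for signs of credential abuse.

Added example, not from the Verizon DBIR or the article summarising it.
The log format is a constructed, sshd-style sample; thresholds and the
default-account list are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); syslog-style timestamp + sshd message.
SAMPLE_LOG = """\
2016-04-26T10:00:01 host1 sshd[1201]: Failed password for admin from 203.0.113.9 port 51000 ssh2
2016-04-26T10:00:03 host1 sshd[1202]: Failed password for admin from 203.0.113.9 port 51001 ssh2
2016-04-26T10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 51002 ssh2
2016-04-26T10:00:07 host1 sshd[1204]: Failed password for alice from 203.0.113.9 port 51003 ssh2
2016-04-26T10:00:09 host1 sshd[1205]: Failed password for bob from 203.0.113.9 port 51004 ssh2
2016-04-26T10:00:12 host1 sshd[1206]: Accepted password for bob from 203.0.113.9 port 51005 ssh2
2016-04-26T10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2016-04-26T10:05:30 host1 sshd[1301]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
2016-04-26T11:00:00 host1 sshd[1400]: Accepted publickey for carol from 192.0.2.44 port 33000 ssh2
2016-04-26T12:00:00 host1 sshd[1500]: Accepted password for root from 192.0.2.44 port 33100 ssh2
"""

# One regex for both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Assumed list of shared/default accounts that should not see password logins.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest"}


def parse_auth_log(text):
    """Turn raw log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_password_guessing(events, window=timedelta(minutes=5), threshold=4):
    """Flag source IPs with at least `threshold` failed logins inside `window`.

    For each flagged IP, record how many attempts were seen, which accounts
    were tried, and whether a successful login followed the burst (the case
    that most needs follow-up: a likely compromised account).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        # Slide a time window over the failures, earliest first.
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j]["ts"]
                later_success = [e for e in evs if e["result"] == "Accepted" and e["ts"] > last_fail]
                findings[ip] = {
                    "failed_attempts": j - i + 1,
                    "users_tried": sorted({e["user"] for e in fails[i:j + 1]}),
                    "success_user": later_success[0]["user"] if later_success else None,
                }
                break  # one finding per source is enough for triage
    return findings


def find_default_account_logins(events, accounts=DEFAULT_ACCOUNTS):
    """Successful *password* logins to shared or default accounts, as (user, ip) pairs.

    Where key-based or two-factor login is enforced, this list should be empty.
    """
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "Accepted" and e["method"] == "password" and e["user"] in accounts]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for ip, info in find_password_guessing(evs).items():
        print(f"password guessing from {ip}: {info}")
    for user, ip in find_default_account_logins(evs):
        print(f"password login to default account '{user}' from {ip}")
```

Run against the sample, the first check reports 203.0.113.9 with five failed attempts across four accounts followed by a successful login as bob, while 198.51.100.7 (one failure, then success) stays below the threshold; the second check reports the password login as root from 192.0.2.44. In practice the two lists feed two different responses: the first is an incident to contain, the second is a configuration gap (enable key-based or two-factor login, disable password logins for shared accounts) to close before it becomes one.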
“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but oftentimes even a basic defense will deter cybercriminals who will move on to look for an easier target,” Sartin said.