Highlights From The 2017 Data Breach Investigations Report (DBIR)

Verizon has released the tenth edition of its Data Breach Investigations Report (DBIR) for 2017. The 2017 DBIR includes the latest data on real-world data breaches and security incidents investigated by Verizon or by one of its data contributors (such as security vendors and law enforcement agencies). This year's report also includes data specific to key industries, covering who targets those verticals and why.

If you're a first-time reader: in recent years the DBIR has broken its data down into both breaches and incidents, filtered by motive or sector so the findings are more relevant to you. Not every incident turns into data disclosure (a breach), but it is important to recognize the trends in external and internal actors and motives, and the best practices that defend against them, so that incidents don't turn into breaches in the future.

I've described some of the key highlights and takeaways from the report below.

Who is behind the breaches?

According to the Verizon report, 75% of breaches were perpetrated by outsiders and 25% involved internal actors. Further, 18% were carried out by state-affiliated actors and 51% by organized criminal groups.

What were the most common tactics?

The DBIR states that 62% of breaches were the result of hacking and 51% involved malware. A large majority (81%) of the hacking-related breaches involved stolen and/or weak passwords. 43% were attributed to social attacks and 14% to miscellaneous errors (such as publishing errors and misconfigurations).

Which industries made up the majority of the breaches?

The Financial industry made up the largest percentage (24%), followed by Healthcare (15%), Retail and Accommodation (15%) and the Public sector (12%).

What were some of the most common themes?

66% of malware was installed via malicious email attachments. 73% of breaches were financially motivated, and 27% were discovered by third parties.

One interesting theme highlighted in the DBIR is the record loss of data, with millions of members of websites suffering breaches of personal information (such as logins, passwords and email addresses). Organizations need to understand the secondary motive behind stealing personal data: attackers reuse those credentials in later hacking campaigns, including against your websites, even if you were not involved in the original breach.

This emphasizes the need for organizations to implement two-factor authentication (2FA). Although consumers need to understand that they should not use the same password across multiple websites and should use strong passwords, it is inevitable that folks will still do stupid things. Thus organizations should set up 2FA protections, which help mitigate the risk of bad password practices such as password reuse.
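Reused credentials from someone else's breach usually show up in your own login logs as credential stuffing: one source trying many different usernames, mostly failing, with the occasional success being an account whose password was reused. The following detector is an added example, not code from the DBIR or from Verizon; the log format (`timestamp ip=… user=… result=…`) and the sample lines are constructed for the illustration, and the thresholds are assumptions to tune for your own traffic.

```python
"""Flag credential-stuffing sources in web login logs (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, assumed to be sorted by time. 203.0.113.5 walks
# through many usernames (stuffing); 198.51.100.7 hammers one account
# (ordinary brute force, handled by lockout, not by this detector).
SAMPLE_LOG = """\
2017-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2017-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2017-05-01T10:00:02Z ip=198.51.100.7 user=carol result=OK
2017-05-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2017-05-01T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2017-05-01T10:00:05Z ip=203.0.113.5 user=erin result=OK
2017-05-01T10:00:09Z ip=198.51.100.7 user=carol result=FAIL
2017-05-01T10:00:15Z ip=198.51.100.7 user=carol result=FAIL
2017-05-01T10:00:20Z ip=198.51.100.7 user=carol result=FAIL
2017-05-01T10:00:25Z ip=198.51.100.7 user=carol result=FAIL
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (ts, ip, user, result)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_distinct_users=4):
    """Return {source_ip: alert} for sources that fail logins against
    at least `min_distinct_users` different usernames inside `window`.

    Each alert records the usernames that failed and, more importantly,
    the usernames that succeeded from the same source in the window:
    those are the reused credentials that actually worked.
    """
    recent = defaultdict(deque)   # ip -> (ts, user, result) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        q = recent[ip]
        q.append((ts, user, result))
        while q and ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        failed_users = {u for _, u, r in q if r == "FAIL"}
        if len(failed_users) < min_distinct_users:
            continue
        alert = alerts.setdefault(ip, {"first_seen": ts,
                                       "failed_users": set(),
                                       "compromised": set()})
        alert["failed_users"] |= failed_users
        alert["compromised"] |= {u for _, u, r in q if r == "OK"}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(alert['failed_users'])} distinct users failed since "
              f"{alert['first_seen']:%H:%M:%S}; succeeded: "
              f"{sorted(alert['compromised']) or 'none'}")
```

On the sample input the detector flags only 203.0.113.5 and names `erin` as the account whose reused password worked; that is the account to force a password reset on and, per the point above, the kind of login that 2FA would have stopped. Real deployments should also correlate across sources, since stuffing tools spread attempts over many IPs to stay under per-source thresholds.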

What were some of the overall trends?

Last year showed a downtick in the percentage of breaches attributed to external actors and a corresponding uptick in the percentage caused by internal actors, although the relative numbers remained constant.

Some of the causes of the downward trend were most likely the decline in password-stealing botnets in 2016 compared to 2015 (such as the Dridex botnet takedown in late 2015) and the drop in the big POS intrusions that skewed the previous year's results.

The "triple threat" of hacking, malware and social attacks has stayed on top, is trending upwards and shows no sign of changing soon.

Ransomware moved from the 22nd most common form of malware in 2014 to the fifth most common malware in this year’s report. The threat has also shifted from consumers to vulnerable organizations. The impressive innovation of ransomware technology (e.g., exploit kits, master boot record locking, etc.) has helped ransomware continue to evolve as a formidable threat.

Introduction to Industries

In this year's 2017 report, Verizon introduces a section covering industry-specific findings on incidents and breaches in industries such as Food Services, Financial Services, Healthcare, Education and the Public Sector.

For example, in the Financial Services industry there were 998 incidents, 471 with confirmed data disclosure. Denial of Service (DoS), web application attacks and payment card skimming combined made up 88% of the security incidents. The large majority (94%) were attributed to external actors and 6% to internal actors. The types of data compromised were 71% credentials, 12% payment data and 9% personal data.

It is worth quoting the "common event chain" so prevalent in one of the most common banking Trojan threats, which has also been highlighted by the National Institute of Standards and Technology (NIST):

  1. Send malicious attachment to consumer.
  2. Malware installs on consumer device and identifies when they are accessing a banking site.
  3. Key loggers capture user credentials to be reused fraudulently (OR User web request is redirected to a fake site where credentials are entered and captured).
  4. Threat actor uses the legitimate credentials against the application, acting as the customer, potentially triggering an SMS second-factor authorization code.
  5. The second factor is presented to the fake website and step 4 is repeated.
  6. Account balances get smaller.

Looking deeper into the Healthcare industry, 32% of incidents were attributed to external actors, whereas a whopping 68% were internal and 6% involved partners. Insider misuse was the leading issue, given that large amounts of medical and patient data are available to wide swaths of medical practitioners.

The availability of so much data combined with poor security practices has led to incidents that could surely have been prevented. Examples included dumping x-ray results in a landfill, lost laptops (without whole-disk encryption), and "snooping eyes", where healthcare workers review medical data "for fun".

It is also interesting to note that the Department of Health and Human Services (HHS) now says that ransomware incidents must be reported as breaches, and it has issued guidance on how organizations can protect themselves against the threat.

The Information Industry (NAICS 51) probably grabbed some of the biggest headlines for data breaches given the millions of affected members of websites related to software publishers, telecom carriers, cloud providers, social media sites and even gambling.

Almost 60% of the breaches in this industry were caused by web app attacks. Three-quarters of the victims were small businesses, who may not have dedicated security staff or expertise.

The breaches grouped strongly around a chain of six threat actions: phishing users, installing C2 and keylogging software to capture credentials, and ultimately exfiltrating data out of the organization. SQL injection was also used against poorly written web application code.

The Manufacturing and Public sectors were the top sectors targeted for cyber-espionage motives, which accounted for 94% and 64% of their total breaches respectively. It is important to know where your most valuable data is (such as trade secrets and proprietary product designs and data), who has access to it, and how to protect it from loss.

In almost 60% of the cases involving the public sector, it took organizations years to detect the breach. This could be caused by a combination of stealthy nation-state actors who stay hidden for long periods of time and smaller government agencies that don't have the appropriate resources to spot issues sooner.

“Things to Consider” (best practices)

For each of the industries, the DBIR includes some good best practices, or "things to consider", that could help reduce the risk of future incidents or could have prevented previous breaches.

Some of the most common practices from the DBIR, which I have summarized across many of the different industries:

  • Use two-factor authentication across all websites and privileged access to sensitive internal systems
  • Change default passwords and use strong passwords
  • Ensure DoS protection of external websites
  • Insider Threats:
    • Periodically monitor employee activities
    • Don't give employees more permissions than they need
    • Disable accounts upon employee departure
    • Use “warning banners” on systems so employees are aware of policies and ensure employees are aware that their activities are being monitored
  • Miscellaneous errors:
    • Have second person sign off on publishing content to websites or changes
    • Have a good policy for data handling and disposal of sensitive data (such as data stored on hard drives or printed on paper).
    • Encrypt laptops (use whole disk encryption) and mobile devices
    • Backup systems routinely
  • Have good business continuity and disaster recovery plans for your critical systems and applications.
  • Keep software up to date (OS, web apps, plug-ins).
  • Segregate networks based on data sensitivity (such as retail POS or customer database systems from rest of internal network).
  • Monitor egress points to prevent data loss.
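The first item on that list, 2FA, is the one the report leans on most, so here is what a time-based one-time password (TOTP, RFC 6238) check looks like on the server side. This is an added example, not code from the DBIR or from any particular 2FA product; the per-user secrets and the replay cache are my own constructions (the cache is assumed to be in memory; a real service would keep it in a shared store), and the test secret is the one from the RFC's own test vectors.

```python
"""Server-side TOTP (RFC 6238) verification with replay rejection (added example)."""
import hashlib
import hmac
import struct
import time

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Verifies user-submitted codes against per-user secrets.

    `skew` is how many 30-second steps of clock drift to tolerate on each
    side of 'now'. Every accepted (user, counter) pair is remembered so the
    same code cannot be accepted twice inside that tolerance window.
    """

    def __init__(self, secrets: dict, step: int = 30, digits: int = 6, skew: int = 1):
        self.secrets = secrets          # user -> raw secret bytes (assumed store)
        self.step, self.digits, self.skew = step, digits, skew
        self._accepted = {}             # user -> set of counters already used

    def verify(self, user: str, code: str, now: float = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not code.isdigit():
            return False
        now = time.time() if now is None else now
        current = int(now) // self.step
        used = self._accepted.setdefault(user, set())
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = hotp(secret, counter, self.digits)
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(expected.encode(), code.encode()):
                if counter in used:
                    return False        # replay of an already-accepted code
                used.add(counter)
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier({"alice": RFC_TEST_SECRET})
    code = totp(RFC_TEST_SECRET, time.time())
    print("fresh code accepted:", verifier.verify("alice", code))
    print("same code again:   ", verifier.verify("alice", code))
```

Two points worth noting from the design. The skew window is what makes a code usable for up to about 90 seconds with `skew=1`, which is why the replay cache matters: without it, a code captured once stays valid for the rest of that window. The cache does not, however, help against the banking Trojan chain quoted earlier, where the victim types a still-fresh code into a fake site and the attacker relays it immediately; any one-time code that the user can type can be relayed that way, so for high-value logins pair 2FA with the monitoring practices on the list rather than treating it as a complete fix.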

The report further goes into detail on the different types of malware such as ransomware and other crimeware families as well as an excellent deep dive into incident classification patterns.