The Verizon 2019 Data Breach Investigations Report (DBIR) – Major Takeaways
by Robert Bond
Verizon has released their 12th annual Data Breach Investigations Report (DBIR) with the analysis of nearly 42,000 security incidents and over 2,000 data breaches from 86 countries worldwide. Each year, the Verizon DBIR provides insight into actual security incidents and the ever-evolving cybersecurity threat landscape. The 2019 report paints a picture of financial motivation, social engineering attacks, cloud vulnerabilities, and incident response failures.
- 71% of data breaches were financially motivated
- 33% of all attacks were social in nature
- 60% of web application attacks are against cloud-based e-mail servers
- 56% of breaches took months to discover
The comprehensive 78-page report suggests that six key learnings apply to every industry.
C-level executives are the hottest targets for financially motivated social engineering attacks. In comparison to recent years, they are twelve times more likely to be the target of social incidents and nine times more likely to be the target of breaches involving social media apps and data. Senior executives are often victims of pretexting and whaling because of their approval authority and privileged access to sensitive data.
Cloud-based Solutions Pose New Threat
Organizations have started to migrate servers and, thus, their sensitive data to the cloud in hopes of cost savings and increased performance. As this year’s DBIR suggests, where the data goes, the hacker is not far behind. Trends show an increase in cloud-based e-mail server attacks, particularly via stolen credentials. Although this does not indicate that cloud services are less secure, it does indicate that configuration errors and other vulnerabilities may be a by-product of the cloud revolution.
Payment Card Breaches Go Digital
Physical terminal compromises concerning payment cards have been surpassed by payment card web application compromises. The most immediate threat facing Point of Sale (POS) controllers and terminals is malware. Verizon suggests that organizations “restrict remote access to POS servers and balance the business needs of interconnectivity” while also “defending against the potential spread of malware.”
Ultimately, skimming at pump stations and ATMs is on the decline and web app server breaches are increasing dramatically. POS intrusions in general are on the decline because of improvements in fraud detection capabilities.
Ransomware has been around since 1991, but it flooded news stations in mid-2017 when WannaCry attacks spread across the globe. Since then, it has become so commonplace that it rarely makes headlines anymore but is still a serious threat to all industries. Ransomware not only affects industries, but also has impacted entire cities. In March 2018, one of the most sustained cyberattacks against an American city took place using SamSam ransomware. The attack crippled systems and held data ransom for over a week, ultimately costing the city of Atlanta, Georgia a shocking $2.6 million. Ransomware is used in 24% of malware incidents.
W-2 Tax Form Scams on the Decline
Last year, Human Resource personnel were highly targeted for social engineering scams; this year, successful attacks decreased dramatically. Subsequently, W-2 tax form scams nearly dropped off the DBIR data set. This drop is primarily attributed to improved cybersecurity awareness programs such as simulated phishing attacks and standardized employee training.
Phishing Click Rates High on Mobile Devices
Over the last seven years, the click-through rate on phishing simulations dropped from 24% to 3%. However, new data shows that mobile users are increasingly susceptible to phishing attacks. Verizon’s report points the blame towards the limited user interface and user distraction. Mobile vulnerabilities also apply to spear phishing and social media attacks.
No industry is exempt from cyber threats, but certain sectors are more prone to specific types of attacks. The 2019 Verizon DBIR dives into the industries listed below to pinpoint the threats, motivations, and bad actors that each one typically faces.
Accommodations & Food Services
The number of POS vendor incidents has dropped drastically in the last year, but these intrusions remain the #1 threat in the accommodations and food service industries. Most POS intrusions are discovered by fraud detection or customer notification. The percentage discovered by the company itself is almost negligible, leaving plenty of room for intrusion detection improvement.
The biggest threat to the education industry is employee error. Almost half of all incidents stem from miscellaneous errors, social engineering attacks, and poorly secured credentials. In fact, over 80% of breaches were conducted through web applications using stolen credentials. Verizon says it’s time for the education industry to shape up their security, starting with mass adoption of two-factor authentication.
Financial and Insurance
Physical ATM attacks have been declining since 2010 and are currently at an all-time low. With the decline of payment card breaches, personal data has become the most targeted information stored by financial and insurance agencies. On-trend with other industries, external and financially-motivated actors continue to target user credentials for web applications.
Healthcare is the only industry that faces a greater internal threat than external threat. Tying with hackers using stolen credentials, internal privilege abuse is the most common threat action variety in the industry. On top of that, ransomware attacks are most common in this vertical, accounting for over 70% of all malware outbreaks.
The information industry focuses on creating, transmitting, and storing sensitive information. This vertical suffers from the second most incidents of all analyzed industries, and the majority stem from user error. Misconfigurations, publishing errors, programming errors, omissions, and malfunctions make up 42% of all breaches in this vertical. Verizon suggests implementing a standard protocol surrounding cloud migrations would help in reducing human error.
For the second year in a row, financially motivated actors beat out cyber-espionage as the #1 motivation for manufacturing incidents. Verizon cites a possible lack of data for this shift, but findings still show an attacker focus on user credentials for web applications. The second most common hacking attack focuses on exploiting vulnerabilities; system administrators in this vertical would benefit from reviewing and updating their patching practices.
Professional, Technical & Scientific Services
Law offices, advertising agencies, and engineering and design firms are only a few members of this broad industry. Credentials to web applications continue to be compromised and, in this vertical, static passwords are making organizations vulnerable to the simplest attacks.
Cyber-espionage makes up 66% of attacks in the public sector, and 79% of external breaches are attributed to state-affiliated actors. The overwhelming majority are social engineering attacks, to which employees in this vertical are increasingly susceptible. The report-rate for phishing simulations is about half the click-rate, and over half of all breaches aren’t discovered for years.
Breaches involving POS compromises are declining at the same rate as retail web application compromises are rising. Attackers are compromising systems and then injecting code designed to capture consumer data, subsequently compromising data integrity.
Security threats evolve just as technology evolves, sometimes even faster than technology. Yet ultimately, the attacks have stayed consistent over time: crimeware, cyber-espionage, DDoS, privilege misuse, miscellaneous errors, payment card skimmers, PoS intrusion, physical theft and loss, and web application attacks.
“The numbers reveal that 98.5% of security incidents and 88% of data breaches continue to find a home within one of the original nine patterns.”
Knowledge is power and, in this case, the best defense against attackers. The perspective and insight supplied by Verizon’s DBIR can empower organizations and individuals to take targeted steps to protect their customers and themselves.