The Strongroom

The Verizon Data Breach Investigations Report: What does it mean for you?

1st June 2018

Security

Written by Rob Holmes


It’s that time of year again when we’re flooded with reports alerting us to the cybercrime wolf at the gate. If you’re not already aware of at least some of the issues they highlight, you’ve probably been lucky enough to have been living in a backcountry hut somewhere: 2017 was the year cybercrime truly broke free of the newsfeeds of IT wonks and became a regular feature in the mainstream news.

That’s because last year we were hit with some big attacks, WannaCry and NotPetya being the two most notable. WannaCry infected hundreds of thousands of victims in a relatively short time period, bringing large parts of the UK’s NHS to its knees. It was probably the first time many outside the IT industry had heard the term ‘ransomware’. And many will remember NotPetya as the attack that shut down shipping giant Maersk.

One of the most recent publications to hit the pavement of cybersecurity street is the Verizon 2018 Data Breach Investigations Report. It describes the landscape of data breaches in 2017 with a good dose of hard data. If you haven’t had the time (or the courage) to read it yet, I’ll give you a synopsis here, with some local context.

Portrait of a cybercriminal

The report shows that breaches are usually carried out by criminals external to your organisation, most commonly organised crime syndicates. This holds across all industries (healthcare has the dubious honour of being the only sector where the most common threat actor is an employee). And at 76% of all breaches, far and away the most common motive is cold hard cash.

Let’s address a common misconception that cybercrime is something that happens ‘over there’, to the big players. The reality is that cybercriminals know no borders. In fact, as a nation of SME businesses, New Zealand represents rich pickings: 58% of cybercrime victims worldwide in 2017 were small and medium businesses. The bottom line: Cybercriminals are interested in attacking the unprepared, regardless of their size, location or wealth.

Now let’s take a look at three broad categories of attacks.

Social attacks

The most common type of social attack highlighted in the report is phishing, which together with pretexting comprises 98% of all social attacks. This sobering statistic is borne out by our experience with our customers. Some comfort can be had in the fact that 78% of employees are judged to be resistant to phishing attempts. But before you think ‘it won’t happen to us’, the bad news is it’s the percentage left that are the danger. The reality is that it only takes one person to let the vampire through the door. If you don’t yet have an active anti-phishing plan, I’d suggest you get one that covers both the ongoing education of your users, and how you will respond when the inevitable happens. Origin Security’s Phriendly Phishing Attack Programme is a great place to start.

Ransomware and botnets

We’ve seen a fair number of ransomware cases in our customer base over the last two years. It’s a lucrative, highly disruptive attack method, and it only needs a single entry point to be effective. Once inside, ransomware moves laterally and quickly; the post-compromise infection of file and database server assets is where the real damage occurs.

Verizon identified 43,000 breaches where botnets were used to steal credentials from infected clients. We recommend that you add a second authentication factor for your users, and make sure you have a way of detecting and removing any botnet malware.

Denial of Service

DoS attacks are still out there, though according to the figures the size of the attacks (in terms of ‘network size’) has dropped. Most organisations don’t encounter them regularly, but that is no reason to skip preparing for them. A couple of good pieces of advice: First, don’t try and go it alone: Talk to us and your ISP about your defences. Second, make sure you’re on top of your patching, and get a solid response plan in place. Yep, it’s all about getting those basics right.

So, from an industry perspective, where do you sit? I’ll cover off three of New Zealand’s largest industry verticals:

Financial and Insurance

Banking Trojan Botnets, Denial of Service and Phishing are high on the radar here. Watch out for Ransomware also. Our advice is:

  1. DoS: Ensure defences are in place and you have a plan

  2. Phishing: Measure, educate, and make sure employees have a mechanism to report incidents

  3. Patching: Make sure systems are up to date, patched, and segregated to ensure business continuity

  4. Strong authentication and visibility: Implement strong authentication, gain visibility into systems and applications, and have a solid response plan ready for when attacks or breaches occur

Manufacturing

The main one to watch out for here is espionage. For most of our manufacturing customers, the loss of R&D and other IP is a high risk, especially if it allows a competitor to bring the product to market sooner or if they’ve been entrusted with someone else’s trade secrets. Most attacks on companies in this sector are specifically targeted, for the purposes of gaining access to trade secrets and IP.

Our advice is:

  1. Phishing: Most external espionage cases begin with some type of phishing attack. Measure, educate, and make sure employees have a mechanism to report incidents

  2. Segregation of systems: To protect your IP, control and monitor who has access to it

  3. DLP: Implement controls, and monitor and block data transfers by employees that look suspicious (especially transfers from accounts you forgot to disable when their owners left!)

  4. Real-time monitoring of your environment: To highlight abnormalities as they occur. Better still, put a team and plan in place to react to them quickly and effectively
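The DLP and real-time monitoring points above are easier to act on with a concrete check. The following is an added example, not code from the Origin Security post: it cross-references an outbound transfer log against an HR leaver list and flags transfers by accounts that should already have been disabled, as well as unusually large transfers, noting when either happened outside working hours. The log format, the leaver list, the 500 MiB threshold and the 07:00–19:00 working window are all constructed assumptions for illustration.

```python
"""Flag suspicious outbound data transfers: leaver accounts still in use and
large transfers, with an after-hours note as supporting context.

Added example (not from the original post). The log format, the leaver list
and the thresholds are constructed assumptions.
"""
from datetime import date, datetime

# Constructed sample: HR leaver list, username -> last working day.
LEAVERS = {
    "jsmith": date(2018, 3, 30),
    "apatel": date(2018, 5, 15),
}

# Constructed sample: tab-separated outbound transfer log.
# Fields: ISO timestamp, username, destination host, bytes transferred.
TRANSFER_LOG = """\
2018-05-28T09:12:04\tmchen\tsharepoint.internal\t1048576
2018-05-28T22:47:51\tjsmith\tdropbox.com\t734003200
2018-05-29T10:03:17\tmchen\tdrive.google.com\t5242880
2018-05-29T11:15:42\tapatel\tmail.example.net\t204800
2018-05-29T23:58:09\tmchen\tdrive.google.com\t2147483648
"""

LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # assumed per-transfer threshold (500 MiB)
WORKING_HOURS = (7, 19)                    # assumed working window, 07:00 to 19:00


def parse_log(text):
    """Parse the tab-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, size = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "dest": dest,
            "bytes": int(size),
        })
    return events


def find_suspicious(events, leavers, large=LARGE_TRANSFER_BYTES, hours=WORKING_HOURS):
    """Return (user, destination, timestamp, reasons) for each flagged transfer.

    A transfer is flagged if the account belongs to someone whose last working
    day has passed, or if it exceeds the size threshold. Being outside working
    hours is recorded as extra context on flagged events, not as a trigger on
    its own (plenty of legitimate transfers happen after hours).
    """
    findings = []
    for e in events:
        reasons = []
        leave_date = leavers.get(e["user"])
        if leave_date is not None and e["time"].date() > leave_date:
            reasons.append("account active after last working day %s" % leave_date)
        if e["bytes"] >= large:
            reasons.append("large transfer (%d MiB)" % (e["bytes"] // (1024 * 1024)))
        if reasons and not (hours[0] <= e["time"].hour < hours[1]):
            reasons.append("outside working hours")
        if reasons:
            findings.append((e["user"], e["dest"], e["time"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, dest, when, reasons in find_suspicious(parse_log(TRANSFER_LOG), LEAVERS):
        print("%s  %-8s -> %-20s  %s" % (when, user, dest, "; ".join(reasons)))
```

On the sample data this flags the 700 MiB late-night upload by a leaver whose account is still live, a small but post-departure transfer by a second leaver, and a 2 GiB after-hours upload by a current employee. The leaver list is the part most organisations already have (HR knows who has left); joining it to transfer or authentication logs is what turns the "forgot to disable the account" problem into an alert rather than a post-incident discovery.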

Professional, Technical and Scientific Services

Malware and Denial of Service continue to be the preferred attack methods against this sector, and detection and containment times for breaches here were reported as ‘dismal’. That is alarming when you put phishing and malware together: staff who can’t recognise a phish, plus no detection in place for malware, is the perfect recipe for data to walk out the door completely unnoticed.

Our advice:

  1. Phishing: Hate to sound like a stuck record here, but you know the drill – educate, and make sure employees have a mechanism to report incidents

  2. Proactive monitoring of your environment: Know what threats are impacting you and if you are losing sensitive data

  3. Understand the security controls and posture of your clients: Don’t become their weakest link

Give your business a fighting chance against cybercrime

The Verizon Data Breach Investigations Report, and others like it, comprehensively demonstrate that no company is immune to cybercrime. The threats aren’t going away anytime soon; they continue to grow in number and sophistication. Origin Security can help you take a strategic, evolving approach to cybersecurity so you can do everything possible to keep your business safe. Get in touch today to find out more.

Rob Holmes

Chief Technology and Security Officer

Rob leads our consulting team. He has over 20 years’ ICT industry experience in Europe and Australasia and has worked on some of the largest infrastructure projects in the world.
