The takeaway from the 10th annual Verizon Data Breach Investigations Report is depressingly familiar: Of the 1,935 breaches analyzed, 88 percent were accomplished using a familiar list of nine attack vectors, meaning they could probably have been prevented by a few simple cyber-hygiene measures.
The DBIR, an analysis of breaches and incidents investigated by Verizon personnel or reported by one of their 65 partner organizations, is one of the most comprehensive reports in an industry that sometimes seems to specialize in thinly sourced surveys — marketing gussied up as research. So its release is closely watched by cybersecurity mavens every April.
But in recent years, the DBIR has become a repetitive litany of attacks that exploit well-known and long patched vulnerabilities in familiar ways. The 2017 report released Thursday found, for example, that 81 percent of hacking-related breaches employ either reused/stolen passwords or weak/crackable ones.
“There is no such thing as an impenetrable system, but doing the [cybersecurity] basics well makes a real difference,” said Bryan Sartin, executive director of Verizon’s Global Security Services, in a statement. “Often, even a basic defense will deter cybercriminals who will move on to look for an easier target,” he concluded.
Ensuring that software is patched, using two-factor identity authentication, encrypting sensitive data and segmenting the network to protect it — these basic hygiene measures are the cybersecurity equivalent of “locking our windows and doors, brushing our teeth and using our seat-belts,” said former Director of National Intelligence James Clapper on Wednesday. But many organizations neglect these basic measures.
“The victims … make it easy” for cybercriminals and online spies, Clapper added during a keynote at the Gigamon Public Sector Cybersecurity Summit.
Clapper was discussing cybersecurity in general, not commenting on the Verizon report. But the prescriptions he offered echo those proffered by the report’s authors — underlining the extent to which the solutions are well and widely understood.
For instance, both Clapper and Verizon executives emphasize the importance of training — especially when dealing with phishing or pretexting emails.
“Cyberattacks targeting the human factor are still a major issue,” Sartin said. “And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”
Clapper said he had eventually concluded that “the only way to improve” security awareness and stop staff clicking on attachments or links in unknown email was “to test [them] and publicize the results. … No manager wants to see his results compare unfavorably with his fellows’,” he said.
In addition to the 1,935 confirmed breaches of organizations from 84 different countries, the report also analyzes 42,068 incidents where attackers appear to have compromised a system, but where there was no confirmed theft or loss of data.
This year saw the highest proportion of attacks targeting smaller businesses, with 61 percent of breaches happening at companies with fewer than 1,000 employees.
For the first time this year, the report also offers an industry-by-industry breakdown of attacks. One takeaway from that information: Manufacturers are particularly vulnerable to cyber-espionage.
But the report caught flack in some quarters, for not including data about Industrial Control Systems breaches. ICS are computer-controlled industrial machines which run factories, refineries and chemical plants.
“ICS are the systems that [run] volatile chemical and oil refining processes, produce electricity and clean water, and deliver many other products and services upon which we rely in our daily lives,” Eddie Habibi, founder and CEO of ICS cybersecurity company PAS. “They are also the systems that prevent industrial accidents.”
Because corporate resources are finite, “we need to look at risk comprehensively,” added Habibi. “Unfortunately, reports that only focus on IT systems and don’t include ICS perpetuate an environment of risk that outsider and insider threats will eventually exploit.”