The Verizon Data Breach Investigations Report once again shows that shoddy security practices and lack of patching are at the heart of most breaches. The annual report, released April 26, provides visibility into the state of security and why breaches occur.
The 2016 report is based on Verizon's analysis of more than 100,000 security incidents, of which 2,260 were confirmed as data breaches. By comparison, the 2015 report drew on 79,790 security events, with 2,122 confirmed data breaches.
As was the case in the 2015 report, Verizon once again has found that little has changed in the breach landscape, with attackers using the same tactics and organizations failing in the same basic areas of security. Known vulnerabilities continue to be a root cause for many breaches, explained Suzanne Widup, senior consultant, Network and Information Security, Verizon RISK Team and a co-author of the DBIR. According to the DBIR, 85 percent of all successful exploits in the last year can be attributed to 10 already-patched vulnerabilities. In some cases, the patches have been available for years and there are vulnerabilities from 1999 that can still show up as root causes of breaches.
"Attackers are still exploiting old vulnerabilities really well, and they don't have to use zero-days," Widup told eWEEK. "There are a lot of things that really should have been patched a long time ago."
Web application attacks increased 33 percent in 2015 compared with 2014, and 95 percent of these breaches were financially motivated. Web attacks against financial services firms rose this year to 82 percent, from 31 percent last year; financial services, along with the information and retail industries, were hit hardest by these attacks, of which the report recorded 5,334 incidents, 908 of them data breaches.
Financial firms suffered the most data breaches last year, with some 795 breaches, followed by the accommodation/hotel sector (282), information sector (194), public sector (193), retail (137) and healthcare (115). The decline in big-box retail hacks coincides with many retailers starting to beef up transaction security, including their point-of-sale (PoS) systems. Hotels, meanwhile, have become a new target for cybercriminals in the past year.
Attackers are getting faster in their hacks, but victims are still slow to detect that they have been hit. According to the DBIR, most attackers (82 percent) compromised victims within minutes, about 67 percent pilfered data within days, and 21 percent did so within minutes.
According to the report, 30 percent of phishing messages were opened by organizations, compared with 23 percent in the 2015 report.
Meanwhile, Web attacks encompassed not only stolen credentials, but also attacks via content management systems (CMS). "A lot of plug-ins have vulnerabilities. You have so many layers to worry about in a Web app," including ensuring there aren't input-validation flaws. "A lot of hacking stems from there," Spitler said.
Some 95 percent of confirmed Web breaches were financially motivated, according to the report. “In attacks against ecommerce servers, web shells are used to access the payment application code and capture user input,” for example, the report said. CMSes are often the vector for installing those web shells.
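As an added example (not from the report or this article), one way a defender can look for the web-shell access pattern described above in ordinary web server access logs: a server-side script being executed from a CMS upload directory, or a POST driving a script that is not a known application endpoint. The log lines, directory list and endpoint allowlist are constructed for illustration.

```python
import re

# Constructed sample access-log lines (not from the report). The last two show
# a script under a CMS upload directory that only ever receives POSTs: the
# access pattern a web shell dropped through a plug-in flaw typically leaves.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2016:10:00:02 +0000] "POST /checkout.php HTTP/1.1" 200 880 "https://shop.example/cart" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2016:10:05:10 +0000] "GET /wp-content/uploads/2016/04/banner.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Apr/2016:10:07:44 +0000] "POST /wp-content/uploads/2016/04/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.9"
198.51.100.9 - - [26/Apr/2016:10:07:45 +0000] "POST /wp-content/uploads/2016/04/cache.php HTTP/1.1" 200 4096 "-" "python-requests/2.9"
"""

# Combined log format: client, identity, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed layout: these directories hold static uploads and should never execute scripts.
STATIC_DIRS = ("/wp-content/uploads/", "/media/", "/images/")
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")

def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_indicators(log_text, known_paths=()):
    """Return (path, ip, reason) tuples for requests that look like web-shell use.

    Indicator 1: any server-side script executed from a static/upload directory.
    Indicator 2: a POST, with no referrer, to a script path outside the allowlist
    of known application endpoints (a freshly dropped file driven by its operator).
    """
    known = set(known_paths)
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue                                  # static asset, not a script
        if path.startswith(STATIC_DIRS):
            hits.append((path, rec["ip"], "script executed from upload directory"))
        elif rec["method"] == "POST" and path not in known and rec["referer"] == "-":
            hits.append((path, rec["ip"], "POST to unknown script without referrer"))
    return hits

if __name__ == "__main__":
    for hit in find_webshell_indicators(SAMPLE_LOG, known_paths={"/checkout.php"}):
        print(hit)
```

The allowlist of legitimate endpoints is the part that has to be maintained per site; a daily diff of script files under upload directories against a known-good manifest is the complementary file-system check.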