Verizon has released its 2019 Data Breach Investigations Report (DBIR), and not surprisingly its findings are receiving a lot of attention from industry media and analysts. Security Boulevard’s “SecurityExpert” writes it provides “…the most valuable annual ‘state of the nation’ report in the security industry.” ZDNet Editor-in-Chief Larry Dignancalls it “basically the bible of security,” a designation also bestowed on it by Security Week’s Kevin Townsend who says that “purely from its detail and breadth of coverage, DBIR has become the breach bible for the security industry.”
Are they being a bit hyperbolic? Perhaps. But then again, maybe not, considering the incredible volume of data Verizon collects and analyzes: 41,686 security incidents, of which 2,013 were confirmed data breaches, provided by 73 public and private sources from 86 countries.
At 77 pages full of numbers and charts, it will take you a good chunk of time to read through the entire report. That’s not to say it isn’t fascinating and educational, so I encourage you to find the time. But in the interim, let’s take a look at the top-level findings according to the report’s authors and some journalists and industry experts.
More Nation-State Attacks – a Lot More
The report showed a sharp rise in the number of nation-state attacks last year. It attributes 23 percent of all breaches to nation states or state-sponsored actors – more than double the number from last year’s report. The public sector is a primary target of cyberespionage with the number of espionage-driven breaches for government entities jumping 168% year over year.
SearchSecurity.com Associate Editorial Director Rob Wright reports the increase in attacks motivated by cyberespionage coincides with a slight drop in financially motivated attacks – from 76 percent to 71 percent breaches year-over-year.
Attackers Sticking with the Tried and True
We hear a lot nowadays about how attackers are growing more and more sophisticated in their methods and tactics. However, Verizon found the typical organization received more than 90 percent of their detected malware through email messages. One-third of all breaches involved phishing, and nearly 80 percent of all cyberespionage-related incidents leveraged phishing.
“You would think these things would be defended a little better by now, but things like phishing and social engineering tactics where they may be asking you for information to keep an account open, that stuff still works and it works pretty well,” adds ZDNet’sDignan.
Malcolm Harkins, chief security and trust officer at BlackBerry Cylance, told SearchSecurity’s Wright that while many breaches are attributed to advanced threat actors, the attacks often begin with simple phishing email messages.
“It doesn’t take an advanced actor to create an email that looks like it came from your boss, your wife or your kid, then take a picture from [a] social media site or something else and send you an email,” Harkins said. “And guess what? You’re going to click on the damn thing.”
Targeting Senior Executives
One finding I found very interesting is whom cyberattackers are targeting: senior-level executives are six times more likely to be a target of social engineering than they were only a year ago. Attacks on the C-suite are 12 times more likely than on all other employees, and C-suite executives are nine times more likely to be targets of social engineering attacks. The report draws the conclusion that “typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through.”
As the HIPAA Journal’s editorial team points out, “these figures show just how important it is for C-suite executives to receive regular security awareness training.”
As I explained in a previous blog post, holding regular employee education sessions to raise their awareness levels alone is not adequate. The security team needs to be able to identify an attack even after a user clicks on a phishing link. That’s why we developed PARANOID to be agnostic to vulnerabilities, malware or attack vectors old and new. If malware succeeds in slipping past your perimeter defenses and tries to exfiltrate, corrupt, encrypt or delete data, corrupt system settings, move laterally or communicate with a C2 server, PARANOID blocks it in real-time.
I could go on and on citing all of the fascinating findings and conclusions in this year’s Verizon DBIR, but in the interest of brevity, here’s a short list:
- Small businesses are targets too: 43% of breaches occurred at small organizations
- Dwell time is too long: As Tara Seals at ThreatPost reports, more than half (56%) of data breaches took months or longer to discover
- Ransomware remains a major threat: ransomware is the second most common type of malware reported
- Money talks: despite the rise in cyberespionage, financial gain is still attackers’ most common motivation (71%).
I encourage you to download and read the report here, and follow the links to the various news articles I’ve hyperlinked to throughout this post. And if you’re a technology history buff, try to pick out all of the retro products on ZDNet’s video studio set like the seemingly pristine Commodore 64.