For the ninth consecutive year, Verizon has published its annual Data Breach Investigations Report (DBIR). Read on for Checkmarx's key takeaways from the Verizon 2016 Data Breach Investigations Report.
The 2016 DBIR is based on a final dataset of 62,199 security incidents and 2,260 confirmed data breaches. The incidents affected organizations in 82 countries, and the victims span industries and organization sizes.
In the report, an incident is defined as a “security event that compromises the integrity, confidentiality or availability of an information asset,” while a breach is considered an “incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.”
Verizon 2016 Data Breach Investigation Report – Key Takeaways
Vulnerability Creation is Outpacing Vulnerability Closing
The DBIR describes a race between the rate at which vulnerabilities are created and the rate at which they are closed. The data suggests that patching alone is not keeping pace: as the report's graph shows, new vulnerabilities are appearing faster than existing ones are remediated. The report's first recommendation is that organizations establish a defined process for vulnerability remediation.
For systems that cannot be patched or upgraded to current software, the DBIR recommends a Plan B: apply other risk mitigations such as configuration changes or network isolation, and plan how the vulnerable devices could eventually be replaced without significant disruption to the business. Plan B is a stopgap, not a first choice; it should remain in place only until the vulnerability is properly addressed.
Trouble in the Transportation and Finance Sectors
Looking at the report's distribution-of-attacks graph, industries that adopted or expanded web application usage over the past year (such as financial services) are seeing that shift reflected in their attack patterns. Assuming, as the report's pattern does, that mobile applications are bundled with web applications, the financial and transportation verticals are the top targets for web application attacks. Both industries have ramped up their web and mobile application services in recent years, creating a fertile attack surface.
Web Sites: Now Business Critical Platforms
The report also confirms that websites have become business-critical platforms. Business websites have evolved from eye-catching pages carrying a marketing pitch into platforms wired to backend servers that talk directly to the organization's databases in order to deliver functionality and store and collect data.
The report further confirms that the dominant motivation remains financial gain: "95% of confirmed web app breaches were financially motivated."
Input Validation as One of the Recommended Controls
Since SQL injection (SQLi) is still a primary enabler of web application attacks, the DBIR again stresses the need for input validation. Plugins, which are very often open source, are another concern the report raises. The report recommends establishing a patch process for them, but it is equally important to ensure that the open source components in your web applications are not introducing vulnerabilities in the first place.
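To make the input-validation point concrete, here is an added example (it is not code from the DBIR or from Checkmarx) in Python using the standard-library sqlite3 module. It shows the same user lookup three ways: built by string concatenation, which a tautology payload turns into a dump of every row; with a bound parameter, where the same payload is treated as a literal value and matches nothing; and with an allowlist check in front of the parameterized query, which rejects the payload before it reaches the database. The table, its rows and the payload are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the report); in-memory DB so this runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The classic mistake: untrusted input is concatenated into the SQL text,
    # so quotes and operators in the input become part of the query.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Bound parameter: the value is passed to the engine separately and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for this field: lowercase letters, digits, underscore, 1-32 chars.
# The exact rule is an assumption for the example; derive yours from the
# application's real requirements for the field.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username):
    # Allowlist validation rejects anything outside the expected character set.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username):
    # Validation and parameterization are complementary: the query is safe
    # either way, and validation keeps junk out of the data layer entirely.
    return lookup_parameterized(conn, validate_username(username))


# Constructed tautology payload: closes the string literal and appends a
# condition that is always true.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run all three lookups against the payload and return what each did."""
    conn = make_db()
    result = {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterized_rows": len(lookup_parameterized(conn, PAYLOAD)),
        "hardened_rejected": False,
    }
    try:
        lookup_hardened(conn, PAYLOAD)
    except ValueError:
        result["hardened_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Parameterization is the control that actually neutralizes SQLi; the allowlist is defense in depth and also catches malformed input that a bound parameter would happily store. Note that `lookup_vulnerable` is kept deliberately broken to show the failure; do not copy it.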
The Growth of Cyber Espionage
Cyber espionage is on the rise, with attacks attributed to state actors and anonymous groups taking a growing share of the pie. While these attacks tend toward the sophisticated end of the spectrum, they still rely on techniques we know well.
Droppers, phishing and targeted malware remain the most popular foot-in-the-door techniques. When those are not used to establish persistent malware, exploitation of existing vulnerabilities reliably works for the attackers. The DBIR identifies browser plugins as the main target for vulnerability exploitation, but it neglects to mention the very popular Adobe and Java vulnerabilities.
Dispelling Cyber Myths
The team behind the DBIR worked hard to dispel some common assumptions about the realities of cyber security. One myth they address is the belief that attackers carefully select a target and then hit it with a zero-day exploit. The contrary is true: the majority of attacks are opportunistic, indiscriminate and exploit known vulnerabilities. In fact, the report notes that the top 10 vulnerabilities account for 85% of successful exploit traffic.
Another myth worth dispelling is that nobody falls for phishing anymore. That might seem plausible, since classic schemes like the "Nigerian Prince" email and other advance-fee scams are publicly mocked and turned into memes, but unfortunately the opposite is true. A surprising 30% of phishing emails are opened, and 12% of recipients go on to click the link or open the attachment, often within minutes of opening the email.
To read more about the dangers posed by phishing attacks, read: Everyone Talks About Phishing, But No One Blames XSS