Even in the wake of high-profile malware campaigns such as the WannaCry and NotPetya ransomware, businesses are still failing to get the security basics right when it comes to employee awareness training and patching vulnerabilities.
“People’s security maturity hasn’t really moved on in the past couple of years,” said Chris Tappin, principal consultant at Verizon.
In some cases, organisations have been worn down by the “constant doom and gloom” around security, he said. On top of that businesses are often confronted by vendors that are “trying to sell you the latest security appliances saying ‘Post WannaCry, you’ve got to have this; after Stuxnet our software is now critical to your business.’”
“People are getting hammered with white papers and invites to conference talks and things that say ‘You definitely need artificial intelligence in your SIEM’ or whatever,” he said. “But people aren’t really doing the basics.”
Vulnerabilities in Apache Struts were a “huge thing” in the data set that underpins Verizon’s 2018 Data Breach Investigations Report (DBIR), which was released today, Tappin said.“People’s unpatched Apache Struts were causing absolute havoc,” he said.
Tappin and his colleagues at Verizon encountered customers that had servers with Apache Struts that “haven’t been looked at for three years because they were someone’s pet project who left the business, for example.”
“There were a number of investigations through 2017 where the cause was because of the organisation not patching promptly even when there exists a known vulnerability,” said Verizon senior security consultant Simon Ezard. “Systems are perhaps forgotten, or staff have moved on.”
“They’ve got these patches that have been outstanding for years that they haven’t installed,” Tappin said. “And these are probably the same people that are taking meetings talking about machine learning in firewall rules and things that are really nice to have and nice to think about in the next few years — once you’ve got the basics done.
“But they haven’t got things like an incident response plan. They haven’t got user awareness training for new starters saying ‘Hey, someone might send you an email saying you’ve got a speeding ticket from the ATO. The ATO don’t issue speeding tickets. Think about stuff.’”
The latest edition of the Verizon DBIR is based on 53,308 security incidents and 2216 data breaches across 65 countries.
It revealed that social engineering-based attacks remain popular. Phishing and ‘pretexting’ (“creation of a false narrative to obtain information or influence behaviour”) represented 98 per cent of social incidents and 93 per cent of breaches. Email remained the most attack common vector (96 per cent), the report states.
According to the data gathered by Verizon, 78 per cent of people did not fail a phishing test last year. “Unfortunately,” the report notes, “on average 4% of people in any given phishing campaign will click it, and the vampire only needs one person to let them in.”
“And incredibly, the more phishing emails someone has clicked, the more likely they are to do so again,” Verizon notes.
‘Pretexting’ has increased more than five times since the previous DBIR was issued, from 61 incidents to 170. “Eighty-eight of these incidents specifically targeted HR staff to obtain personal data for the filing of file fraudulent tax returns,” Verizon said.
Many of the measures that organisations need to take to protect themselves are not particularly glamourous when stacked up next to the marketing material produced by some security software and hardware vendors, Tappin said.
“There’s not a glamourous side to ‘Here’s some training for your users to try to get them not to click phishing emails’,” he said.
However, measures such as awareness training, patching systems and restricting admin rights on devices can go a long way to preventing breaches, he added.
“You go into places and people have admin rights over their laptops — and all they’re doing is sending a few emails and creating a few Word documents. But those users have got admin rights so as soon as they click a phishing email — that [malware has] gone out to network shares, that’s installed software on the system, it’s trying to pivot out to other end points, it’s going to servers and trying to collect cached credentials from there.”