Credentials, credentials, credentials: Enterprises still failing at security basics

Verizon releases 2016 Data Breach Investigations Report

“Credentials, credentials, credentials,” should be the number one takeaway for enterprises from Verizon’s 2016 Data Breach Investigations Report (DBIR), according to Dave Ostertag.

“We see over and over again single-factor VPN access being exploited with a simple Zeus variant; a phishing email going to an employee or to a vendor and then that access is used to get into [an enterprise’s network] and steal privileged access credentials,” said Ostertag, Verizon’s global investigation manager,

All too often network access is secured only with single-factor authentication, he said. Enterprises need to invest in true multifactor protection for network access as well as multifactor authentication or one-time-use password vaults to protect sensitive data.

Sixty three per cent of confirmed data breaches drawn covered by the 2016 DBIR involved attackers using weak, default or stolen passwords.

The other headline lesson for organisations is to invest in training and awareness to combat social engineering, Ostertag said.

“We see increasingly an initial social engineering attack to gain the information needed to create a phishing email; we still see the number of people opening those attachments and clicking on the links is way too high,” he said.

Almost a third of phishing messages were opened by recipients, up from 23 per cent in 2014, the DBIR states. Some 12 per cent of targets opened an attachment or clicked on a link within phishing emails.

This year’s DBIR is based on a dataset comprising 64,199 incidences and 2260 breaches. Financial gain was by far the biggest motivation for attacks, followed by espionage as a distant second. The two categories together accounted for 89 per cent of breaches.

As with previous editions, the overwhelming majority — 95 per cent — of breaches covered by the report fall in to nine patterns: Miscellaneous errors (17.7 per cent of breaches); insider and privilege misuse (16.3 per cent); physical theft and loss (15.1 per cent); denial of service (15 per cent); crimeware (12.4 per cent); Web app attacks (8.3 per cent), point-of-sale intrusions (0.8 per cent); cyber-espionage (0.4 per cent); payment card skimmers (0.2 per cent) (“everything else” accounted for 13.8 per cent of breaches).

Within individual industries, in most cases around three quarters of incidents and breaches were covered by three patterns.

Large organisations are often being left vulnerable by patchwork environments that are the legacy of a string of acquisitions, Ostertag said. In addition, in many cases he has witnessed gaps between an organisation’s on-paper security posture and the reality.

Ostertag said that interviews with management and scrutiny of security policies can indicate a healthy security environment — “but when you get down to the employees that are responsible for day-to-day performing those processes and carrying out those activities that are described, we find a lot of times it just doesn’t happen.”

“There’s that gap between what management thinks the company is doing and what is actually happening — that goes on in a lot of organisations,” he said.

“I think you close that gap by changing the way that you manage security programs,” Ostertag said.

“Rather than just relying on assessments that only involve interviews and reading policies, verify. Sample and verify just like you do in any other audit.”

Ostertag said that often the vulnerabilities that are exploited have existed for years.

“A high percentage of the breaches involve patchable vulnerabilities, so make sure that those basics are taken care of before you worry about the more exotic [attacks],” Ostertag said.

The 2014 breach of US retailer Target was a wakeup call for boards, Ostertag said, and the attention security receives from upper management has subsequently been boosted.

“The directors themselves were sued personally by the shareholders for not making sure that data was secure,” Ostertag said.

“That and a lot of the attention around that around the world has caused boards of directors to realise they have to be involved in the security program. You can’t just rely on people further down in the organisation to be responsible for it

“More and more boards are asking that we go in front of them and we talk about the DBIR. A lot of boards ask us, ‘What should we be doing at our level?’ Our answer to that is — you should be involved. You’re responsible, you set the strategy, you set the philosophy for the organisation.

“Everyone in the organisation should know that security is as important as everything else that you do, no matter what your particular business does.”

Aaron Sharp, a Sydney-based security solutions consultant at Verizon Enterprise Solutions, said that he had seen a trend of cyber security turning into “cyber risk”, particularly among larger organisations such as the ASX 100.

“So it’s not just stopping with the information security team – it’s actually within group risk. The information security teams and the group risk people are actually working more closely together to not just understand the likelihood of an event happening but what the real impact is. That’s what I’ve seen as a big change in the last 18 to 24 months — it’s really firmly within the risk management function now.”