Ransomware remains the dominant form of cyberattack and phishing attacks now have more impact, despite more awareness. Meanwhile, cryptojacking isn’t as serious as has been reported.
Those are the key findings in the latest report on cybersecurity breach trends by Verizon Communications. Verizon publishes the report annually, and this year’s report, released Wednesday, is its twelfth and the largest ever.
A record number of organizations (73) contributed to the report, which analyzed 41,686 security incidents and 2,013 confirmed breaches from 86 countries as well as 1.5 billion data points of related information, such as data from malware research firms.
In total, the amount of information Verizon analyzed rose ten-fold since last year, from about 100 gigabytes to a terabyte, Gabriel Bassett, Verizon’s senior information security data scientist and one of the report’s authors, told us.
“We had partners who provide whole-internet scan data as well as partners who provided honeypot data,” he said. “We also had criminal forum and marketplace data that we were able to analyze.”
Cryptojacking and Ransomware
The most surprising finding was that cryptojacking didn’t turn out to be as big a problem as people thought.
In fact, according to Bassett, cryptojacking attacks — where hackers take over data center resources to mine cryptocurrency — accounted for only 2 percent of all cybersecurity incidents.
The low figure is not a result of cryptojacking technically not being considered a breach because no data is lost, he added.
“We cross-correlated it with our malware data,” he said. “It is not happening as substantially as other types of malware. If an organization is deciding how to position their defenses, our recommendation is to focus on other threats.”
For example, the single most common threat variety involved command-and-control functionality, the standard type of malware that conducts attacks and exfiltrates data. Command-and-control functionality was involved in 47 percent of all incidents, while ransomware was in second place, at 24 percent.
“It’s such an easy attack path,” Bassett said, referring to ransomware. “You don’t have to worry about monetizing stolen data or other things. In fact, the hardest part of ransomware is helping people understand how to buy bitcoin. The customer service is the hardest part.”
Backdoor attacks were in third place, at about 15 percent, followed by spyware and keyloggers. The numbers add up to more than 100 percent because many incidents involved multiple action varieties.
Breaches due to configuration errors continued a steady climb this year.
According to Verizon, human error of various kinds accounted for a fifth of all breaches this year.
Of those errors, 21 percent were cloud configuration errors — up from 17 percent in 2017 and 0 percent in 2010.
“In security, we make the assumption that things are perfect, that our people are perfect, our processes are perfect, our tools are perfect — and a lot of times it leads to issues,” Bassett said. “If the security community just assumed that nothing is perfect, what would that mean? Would we change the way we do things to prevent errors? Maybe you should provide systems that degrade gracefully if people make mistakes.”
Phishing and Social Engineering Attacks on Executives
Nowhere is the danger of human error more apparent than when employees click on malicious email links or accidentally pay fraudulent invoices.
In fact, social engineering attacks against C-level executives resulted in 36 data breaches this year, up from five in last year’s report.
“It did increase a lot,” Bassett said. And when it comes to all cybersecurity breaches, the percentage of attacks against C-level executives rose twelve-fold.
When it comes to phishing, however, employees have gotten a lot better at spotting fraudulent emails. The percentage of successful phishing attempts dropped from 24 percent to just 3 percent this year.
Unfortunately, any number bigger than zero is too high. “The population of potential targets is so large that even if only 1 percent of the population falls for it, there are still enough targets for attackers,” he said.
It only takes one employee to fall victim for attackers to get a foothold in an organization.
As a result, phishing was involved in 32 percent of all breaches this year, twice as high as last year.
The number of attacks associated with espionage also increased this year and now accounts for a quarter of all breaches.
These attacks are more sophisticated than the purely financially-motivated ones.
On average, according to Bassett, a financially-motivated attack involves two steps and two different action varieties. Attacks motivated by espionage contain an average of five steps and involve five different types of attack actions.
An attacker looking to quickly make some money usually moves on to an easier target after a failed attempt. Attackers looking for political, military, or corporate secrets, such as intellectual property, are more focused on a particular target.
That means cybersecurity managers should take into account the kinds of attackers they’re most likely to face. If they are protecting valuable intellectual property, for example, they should have extremely deep defenses.
These companies are “going to have to commit substantially more resources to stop [hackers], because if their Plan A fails, then they’re going to try Plan B,” Bassett said.
Organizations defending against financially-motivated attackers, however, should focus on the basics, such as patching, anti-phishing defenses, multi-factor authentication, and password management.
Meanwhile, In Other Reports
While Verizon’s is usually the biggest cybersecurity report of the year, other organizations have released their own reports over the past few days as well.
For example, according to a report by Risk Based Security, there have been 1,903 total reported breaches in the first quarter of this year, up more than 56 percent compared to the first quarter of 2018. The number of records breached hit 1.9 billion, up 29 percent from 1.4 billion during the same period last year.
Another report, from Shared Assessments, surveyed companies and found that 26 percent of breaches involved IoT devices, up from 15 percent the year before. Only 9 percent of respondents said they educate employees and third parties about the risks of IoT devices, and 32 percent said there’s no one person or department in their organization responsible for managing IoT risks. Meanwhile, 87 percent said they expect to experience an attack due to unsecured IoT devices, such as a botnet attack. Eighty-four percent said they expect to experience a breach due to IoT devices.
In a report released by Oracle last week, based on a survey of C-suite executives and policy makers, “human error” was ranked as the top cybersecurity risk for their organizations and foreign governments as the biggest threat to the tech industry.
McAfee released its own cybersecurity survey of IT professionals last week. It showed that data is now being stolen by a wider variety of methods, with the leading data exfiltration vectors being database leaks, cloud applications, and removable USB drives.