2019 Verizon Data Breach Investigations Report: First impressions from the perimeter
By Tin Zaw, Director, Security Solutions
The much anticipated 2019 edition of the Verizon Data Breach Investigations Report (DBIR) is now available. As the blogosphere and podcasters rush to dissect the data and share their views, let me be one of the first to share my impressions of the current security landscape.
Here are three issues that stand out the most to me.
Espionage is on the rise
External-threat actors continued to be the number one cause of data breaches, something we’ve seen since at least 2011. State-affiliated actors are the number two source for breaches, just behind organized crime, with an uptick in breaches by these groups over the recent past.
While financial gain remains the number one reason for attacks, you don’t have to be a fan of spy novelist John le Carré to notice an uptick in espionage as a motive for threat actors.
Figure 1. Threat actor motives in breaches over time.
Figure 2. Select threat actors in breaches over time.
Web hacking is the number one attack vector in breaches
Hacking was the number one tactic utilized in data breaches, with 52% of breaches analyzed involving hacking. What were they hacking? Web applications. This trend has not changed since we started blogging about the DBIR two years ago.
Figure 3. Different threats to web applications require multiple layers of defenses to mitigate them.
Some ports are more popular than others in DDoS attacks
Not all ports are created equal, at least from the standpoint of a DDoS attacker. The 2019 DBIR ranks ports that are associated with DDoS attacks. And the winners are:
- 389 Connectionless LDAP
- 53 DNS
- 123 Network Time Protocol
Figure 4. Comparison of ports in DDoS and honeypot attacks.
What do the top three ports have in common? They are all connectionless User Datagram Protocol (UDP) ports that are used in, and susceptible to, amplification attacks. This correlates with the rise of reflection attacks we saw in 2018, with some, such as the Memcached reflection attack against GitHub, grabbing global headlines. Memcached uses UDP 11211, which is ranked number 10 in the DBIR's list of DDoS ports.
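The common thread above, reflection off connectionless UDP services, is also what makes this traffic easy to pick out of flow telemetry on the defender's side: a target receives large volumes of traffic sourced from an amplifier port (389, 53, 123, 11211) from many distinct hosts without ever having sent matching requests. The following detector is an added example, not code from the DBIR or from the original post; it assumes NetFlow-style records already summarised per flow (source, destination, ports, protocol, bytes, packets), and the sample flows it runs over are constructed.

```python
"""Flag likely UDP reflection/amplification traffic in summarised flow records.

Added example; not part of the DBIR or the original post. Flow records and
thresholds are assumptions, and SAMPLE_FLOWS is constructed data.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    nbytes: int
    pkts: int


# Source ports named in the text: the DBIR's top three DDoS ports plus Memcached.
AMPLIFIER_PORTS = {389: "CLDAP", 53: "DNS", 123: "NTP", 11211: "Memcached"}

# Constructed sample: six CLDAP reflectors flooding 203.0.113.10, two unsolicited
# NTP responses to the same host, and one ordinary DNS exchange for 203.0.113.20.
SAMPLE_FLOWS = [
    *[Flow(f"198.51.100.{i}", 389, "203.0.113.10", 40000 + i, "udp", 3_000_000, 2_200)
      for i in range(1, 7)],
    Flow("192.0.2.7", 123, "203.0.113.10", 40101, "udp", 48_000, 100),
    Flow("192.0.2.8", 123, "203.0.113.10", 40102, "udp", 48_000, 100),
    Flow("203.0.113.20", 51234, "198.51.100.53", 53, "udp", 80, 1),
    Flow("198.51.100.53", 53, "203.0.113.20", 51234, "udp", 210, 1),
]


def detect_reflection(flows, min_reflectors=5, min_ratio=10.0):
    """Return alerts for (target, service) pairs that look like reflection floods.

    A pair is flagged when at least `min_reflectors` distinct hosts send from an
    amplifier port to the target and the inbound bytes exceed `min_ratio` times
    the bytes the target itself sent to that service (unsolicited traffic has an
    infinite ratio). Alerts are sorted by inbound volume, largest first.
    """
    inbound = defaultdict(lambda: {"bytes": 0, "pkts": 0, "reflectors": set()})
    requested = defaultdict(int)   # bytes the target sent *to* the service port

    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport in AMPLIFIER_PORTS:          # response-side traffic
            agg = inbound[(f.dst, f.sport)]
            agg["bytes"] += f.nbytes
            agg["pkts"] += f.pkts
            agg["reflectors"].add(f.src)
        if f.dport in AMPLIFIER_PORTS:          # request-side traffic
            requested[(f.src, f.dport)] += f.nbytes

    alerts = []
    for (target, port), agg in inbound.items():
        sent = requested.get((target, port), 0)
        ratio = agg["bytes"] / sent if sent else float("inf")
        if len(agg["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            alerts.append({
                "target": target,
                "service": AMPLIFIER_PORTS[port],
                "port": port,
                "reflectors": len(agg["reflectors"]),
                "bytes": agg["bytes"],
                "avg_pkt_bytes": round(agg["bytes"] / agg["pkts"]),
                "unsolicited": sent == 0,
            })
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The ordinary DNS exchange is not flagged because the target sent the query itself and only one responder is involved; the two NTP responses are unsolicited but come from too few hosts at the default threshold. Lowering `min_reflectors` trades fewer missed low-volume floods for more noise from legitimate multi-server NTP or DNS pools, so the thresholds should be tuned against a baseline of the network's normal traffic.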
A glimpse at industry verticals
The DBIR analyzes incidents and breaches for industry verticals, as defined by the official North American Industry Classification System. Keep reading for my perspective on security trends affecting three critical industries: Finance, Information, and Retail.
Finance: Phishing and credentials
About 40% of confirmed data breaches in the financial industry involved a mail server. Criminals used social engineering and phishing to trick users into providing their credentials. The compromised accounts were usually utilized to send phishing emails to colleagues. As such, phishing often precedes and follows email compromise.
The DBIR also highlighted that compared to the previous year, there was a significant uptick in the involvement of credentials in data breaches. At the same time, there was a significant decrease in payment information in these breaches.
While an overwhelming majority of breaches were financially motivated, it’s worth noting that 10% of breaches in the financial industry were related to espionage. If not money, what those thieves were after remains unknown.
It’s been said over and over again that two-factor authentication (2FA) should be standard for customer-facing applications, remote access, cloud-based resources, and other critical assets. Until this happens, data breaches will be a common occurrence for businesses of all sizes.
Information: DoS attacks, nation states, and cyberespionage
According to the U.S. government standard, the information industry consists of organizations involved in the creation, transmission, and storage of information, and it includes Hollywood. More than 60% of security incidents (not breaches) that affected this industry this year were denial-of-service attacks, a figure similar to the previous year’s. When it comes to confirmed data breaches, the top cause was misconfiguration errors (42%), followed by web app attacks (29%) and the newcomer, cyberespionage (13%). About 36% of external attackers were state-affiliated, the same percentage as organized crime.
When powerful, destructive attacks are distributed, the defenses should also be massive, distributed, and well-managed.
Retail: Payment cards and web applications
The DBIR reports a shift in fraudulent payment card activity away from physical environments, where a consumer presents a card to the merchant or a machine, toward online environments, also known as card-not-present transactions. Thefts happen where the money is, which is why criminals are increasingly after web server assets. More than 75% of the 139 retail industry breaches analyzed involve web applications, and 64% of the data compromised includes payment information. In related news, the percentage of breaches involving point-of-sale systems decreased tenfold between 2014 and 2018, while the percentage of breaches involving web applications increased twelvefold during the same period.
Figure 5. Comparison of card-present vs. card-not-present fraud.
Compliance with the Payment Card Industry Data Security Standard will continue to be important in coming years, but what is more important is to go beyond standard compliance to truly secure data from financially motivated external (81%) and internal (19%) threat actors.
It remains to be seen whether the upward trend of state-sponsored espionage will continue or fizzle out. But it is likely that we’ll see more of these types of attacks as tensions between nations continue. Add in ongoing web hacking and an increase in DDoS attacks, and it’s clear that any business seeking to protect its assets (financial and intellectual) and those of its customers must take a broad approach to cybersecurity. We must continue to rely on time-honored practices such as 2FA and timely patching, harden security with multilayer defenses, and instill a security mindset and a healthy dose of paranoia among employees to strengthen the human firewall.
Figure 6. Multiple layers of protection for web applications.