DBIR 2020 – Lessons learned from the misfortune of the collective
Hacking is the most common culprit for data breaches
It’s really interesting to see that 45% of breaches occurred due to hacking, and 22% via targeting a user or employee. This also correlates with that 22% were phishing attacks. The most common distribution initially is still via email, and the malware shipped is most frequently carried in office documents. This means that we as organizations must consider a few things for correct defense – blocking documents with active content, disallowing execution from the temporary email and browser folders, and keeping your users educated and security aware.
The data from this year’s report shows an alarming rate of credentials theft and social attacks including phishing and email compromises as the main causes of data breaches (67%), and if we break this down further, 37% of credential theft breaches used stolen or weak credentials of which 25% stemmed from a phishing attack with human error being a contributing factor at 22%. During Covid-19 our customers have reported a steep increase in the number of social engineering attempts targeting their staff, and many businesses are struggling with the age-old problem of security awareness and education amongst their workforce. As a top control creating a robust security awareness training program which every staff member must complete during on-boarding and take part in regular training as conditions change is crucial. This is particularly relevant now as more employees will continue to work from home post-pandemic.
Pro tip: The CIS framework lists hacking and red teaming as control #20 because this is not where companies start but mature their security journey. So, if you have matured through other controls/training and want to audit for this issue, the best way is using red teaming to emulate attacks based on those attacker patterns. A red teaming exercise will allow you to adapt, further and train staff to ensure that should a breach occurs you have taken preventative action to harden the network after an initial breach.
Application security is an organization-wide issue
Where data breaches are occurring is also interesting. 43% of breaches involved web applications and 90% of attacks were attributed to “hacking” targeting the web application layer from weak, default or stolen credentials to exploit usage. This is currently one of the most important areas for organizations to protect their critical assets, networks, and their customers’ and employees’ data. But with 31% of companies admitting to prioritizing speed to market over security standards from our own research, it’s no surprise that web applications are so frequently targeted by hackers.
The report results show a two-fold year on year increase in web application breaches to 43% overall with breaches in the Education and insurance sectors reaching a staggering 81% of breaches from web apps. With stolen credentials being used in over 80% of overall cases - a worrying trend as some businesses are moving their critical apps to the cloud, making it even more complex to secure. Ransomware also saw a slight increase, found in 27% of malware incidents with varieties including functionality and ‘capture app data’ to steal data through open app pathways like outdated software to plant and spread ransomware and lock away key data for financial gain.
It’s interesting to note that credential stuffing attacks and credential leaks do not entirely correlate - the attackers will incorporate the information into their attacks, but credential stealing attacks are a constant ongoing plague and threat which is used for credential stuffing. So, don’t expect credentials stuffing attacks are the cause of a privacy breach, it’s better to have measures in place to prevent these before and expect them to become slightly more encompassing each time. The key to reducing this risk is to ensure stolen credentials are worthless in relation to your entire infrastructure and multifactor authentication is in place to protect every layer of your technology stack.
Continuously reviewing your security of web applications and the servers they run on is essential as this would have prevented a great amount of these attacks. Implementing application security controls to check for common vulnerabilities such as OWASP Top 10 and WASC could prevent brute force access attempts, and for the more critical apps this should not be a once a year check, it should be a continuous and automated undertaking to ensure your data is protected at any given time.
Pro tip: For most organizations today it’s extremely hard to keep track of all assets and data across different systems and different teams (DevOps, Operations, IT etc), and it’s cost preventative to pen test everything and pre-emptively patch for all new web applications. Our recommendation for mission critical apps or those operating in highly regulated industries where you process sensitive personal data is to consider what we call ‘continuous pen test’, a pioneering application security testing service that continually scans the web app, detects code changes, assesses business logic errors with manual testing and provides guided solutions and DevOps integration to help customers remediate critical vulnerabilities in the shortest time. Learn more here.
Cloud misconfiguration is a gift that keeps on giving (to attackers)
24% of breached servers were cloud hosted systems, including recent examples including a breach of an Amazon cloud where 30GB of credit application data was stolen by a hacker in July 2019. This shows rather clearly that the shift to this new technology with its streamlining of release and deploy, comes with associated security challenges. There is also an interesting correlation between automated deployments and the increased prevalence of misconfigurations as it becomes the most common cause for breaches and a prime target for cyber-attackers.
Misconfigurations are often discovered by external security researchers, unrelated third parties or customers, making it an easy target for hackers. While an unprotected database doesn’t classify as a breach when reported by an employee or found by internal audits, it’s still a cause for concern as 80% of misconfigurations could be detected by external observers and hence should have been detectable by basic controls or monitoring in place.
At the basic level, you must audit assets (cloud workloads) running in cloud environments as well as the configurations of the IaaS provider. Various benchmarks such as those provided by CIS and CSA are good starting points. This again is part of keeping your perimeter safe, and we can help you run automated audits and check for risks, misconfigurations and vulnerabilities.
Pro tip: If you operate in a hybrid or multi-cloud infrastructure running individual checks for each of your public cloud environment is a huge resource drain. That’s why we recommend customers to use automated cloud assessment tools that allows comparison of risk across all major cloud providers (AWS, Azure, Google Cloud, Docker and Kubernetes etc) to homogenize the security controls and reduce the time and effort to maintain shared responsibilities and remediate.
Security siloes give hackers the advantage
Once attackers are in, they usually do not execute advanced multi-step attacks. So, when data from an application or database is stolen, most attackers needed less than 4 steps into the organizations to carry out their mission (or devastation). Every step an attacker needs to take is another opportunity for organizations to detect and contain, and thereby a chance at stopping them. But the truth is: hackers have the advantage. Most organizations strive to break down their complex IT infrastructure to simple components (devices, networks, applications, users etc) that they can be individually managed and secured, often by different teams, while hackers thrive on complexity and see opportunities in the whitespace between organizational siloes and security controls.
For example, avoid using accounts which have domain administration privileges when commissioning laptops, to prevent breaches of such credentials or permissions – this means that an incident targeting a laptop has less chance to, without further hacking, lead to the compromise of the domain and other key systems. This shows the importance of not just protecting the perimeter, companies need to inventorize all systems, devices, applications on the networks as well as review their hardening and configurations as a whole. You ought to ensure that you have full visibility and track assets on all things that can lead to your networks. Remember that a DMZ is a zone where devices are not to be trusted to trust each other, or a vulnerable web application can open door for hackers to infiltrate the infrastructure that it sits on.
Pro tip: Vulnerability management should go beyond infrastructure assessment, as user permissions, data permissions and hardening is not just a question about holding the perimeter – the first breach will come via a web application, an exposed vulnerable device, or via an unfortunate user mistake. Centralize the monitoring, inventory and vulnerability scanning of your entire technology stack will give you the insights to identify the ‘whitespace’ that hackers see, and be able to put the necessary security controls, such as patching and hardening, to eliminate the open attack paths. So don’t get stuck in point assessments and forget the bigger picture, and make sure your toolsets are catered for full stack security testing across networks, devices, web apps, cloud and data.
Final words: prevention is your best defense, don’t fight hackers head on
The report as always has been an excellent read. If we look to the facts, we can also correlate them back to a set of rather simple, easy to implement solutions that would prevent the larger amounts of breaches. In all given situations, preventive action rather than a ‘head in the sand’ reactive approach is vital, just as shifting left for software development makes a bug cheaper to resolve. Remember hackers regularly target and succeed in attacking outdated systems with known vulnerabilities, therefore proactive identification of dangerous threats like misconfiguration issues or missed privileges through automation and continuous scanning can help to make resolving a risk cheaper than fixing a costly data breach incident.
As patching has matured, the shift of focus towards web applications and users, and the targeting of cloud and data, are challenges we are stepping up to resolve. SaaS security testing tooling like ours supports businesses of all sizes and industries to level the playing field with hackers, by utilizing advanced intelligence to create robust detection and effective response strategies before an attack can happen. If more organizations are willing to take the concept of cyber hygiene more seriously and have a continuous vulnerability assessment platform in place that uses integration and automation, we will start to see a fall in data breaches from the DBIR report and might even become history. So if you and your organization also believe in getting the basics right is the best defense and cheapest way to avoid data breach - talk to us and get started with optimal cyber hygiene.