The 10th edition of the Verizon Data Breach Investigations Report has been published, and familiar issues are still rearing their ugly heads.
People are still clicking on malicious links in emails and opening malicious attachments. Worryingly, a quarter of those who make that mistake go on to do it again. Combine that with a failure to keep software patched and still allowing Office applications to run macros, and the Bad Guys are still able to lock up computers with ransomware, steal information (including passwords), or gain remote control of systems. The incidence of ransomware is growing at 50% year on year, Verizon security solutions consultant Aaron Sharp told iTWire.
In Australia, there is "a huge amount of ransomware," said senior consultant Chris Tappin, and it is becoming more complex. Traditionally, it has been delivered in emails, casting a wide net by purporting to be from organisations such as the ATO or Australia Post. Recently, the attacks have become more targeted. US healthcare organisations are a good example of this trend, as they can afford to pay larger ransoms and are highly motivated to resolve the matter quickly.
Another threat that has become locally significant is banking trojans that specifically target business banking, Tappin told iTWire. To improve internal security, organisations often have one person create transactions and another approve them. The scam is carried out by stealing online banking credentials and then altering the payment details after the transaction has been created but before it is approved, so the approver releases a payment to the attacker's account. "Two-factor authentication is a reasonably simple control" for this problem, he said.
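The maker/checker flow described above, simulated as an added example (this is not code from the article or from Verizon). It compares two ways of applying a second factor to the approval step: one where the second factor only protects the approver's login, and one where the approver's token computes a code over the beneficiary and amount the approver read from the invoice, so the bank can detect that the stored payment no longer matches. The key, the payee details and the trojan's behaviour are all constructed for the example; the point it adds to the text is that the second factor has to be bound to the transaction details, not just the session, to stop this particular alteration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional

# Key shared between the bank and the approver's second-factor token.
# Constructed for this example; a real token keeps it in tamper-resistant hardware.
APPROVER_TOKEN_KEY = b"example-approver-token-secret-do-not-reuse"


@dataclass(frozen=True)
class Payment:
    payee: str
    bsb: str
    account: str
    amount_cents: int
    reference: str


def canonical(p: Payment) -> bytes:
    """Serialise the fields that matter in a fixed order, so the token and the
    bank always hash byte-identical input for the same payment."""
    fields = {"payee": p.payee, "bsb": p.bsb, "account": p.account,
              "amount_cents": p.amount_cents, "reference": p.reference}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def token_code(intended: Payment, key: bytes = APPROVER_TOKEN_KEY) -> str:
    """What the approver's token computes after the approver keys in the
    beneficiary and amount from the invoice. The code is an 8-digit truncation
    of an HMAC over the canonical payment, so it is only valid for those exact
    details (this is the assumed token design, not a specific product's)."""
    mac = hmac.new(key, canonical(intended), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_release_login_2fa(stored: Payment, approver_logged_in: bool) -> Optional[Payment]:
    """Login-only 2FA: once the approver has authenticated, 'approve' releases
    whatever payment the bank currently holds. A trojan that edited the
    beneficiary before this step gets paid."""
    return stored if approver_logged_in else None


def bank_release_transaction_2fa(stored: Payment, code: str,
                                 key: bytes = APPROVER_TOKEN_KEY) -> Optional[Payment]:
    """Transaction-bound 2FA: the bank recomputes the code over the payment it
    actually holds and releases only if it matches what the approver's token
    produced from the intended details."""
    expected = token_code(stored, key)
    return stored if hmac.compare_digest(expected, code) else None


def trojan_edit(p: Payment, mule_bsb: str, mule_account: str) -> Payment:
    """Constructed attacker behaviour: keep payee name, amount and reference so
    the approver's screen looks right, but redirect the funds."""
    return replace(p, bsb=mule_bsb, account=mule_account)


def run_scenario() -> dict:
    # Constructed sample data: a genuine supplier payment and the trojan's edit.
    genuine = Payment("Acme Supplies Pty Ltd", "062-000", "12345678", 485000, "INV-10042")
    tampered = trojan_edit(genuine, "012-003", "99887766")  # what the bank now holds

    # Approver protected only by login 2FA simply clicks approve.
    login_only = bank_release_login_2fa(tampered, approver_logged_in=True)

    # Approver with transaction-bound 2FA keys the invoice details into the token.
    code = token_code(genuine)
    bound_tampered = bank_release_transaction_2fa(tampered, code)
    bound_clean = bank_release_transaction_2fa(genuine, code)

    return {
        "login_only_paid_mule": login_only is not None and login_only.account == "99887766",
        "bound_rejected_tampered": bound_tampered is None,
        "bound_released_genuine": bound_clean == genuine,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Because the token's input is what the approver read from the invoice rather than what the compromised browser displays, the check holds even if the trojan also rewrites the confirmation screen; what it cannot defend against is an approver who keys in details from an already-fraudulent invoice, which is the business email compromise case discussed later in the article.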
Returning to the question of passwords, it seems there are still too many people using weak or easily guessed passwords. Part of that can be sheeted home to password re-use: "if you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers' devices are concerned," says the report. Again, two-factor authentication can help.
Encryption is often put forward as a way of protecting data on lost or stolen devices, but according to the report the majority of confirmed breaches involving physical theft or loss were of hardcopy documents, which encryption does nothing to protect. So Verizon recommends organisations discourage the printing of sensitive data as well as encouraging or requiring the use of encryption.
Sometimes breaches occur by mistake. Local examples include paper medical records being sent to the tip instead of being destroyed, and non-redacted (or improperly redacted) documents made available on web sites. Verizon suggests the enforcement of formal procedures for the disposal of anything that might contain sensitive data, and making sure that a second person reviews information before it is published.
When insiders deliberately take data, it's most likely in the hope of turning it into cash. But significant minorities want to take it to a new employer or to their own startup, or — especially in the healthcare sector — are just being nosy. However, there is a conflict between the desire to protect privacy and to ensure that clinical information is quickly accessible, especially in emergency situations. "You really need to strike a balance, and it isn't always easy," observed Sharp.
Different industries face different challenges. Understandably, the hospitality industry sees a lot of point of sale breaches (most commonly by organised crime), while the education sector is often targeted by "state-affiliated actors" seeking intellectual property or personal information about staff or students. "Information security should be a priority for the Australian education sector," said Tappin.
Financial institutions face denial of service attacks (they are big targets that lose face and money when customers cannot transact normally), and healthcare faces the unique problem of insiders being responsible for a slight majority of breaches.
"While attackers are using new tactics and tricks, their overall strategies remain relatively unchanged," observes Verizon.
One issue relatively new to the threat landscape is business email compromise. This includes tricks such as emails purportedly from the chief executive or chief financial officer asking for urgent payments to be made via wire transfer or similar channels.
In general, "cyber crime doesn't recognise national barriers," said Sharp. The incidence of different types of breach varies more by industry than by geography. One exception is that the US's low adoption of chip and PIN cards means that country has a relatively high incidence of POS-related breaches.
While recent changes to the Privacy Act require larger businesses to disclose breaches, 61% (and growing) of Australian breaches occur in small businesses, which are generally exempt from the disclosure rules, Sharp observed.
So what needs to be done? Sharp put prompt patching and the development of user awareness at the top of his list. With the right education, users can be a real asset, he said, pointing to one major bank where a sizeable proportion of phishing attacks are detected by "human sensors."
Tappin added the need to check that users' privileges are appropriate — "a quick and cheap mitigation" — and to walk through the organisation's response plan to make sure it will work. For example, do all the roles with a part to play in a response still exist, and are the incumbents aware of their responsibilities? Are suppliers and service providers still able to do the work that the plan envisages?
He also suggests that people should not let themselves become overwhelmed by security statistics; the important thing is to make your organisation less of a target than others.
That said, we'll close with a few key statistics from the report:
25% of breaches involved internal actors.
24% of breaches affected financial organisations, followed by healthcare (15%) and retail and accommodation (15%).
51% of breaches included malware, and 66% of malware arrived by email.