Security / May 3, 2017

Musings on the “Hopeful” Verizon’s 2017 Data Breach Investigations Report

Verizon’s 2017 Data Breach Investigations Report begins with a Pliny the Elder quote, “Hope is the pillar of the world.”

It’s an odd choice for a publication whose readers inhabit an industry that focuses more often on doom and gloom than optimism and whose purpose is to detail confirmed breaches and not exactly success stories. And yet, a spirit of optimism is part of our work as security professionals (why else would we keep doing this?) and the esprit de corps the report suggests is undeniable.

Pliny the Elder is also an intriguing choice to speak for our industry; and yet, upon reflection, a fitting one. An eccentric, private, and conservative man, he was also a scholar, philosopher, and general who, if memory serves, died attempting to save a friend during the eruption of Mount Vesuvius that destroyed Pompeii. I think, had he lived in today’s world, he would have made an excellent cybersecurity practitioner and member of our tribe.

For those of us in the industry, the report held no new surprises. In fact, it’s almost depressing how similar the results were to previous years. Of the almost 2,000 breaches analyzed, 88% were accomplished with very basic attack vectors that likely could have been prevented with the most rudimentary of interventions, awareness training or adherence to basic cyber-hygiene. Even non-security folks shouldn’t be surprised to read that 66% of malware attacks were installed via malicious email attachments and that 73% of breaches were financially motivated. Still, while not much was new, there remains quite a bit to learn, and I appreciated the report’s new and insightful vertical-focused format.

Here, for your review, are my notes and observations:

Who’s behind the attacks?

While the opening charts may indicate an increase of roughly 12% in internal actors over the previous year, a deeper dive into the numbers shows this is due more to the fact that fewer external actors appear to be represented. This is an interesting and surprising trend that certainly bears more consideration and investigation. The clear majority of breaches, at 75%, continues to involve external actors. Further, and likely not surprising to anyone in the industry, 51% of breaches involved organized criminal groups.

What tactics do they use?

While the top mix of tactics identified was similar to previous years, the percentages of overall breaches they represented are interesting to note: 62% featured hacking, 51% involved malware, 81% involved stolen or compromised credentials and 43% involved social engineering. For the most part, I suspect many of these breaches were the result of a combination of 3-4 of these tactics. However, I’m quite surprised that malware was not a driver behind a greater percentage overall and, at the same time, not at all surprised that credentials continue to be such a huge problem.

Who are the victims?

Financial, healthcare and public sector organizations accounted for more than half of the breaches covered by the report while retail and accommodation combined to only account for 15%. These numbers may be somewhat misrepresentative of the current climate as the top sectors identified are also the most regulated and, therefore, much more likely to have reported a breach.

This year’s biggest victims were in the Information industry itself with Web portals being the hardest hit. Non-retail websites used by millions of consumers who log in with single-factor authentication and provide personal information such as names, addresses, etc., are of particular interest to cybercriminals due to the large volumes of credential and identity data that can be obtained by means of a single breach. And you certainly didn’t have to be in the cybersecurity industry to have heard of the “newsworthy” hacks at Yahoo and others that make up a significant portion of this reported trend.

Accommodation
Hotel breaches have been widely reported this past year, as have restaurant breaches (now also included in the hospitality category). This is significant to me in that it clearly demonstrates how smaller businesses without IT departments and with little-to-no security expertise continue to become targets of opportunity. No one is too small to be a target anymore. Point-of-sale attacks continue to be “absolutely rampant” in this industry, and with good reason: smaller businesses in this category, such as your local pizza place, accept payment cards too, and while their transaction volumes may not be as significant as those of a major hotel chain, they are easy to hack and carry very little risk of detection and attribution.

Education
The education industry has incredibly unique requirements when it comes to cybersecurity. By their very nature, educational institutions need to be both open to allow for academic freedom and highly secure as custodians of valuable personal information of students and intellectual property of researchers. As one university CIO I know always notes, “Every September, we take on a whole new cohort of 10,000 aspiring and amateur hackers.”

Cyber-espionage continues to be the motivation behind a considerable portion of the attacks directed at this industry, comprising 26% of breaches. Miscellaneous errors come in at a close second, which is significantly higher than most other industries and likely related to the openness of the culture and large number of students who have various degrees of access to sensitive information and systems. I, for one, recall being hired as an undergrad by professors and the university’s IT department to perform work that I was wildly unqualified for at the time, but at an hourly rate that was well within their limited budgets.

The report’s data indicates that state-affiliated actors appear to have heavily targeted educational institutions, with phishing and social engineering being the most common attack vectors. Further, the data indicates that DDoS attacks continue to plague the education industry. I, again, can attest to this, having seen countless incidents of it in the field this past year.

Financial and Insurance

Once again, in financial and insurance, denial of service, Web application attacks and payment card skimming represent the lion’s share of attack vectors, with 88% of all security incidents falling within the financial services sector. The motivation for these attacks is noted as being 96% financial, which, given the targeted industry, should come as no surprise.

The report takes special note of insider threats and, in particular, fraud. This, too, correlates with my own observations of activity in the field as more and more financial services organizations are investing in solutions that far exceed regulatory compliance to ensure consumer confidence.

Healthcare
The healthcare industry, needless to say, has had a bad year when it comes to breaches. Privilege misuse, errors and physical theft and loss represent 80% of the breaches in this sector, with a distribution of threat actors of 32% external, 68% internal and 6% partner.

The vast majority of motives are attributed to financial gain at 64%. However, in this sector, we also see 23% attributed to fun and 7% to grudges—a disturbing trend that speaks to the need for more security awareness training and policy enforcement within healthcare organizations.

Ransomware attacks are not counted as breaches for the purposes of the report, but the report does indicate that they account for 72% of malware incidents in the healthcare industry.

Information
Other than healthcare, I can’t think of an industry that was harder hit or used up more ink in the media than breaches related to information companies. Denial of service and Web application attacks (especially related to portal sites) as well as crimeware represented 90% of security incidents, with 97% attribution to external actors.

Breaches in the sector were primarily related to credentials and personal data, with the membership of the various affected sites sometimes measuring in the millions. However, because the information breached in these attacks is typically considered less sensitive than regulated data, site admins and organizations may simply opt to notify users and force password changes rather than implement more stringent two-factor authentication protocols or other security measures that may impose friction on the overall use of their sites by consumers.

Manufacturing
Cyber-espionage conducted by external actors once again dominates the manufacturing industry report this year, with 90% of breaches referencing trade secrets. Most of these attacks appear targeted rather than opportunistic and perpetrated by state or state-sponsored actors. The vast majority also appear to be “low and slow” in nature, with threat actors penetrating manufacturers’ networks and doing their utmost to remain undetected so as to be able to slowly siphon off as much valuable intellectual property as possible.

Public Administration

Cyber-espionage basically summarizes this industry’s section of the report with state-affiliated actors comprising more than half of all attacks. Much like the manufacturing sector, attackers seek to remain undetected. However, in the case of public sector breaches, many go undetected for much longer periods, sometimes even years.

As the government is required to report incidents, the report contains significant data related to this industry, but most indicators remain constant from the previous year’s report. It should be noted though that due to the sheer length of time it takes to discover breaches in the public sector, the data must be considered as a lagging indicator when compared to other industries.

Retail
Denial-of-service attacks were rampant, representing 80% of hacking incidents. The other main focus was e-commerce sites. Credentials stolen via phishing attacks were the main attack vector in this area and the sheer number of unwanted messages that ended up in my spam folder this past year would certainly validate these findings.

Brick-and-mortar endpoints continue to suffer breaches by means of credit card skimmers at gas pumps and ATMs while, surprisingly, point-of-sale breaches were down considerably this year.

Why this report is so worth studying each year

While the data presented is often heavy on percentages and the commentary can be humorous from time to time, what makes this report so valuable to me as a security professional is two-fold.

First, it validates many of my assumptions and direct observations and brings credibility to both. Second, it often contradicts my assumptions and direct observations and prohibits complacency in my thinking.

I found the new format to be quite informative. Often, when working in specific verticals, I would only read the related reports. The new format demonstrates clearly that there is much to learn from studying the trends taking place in other industries, the similarities and, more importantly, the differences.

To learn more, check out the executive summary and full copy of the Verizon 2017 Data Breach Investigations Report, 10th Edition.
