Key Takeaways From Verizon’s 2021 Data Breach Report
If you haven’t combed through all 119 pages of Verizon’s 2021 Data Breach Investigations Report, that’s understandable. However, the report contains valuable insight for compliance professionals, so ADCG pulled out the relevant takeaways, like the fact that banks are the most commonly discussed target in hacker forums and marketplaces, and that financially motivated cybercrime is on the rise.
Overview
This year, Verizon analyzed over 79,635 cybersecurity incidents, 5,258 of which were confirmed data breaches, from 88 countries around the world.
Of the numerous trends observed in the report, here are a few standouts:
85 percent of breaches involved a human element
61 percent of breaches involved credentials
Financial losses were experienced in 58 percent of business email compromises, 24 percent of computer data breaches, and 10 percent of ransomware incidents
Organized criminals are, by far, the most common type of actor in breaches
Financially motivated attacks are the most common type of attack
Espionage has become a less common motive in recent years, while financial motives are becoming more common
“Bank” is the most common term in criminal forums and marketplaces
However, the most valuable insight the report contained was how to adjust your strategy to account for various types of attacks. Before you go through the report yourself, here are some points to consider:
Social Engineering Attacks are Most Successful
The key to understanding Verizon’s report is knowing the difference between an “incident” and a “breach.”
An incident is “a security event that compromises the integrity, confidentiality or availability of an information asset,” while a breach is an “incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.” Simply put, most attacks are incidents, but only successful ones are breaches.
Of the confirmed breaches, 33.5 percent were social engineering attacks, where individuals are manipulated into disclosing confidential or personal information. This made it the most common type of breach, followed by basic web application attacks (26.2 percent) and system intrusion through malware or hacking (18.3 percent).
The vast majority of social engineering breaches involved phishing, although a good portion of them utilized pretexting, where attackers fabricated a scenario in order to lure victims into divulging information.
Cloud-based email servers were the target of choice. These types of attacks often resulted in the loss of credentials, which were then used to fuel future hacking or malware attacks.
One of the more concerning stats in the report is that, while click rates in phishing simulations are going down, the vast majority of social engineering attacks were discovered externally, either through a monitoring service, law enforcement, or actor disclosure. Fewer than 20 percent of incidents were reported by an employee.
To address these concerns, your team should build a more robust infrastructure through which employees can submit their suspicions of security incidents, and provide training on how to effectively identify potential social engineering attacks. Phishing simulations seem to be effective, but only when they build a greater culture of skepticism and zero-trust towards situations where employees are asked to hand over credentials and other personal and/or confidential information.
The fact of the matter is that employees continue to make mistakes that cause incidents or breaches. Rather than putting the onus on them to use their best judgment, implement an authentication measure employees can use to verify the legitimacy of any request for credentials. Ensure that employees know whom to report to when inquiring about a potential attack and that there is a clear channel of communication between department heads and security teams.
Denial of Service Was the Most Common Type of Incident…But Don’t Worry Too Much
Of the 29,206 incidents that met Verizon’s quality standards for evaluation, 49.1 percent were denial of service (DoS) attacks intended to compromise the availability of networks and systems. This made it the most common type of incident, followed by basic web application attacks (16.6 percent) and social engineering (13.2 percent).
Despite the frequency of DoS attacks, only four of these attacks resulted in confirmed data disclosure. This is because these attacks are one of the easiest threats to mitigate successfully, and can be effectively dealt with through a subscription to a DoS mitigation service.
For this reason, you should set your sights on these other types of attacks when adapting your security program to evolving threats.
Some Web Application Attacks Can Be Super Simple
This category encompasses web application attacks that involve very few additional actions or steps after the initial web-application compromise. These account for 26.2 percent of all breaches.
These types of attacks almost always involve some sort of hacking of servers. This can involve the use of stolen credentials and brute force through a web application vector in order to compromise either web apps or mail servers. When mail servers were compromised, 96 percent of them were cloud-based. Unfortunately, there is no way to predict when such attacks will happen or how regular they will be; 95 percent of organizations that experienced such attacks suffered between 637 and 3.3 billion attempts.
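The paragraph above names stolen credentials and brute force as the main web-application vector but says nothing about how a defender would notice either in a login log. This added example (not from the report or from ADCG) runs a small detector over constructed authentication log lines in a hypothetical "src_ip user outcome" format, and separates a brute-force pattern (many failures against one account from one source) from a credential-stuffing pattern (stolen credentials tried once each against many accounts from one source), flagging when such a run is followed by a successful login.

```python
"""Flag brute-force and credential-stuffing patterns in web-app login logs."""
from collections import defaultdict

# Constructed sample log, not real data: "source_ip username outcome" per line.
SAMPLE_LOG = """\
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
198.51.100.9 bob FAIL
198.51.100.9 carol FAIL
198.51.100.9 dave FAIL
198.51.100.9 erin FAIL
198.51.100.9 frank OK
192.0.2.4 grace FAIL
192.0.2.4 grace OK
"""


def parse(log_text):
    """Turn the hypothetical log format into (src, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, outcome = line.split()
        events.append((src, user, outcome))
    return events


def classify_sources(events, fail_threshold=5, distinct_user_threshold=4):
    """Per source IP: 'brute_force' when one account sees many failures,
    'credential_stuffing' when failures are spread thinly across many accounts,
    otherwise 'benign'. A later success from a flagged source is appended as
    '_with_success', since that is the case that needs immediate attention."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                   # src -> users that logged in
    for src, user, outcome in events:
        if outcome == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)
    verdicts = {}
    for src, per_user in fails.items():
        if max(per_user.values()) >= fail_threshold:
            verdicts[src] = "brute_force"
        elif len(per_user) >= distinct_user_threshold:
            verdicts[src] = "credential_stuffing"
        else:
            verdicts[src] = "benign"
        if verdicts[src] != "benign" and successes[src]:
            verdicts[src] += "_with_success"
    return verdicts
```

Thresholds are illustrative; in production they would be tuned per application and combined with rate limiting and MFA rather than used as the only control.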
Less common were attacks that involved the exploitation of vulnerabilities in web apps, where criminals would either attempt to repurpose the app for malware distribution, install malware for future attacks or deface the app.
Beware of System Intrusion
This category encompasses more complex attacks than social engineering, accounting for 14.5 percent of all breaches. Seventy percent of these breaches involve some type of malware, such as ransomware or Magecart, and 40 percent involve hacking, most often the use of stolen credentials and brute force attacks.
The report notes an increase in the prevalence of ransomware in attacks, with 5 percent of total incidents and 10 percent of all breaches involving ransomware. This upward trend is likely because actors have started publishing the data they steal, instead of just encrypting it. In 60 percent of cases, the ransomware was directly installed through desktop sharing apps, while email, network propagation, and other malware accounted for the rest.
Since ransomware is as common as ever before, it’s wise to adjust your budget accordingly. The financial impact of these attacks will vary, but 95 percent of incidents had an impact between $69 and $1.5 million. Other expenses to look out for when budgeting involve legal guidance (between $806 and $53,961) and forensics (between $2,402 and $336,499), while business email compromises ran organizations between $250 and $985,755 and the cost of computer data breaches sat between $148 and $1.6 million.
Magecart attacks are where attackers exploit a vulnerability before using stolen credentials to access the code of an eCommerce website that processes credit card data. This causes the data to land in the attacker’s servers, as well as the intended endpoint, allowing it to go largely undetected. In fact, 65 percent of all system intrusion cases involved payment cards in some way. However, attackers are less likely than they were in the past to target payment data directly; now they more frequently target data that impacts the victim organization’s operations in order to secure ransomware payments.
Forty percent of the malware cases that weren’t ransomware involved C2, Trojans, or downloaders. Thirty percent of the time the malware was directly installed by the actor, 23 percent was sent by email, and 20 percent was dropped from a web application. When crafting your cybersecurity strategy, be sure that you have a clear way to defend against these three major entry points.
Employees Still Misuse Their Data Privileges
About 4.2 percent of breaches were a result of colleagues or employees abusing their access to data in order to either steal data they weren’t authorized to take or use the data in unauthorized ways. Unsurprisingly, 99 percent of these attacks were committed by internal actors, although partners were occasionally at fault.
Most perpetrators of privilege abuse were financially motivated, whether they were trying to sell the stolen data or access it in order to start a competing business or benefit their next employer. Much less common were people who did it as a joke or stunt, and even rarer were those who acted on a grudge against their employer.
These attacks are more likely than others to go unnoticed for years, which underlines the necessity of implementing adequate detective controls.
Lost and Stolen Assets Can Also Lead to Breaches
About 1.6 percent of breaches were due to the theft or misplacement of an asset that contained personal, medical, bank, or other types of sensitive information. While 87 percent of these attacks involved external actors, such as a thief stealing the relevant device, 17 percent involved internal actors, such as employees or partners.
Even though more incidents were due to error than theft, the implications for organizations are largely the same regardless of whether a device was accidentally misplaced or deliberately stolen; the device must be remotely wiped either way. Make sure your employees are provided with a means to easily report any lost or stolen assets to your organization.
Look out for other “miscellaneous errors” that can lead to breaches, such as misconfiguration of database assets and employees sending data to the wrong recipients. Create a culture where employees feel comfortable being upfront about such mistakes so your organization can get to work on mitigating the risks as soon as possible.