Protiviti Perspective: Verizon 2020 Data Breach Investigations Report

Security data nerds look forward to the annual release of the Verizon Data Breach Investigations Report (DBIR). The report contains a breakdown of the prior year’s security incidents and breaches and provides trending data that mature security programs can benchmark against. One of the surprises in this year’s report is that organizations are discovering 60 percent of data breaches in days or less and containing 80 percent of breaches in the same timeframe. Verizon attributes this largely to more breaches being detected by managed security providers, not necessarily to an improvement in organizations’ own internal detection and containment capabilities.

Social Engineering 

Social engineering continues to lead the threat actions in data breaches, with phishing the overwhelmingly preferred method at 96% of social engineering actions. A successful phishing campaign gives threat actors the credentials and information they need to get into an environment and achieve their goals, be it data exfiltration, establishing a foothold or destruction. Exploiting users continues to be a successful tactic because organizations do not implement systemic safeguards and controls around those users. Yes, awareness campaigns are essential; however, they are never 100% effective. Organizations need to ensure the following controls are appropriately implemented within their environment:

  • Multi-Factor Authentication (MFA) on all publicly exposed applications and services, without exception. Microsoft reports that MFA blocks over 99.9 percent of automated account compromise attacks, and with MFA in place, knowing or obtaining a password alone is not enough to gain access to a system. One caveat: push-based and one-time-code MFA can still be defeated by real-time phishing proxies that relay the code, so prefer phishing-resistant methods (FIDO2/WebAuthn or certificate-based) for privileged and remote-access accounts.
  • E-mail banners that identify and notify recipients when e-mails originate from outside of the organization. In Microsoft Office 365 a basic banner is a native mail flow (transport) rule that prepends a disclaimer to messages from senders outside the organization, and it can be set up in a few minutes. Banners are most useful against display-name spoofing and lookalike domains, where a message is external even though it looks internal.
  • Spam filters are table stakes in any organization, and phishing filters are quickly following suit. These solutions use threat intelligence to identify phishing attempts and block the messages before delivery. A critical capability is an easy one-click button that lets users report suspicious messages to the security operations center. Organizations should also consider automating the removal of identified spam and phishing campaign e-mails from all users’ mailboxes once a campaign is confirmed, because the first report usually arrives after the same message has already landed in many inboxes.
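The banner control above, as an added example that is not Protiviti’s or Microsoft’s code: the same check an Exchange Online mail flow rule makes, written against the Python standard library so it runs offline. It tags a message as external when either the visible From address or the envelope sender (Return-Path) is outside the organization’s domains, which is what defeats display-name spoofing. The ORG_DOMAINS set, the banner wording and the three messages are constructed for the example.

```python
"""External-sender banner, stand-alone (added example, not production code)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the domains the organisation sends mail from (constructed).
ORG_DOMAINS = {"example.com", "corp.example.com"}

BANNER_TAG = "[EXTERNAL]"
BANNER_TEXT = (
    "CAUTION: This email originated from outside the organisation. "
    "Do not click links or open attachments unless you recognise the "
    "sender and know the content is safe."
)


def sender_domain(header_value) -> str:
    """Domain of the addr-spec in a From or Return-Path header.

    parseaddr() drops the display name, so '"CEO (example.com)" <ceo@evil.example>'
    yields 'evil.example' even though the display name looks internal.
    """
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """True unless every sender identity belongs to an organisation domain.

    Both the visible From and the envelope sender (Return-Path) are checked,
    so a forged internal From with an external bounce address is still
    tagged; a message with no parseable sender at all is treated as external.
    """
    domains = {sender_domain(msg.get("From")), sender_domain(msg.get("Return-Path"))}
    domains.discard("")  # a missing header contributes nothing
    return not domains or not domains <= ORG_DOMAINS


def apply_banner(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message; if external, prefix the Subject with the
    tag and the text/plain body with the banner. Both steps are idempotent so
    forwarded or replied-to mail does not accumulate tags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(BANNER_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{BANNER_TAG} {subject}".strip()
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:  # HTML-only or attachment-only mail gets the subject tag only
        text = body.get_content()
        if not text.startswith(BANNER_TEXT):
            body.set_content(BANNER_TEXT + "\n\n" + text)
    return msg


def tag_message(raw: bytes) -> dict:
    """What the recipient would see after the banner rule ran."""
    msg = apply_banner(raw)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "external": is_external(msg),
        "subject": str(msg.get("Subject", "")),
        "body": body.get_content() if body is not None else "",
    }


# Constructed sample messages (not captured traffic).
INTERNAL_MSG = b"""From: Alice <alice@example.com>
Return-Path: <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Noon?
"""

# Display-name spoofing: the name looks like the CEO, the addr-spec is external.
SPOOFED_MSG = b"""From: "CEO (example.com)" <ceo@evil.example>
Return-Path: <bounce@evil.example>
To: bob@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice today.
"""

# Forged internal From header with an external envelope sender.
FORGED_FROM_MSG = b"""From: helpdesk@example.com
Return-Path: <x7@mailer.evil.example>
To: bob@example.com
Subject: Password expiry
Content-Type: text/plain; charset="utf-8"

Your password expires today.
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, SPOOFED_MSG, FORGED_FROM_MSG):
        print(tag_message(raw)["subject"])
```

The Return-Path check matters because the header From is attacker-controlled text; a gateway that only looks at it will pass a forged internal sender. A real gateway would also consult SPF/DKIM/DMARC results before trusting an internal-looking From at all.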

Errors in Configuration 

The only action type leading to a breach that is consistently seeing year-over-year gains is the error action, which now ranks third behind hacking and social actions. Misconfiguration is the most common variety of error, and the vast majority of these misconfigurations are discovered by external parties (e.g., security researchers, customers) rather than by the organization itself. Organizations of all sizes need to embrace configuration management and continuous compliance scanning to detect and remediate configuration drift. Unfortunately, configuration management is almost always a shared responsibility between IT, security and developers. Further complicating matters is the level of maturity required for an organization to establish secure baselines, detect drift and automate remediation. Some key items to consider in addressing this area: 

  • Configuration management is more than just operating systems. It must encompass networking equipment, cloud environments (including storage buckets and identity policies), content distribution networks, web application firewalls and so forth. Organizations can choose to prioritize low-hanging fruit first or prioritize based on attack surface and threat models. 
  • Organizations will likely need more than one tool to manage configuration across these areas; however, consistent reporting, tracking and remediation functions across all of them will be crucial to the success of the program.
  • Establish secure baselines using industry standards and best practices such as the Center for Internet Security (CIS) Benchmarks. These benchmarks provide a solid, well-documented foundation for configuring a variety of operating systems, applications and cloud platforms. They are versioned, so record which benchmark version each baseline was derived from.
  • When implementing configuration management, run the first few scans in report-only mode with no automated remediation, especially where legacy applications and services are in place. A baseline setting that is correct for a modern system can break a legacy dependency, and the first scans show which exceptions need to be documented before enforcement is switched on. 
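The baseline, drift detection and report-only remediation described in this list, as an added example that is not Protiviti’s or CIS’s tooling. It parses an OpenSSH sshd_config the way sshd reads it (first occurrence of a keyword wins, anything after the first Match block is conditional), compares the global section against a small baseline, and only rewrites the file when dry_run is turned off. The BASELINE values are illustrative hardening settings in the spirit of common OpenSSH guidance (check the benchmark version you actually adopt), SSHD_DEFAULTS are the upstream defaults that apply when a directive is absent, and SAMPLE_CONFIG is constructed.

```python
"""sshd_config drift check with report-only remediation (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# directive -> (expected value, severity). Illustrative; verify against your benchmark.
BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "high"),
    "X11Forwarding": ("no", "medium"),
    "MaxAuthTries": ("4", "medium"),
    "LogLevel": ("VERBOSE", "low"),
}
# Value sshd applies when the directive is not set (OpenSSH 7.x and later).
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}
CANONICAL = {k.lower(): k for k in BASELINE}  # sshd keywords are case-insensitive

# Constructed sample: two explicit deviations plus one directive left at its default.
SAMPLE_CONFIG = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
# legacy batch job still authenticates with a password
PasswordAuthentication yes
MaxAuthTries 4
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""


@dataclass
class Finding:
    directive: str
    expected: str
    actual: str
    severity: str
    explicit: bool  # False when the drift is an unset directive at its default


def _keyword(line: str) -> Tuple[str, str]:
    """(lowercased keyword, value) for a config line; ('', '') for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "", ""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global settings as sshd sees them: first occurrence wins, stop at Match."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, value = _keyword(line)
        if not key:
            continue
        if key == "match":
            break
        settings.setdefault(CANONICAL.get(key, key), value)
    return settings


def find_drift(settings: Dict[str, str]) -> List[Finding]:
    findings = []
    for directive, (expected, severity) in BASELINE.items():
        explicit = directive in settings
        actual = settings.get(directive, SSHD_DEFAULTS[directive])
        if actual.lower() != expected.lower():
            findings.append(Finding(directive, expected, actual, severity, explicit))
    return findings


def remediate(text: str, findings: List[Finding], dry_run: bool = True) -> str:
    """Config text with each drifted directive set to its baseline value.
    With dry_run=True (the recommended first passes) the text comes back
    unchanged so the findings can be reviewed for legitimate exceptions."""
    if dry_run or not findings:
        return text
    fixes = {f.directive.lower(): f for f in findings}
    missing = [f"{f.directive} {f.expected}" for f in findings if not f.explicit]
    out: List[str] = []
    in_match = False
    for line in text.splitlines():
        key, _ = _keyword(line)
        if key == "match" and not in_match:
            in_match = True
            out.extend(missing)  # unset directives must land in the global section
            missing = []
        if not in_match and key in fixes:
            out.append(f"{fixes[key].directive} {fixes[key].expected}")
        else:
            out.append(line)  # Match-block lines are conditional; leave them alone
    out.extend(missing)  # no Match block present: append at the end
    return "\n".join(out) + "\n"


def audit(text: str, dry_run: bool = True) -> Tuple[List[Finding], str]:
    findings = find_drift(parse_sshd_config(text))
    return findings, remediate(text, findings, dry_run)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG)[0]:
        src = "set" if f.explicit else "default"
        print(f"{f.severity:6} {f.directive}: {f.actual} ({src}), expected {f.expected}")
```

The explicit flag is what makes the report useful to the IT and developer owners: a directive someone deliberately set to a non-compliant value (the legacy password login here) needs an exception decision, while a directive nobody set is usually just a gap to fill.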

Known Vulnerabilities as an Attack Vector 

The exploitation of known vulnerabilities occurs in only a relatively small share of breaches and has not played a major role in incidents and breaches over the past five years. However, the data shows that threat actors continue to probe this path in parallel with the collection of user credentials, so a strong vulnerability management program remains a critical defensive measure. A few key considerations in addressing this area: 

  • Organizations need an accurate inventory of public and private systems and applications to serve as the input to their vulnerability scanning. Derive and continuously reconcile this inventory from authoritative sources such as DNS records and IP address allocations (owned, leased and cloud); anything that resolves into your address space but is missing from the inventory will never be scanned. 
  • Ensure all internet-facing web applications are behind a web application firewall (WAF), and that origin servers accept web traffic only from the WAF provider, by restricting ingress to the provider’s published address ranges or requiring mutual TLS from the WAF. Otherwise an attacker who discovers the origin address simply bypasses the WAF.
  • An organization’s patching capability needs to be holistic and consistent. One recommendation is to prioritize patching not by environment but by asset risk: internet-facing servers should be patched before internal servers with no ingress or egress internet connectivity, regardless of whether they are labelled production or development.
  • Organizations should re-run their vulnerability scans after patching is complete to confirm that the patches actually remediated the known vulnerabilities, and treat any host the rescan did not reach as unverified rather than fixed. 
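The inventory, risk-ordered patching and rescan steps in this list, as one added example that is not Protiviti’s tooling or any scanner vendor’s API. It flags DNS names that resolve into owned address space but are absent from the inventory, orders hosts for patching by exposure before severity, and diffs a pre-patch and post-patch scan without letting a host that the rescan never reached show up as remediated. The inventory, the DNS data, the address ranges and both scan result sets are constructed (RFC 5737 test addresses, placeholder hostnames and placeholder CVE ids); a real pipeline would read them from the CMDB and the scanner export.

```python
"""Inventory gaps, risk-ordered patching, rescan verification (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    internet_facing: bool
    environment: str  # recorded, but deliberately not used to order patching


@dataclass(frozen=True)
class Vuln:
    host: str
    cve: str
    cvss: float


# Constructed data; nothing below comes from a real scan or a real network.
INVENTORY = [
    Asset("web01", "203.0.113.10", True, "prod"),
    Asset("vpn01", "203.0.113.20", True, "prod"),
    Asset("db01", "10.0.0.5", False, "prod"),
    Asset("build01", "10.0.0.9", False, "dev"),
]
OWNED_RANGES = ["203.0.113.0/24", "10.0.0.0/24"]
DNS_RECORDS = {
    "web01.example.com": "203.0.113.10",
    "vpn01.example.com": "203.0.113.20",
    "legacy.example.com": "203.0.113.30",  # resolvable, in owned space, not inventoried
    "cdn.example.com": "198.51.100.7",    # vendor-owned edge; outside our ranges
}
SCAN_BEFORE = [
    Vuln("web01", "CVE-0000-0001", 9.8), Vuln("web01", "CVE-0000-0002", 7.5),
    Vuln("vpn01", "CVE-0000-0003", 8.1),
    Vuln("db01", "CVE-0000-0004", 9.9),
    Vuln("build01", "CVE-0000-0005", 5.0),
]
# Rescan after the patch window. vpn01 came back clean; build01 was unreachable.
SCAN_AFTER = [
    Vuln("web01", "CVE-0000-0002", 7.5),
    Vuln("db01", "CVE-0000-0004", 9.9),
]
RESCANNED_HOSTS = {"web01", "vpn01", "db01"}  # from the scanner's host list, not its findings


def inventory_gaps(inventory: Iterable[Asset], dns_records: Dict[str, str],
                   owned_ranges: Iterable[str]) -> List[str]:
    """DNS names that resolve into owned address space but have no inventory
    entry. These are scanning blind spots until the inventory is fixed."""
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    known_ips = {a.ip for a in inventory}
    gaps = []
    for name, ip in dns_records.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets) and ip not in known_ips:
            gaps.append(name)
    return sorted(gaps)


def patch_order(vulns: Iterable[Vuln], inventory: Iterable[Asset]) -> List[str]:
    """Hosts ordered by exposure first, then worst CVSS, then finding count.
    Environment is ignored on purpose: an internet-facing dev box outranks an
    internal prod box. A host missing from the inventory is assumed exposed."""
    assets = {a.host: a for a in inventory}
    per_host: Dict[str, List[float]] = defaultdict(list)
    for v in vulns:
        per_host[v.host].append(v.cvss)

    def key(host: str):
        asset = assets.get(host)
        exposed = asset.internet_facing if asset else True
        return (not exposed, -max(per_host[host]), -len(per_host[host]), host)

    return sorted(per_host, key=key)


def verify_rescan(before: Iterable[Vuln], after: Iterable[Vuln],
                  rescanned_hosts: Set[str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Diff two scans. A finding counts as remediated only if the rescan
    covered its host; otherwise it is 'unverified'. Coverage comes from the
    scanner's host list because a clean host has no findings to diff."""
    b = {(v.host, v.cve) for v in before}
    a = {(v.host, v.cve) for v in after}
    gone = b - a
    return {
        "remediated": {f for f in gone if f[0] in rescanned_hosts},
        "unverified": {f for f in gone if f[0] not in rescanned_hosts},
        "remaining": b & a,
        "new": a - b,
    }


if __name__ == "__main__":
    print("inventory gaps:", inventory_gaps(INVENTORY, DNS_RECORDS, OWNED_RANGES))
    print("patch order:", patch_order(SCAN_BEFORE, INVENTORY))
    for k, v in verify_rescan(SCAN_BEFORE, SCAN_AFTER, RESCANNED_HOSTS).items():
        print(f"{k}: {sorted(v)}")
```

Note that db01 carries the highest score in the sample and still sorts after both internet-facing hosts, which is the asset-risk ordering the list recommends; and that a naive set difference of the two scans would have reported build01 as fixed.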

Wrapping Up 

The Verizon Data Breach Investigations Report contains a wealth of information that organizations should leverage in validating, establishing and improving their cybersecurity programs. However, organizations should not use it as their sole data source for these activities. Diversity of information and thought in these activities is critical to building and maintaining a robust cybersecurity program.  


To learn more about Protiviti’s security assessment and vulnerability management offerings, contact us. 

Roger Delph

Senior Manager
Technology Consulting - Security & Privacy
