CybersecuritySecurity

Protiviti Perspective: Verizon 2020 Data Breach Investigations Report

Roger Delph
August 27, 2020
4 min read

Security data nerds look forward to the annual release of the Verizon Data Breach Investigations Report (DBIR). The report contains a breakdown of the prior year’s security incidents and breaches and provides trending data that mature security programs can benchmark againstOne of the surprises in this year’s report is that organizations are discovering 60 percent of data breaches in days or less and containing 80 percent of breaches in the same timeframe. Verizon highlights that this is due to more breaches being detected by managed security providers, and not necessarily an improvement of internal detection and containment capabilities.  

Social Engineering 

Social engineering continues to lead the threat actions in data breaches, with phishing being the overwhelmingly preferred method at 96% within the social engineering category. Successful phishing campaigns provide threat actors with the credentials and information they need to gain access to an environment and achieve their goals, be it data exfiltration, establishing a foothold or destruction. The exploitation of our users by threat actors continues to be a successful tactic because organizations do not implement systemic safeguards and controls. Yes, awareness campaigns are essential; however, they are never 100% effective. Organizations need to ensure the following controls are appropriately implemented within their environment: 

  • Multi-Factor Authentication (MFA) on all publicly exposed applications and services without exception. MFA can block over 99.9 percent of account compromise attacks, and with MFA implemented, knowing or obtaining a password alone will not be enough to gain access to a system. 
  • E-mail banners that identify and notify recipients when e-mails originate from outside of the organization. Implementing basic banners can be done natively with Microsoft Office 365 in just a few minutes. 
  • SPAM filters are considered table stakes in any organization, and phishing filters are quickly following suit. These solutions utilize threat intelligence to identify phishing attempts and block the messages from delivery. A critical capability of these solutions is to provide an easy one-click notification button to alert the security operations center. Organizations should also consider automating the removal of identified spam and phishing campaign e-mails from all users’ mailboxes. 

Errors in Configuration 

The only action type leading to a security breach that is consistently seeing yearoveryear gains is the error action, which now ranks third, behind hacking and social actions. The misconfiguration variety of error is the most common cause, and the vast majority of these configurations are caught by external parties (e.g., security researchers, customers, etc.). Organizations of all sizes need to embrace configuration management and continuous compliance scans to detect and remediate configuration drift. Unfortunately, configuration management is almost always a shared responsibility between IT, security and developers. Further complicating matters is the level of maturity that is required for an organization to establish secure baselines, detect configuration drift and automate remediations. Some key items to consider in remediating and addressing this area: 

  • Configuration management is more than just operating systems. It must encompass a number of arenas including networking equipment, cloud environments, content distribution networks, web application firewalls and so forth. Organizations have a choice to prioritize low hanging fruit first or prioritize based on attack surface and threat models. 
  • Organizations will likely need more than one application to manage configuration management across the various areas; however, providing a consistent reporting, tracking and remediation functions will be crucial to the success of the program.
  • Establish secure baselines using industry standards and best practices like the Center for Internet Security (CIS) benchmarks. These benchmarks provide a solid foundation to secure and configure a variety of systems and cloud platforms.
  • When implementing configuration management, run the first few scans without remediation, especially if legacy applications and services are in place. 

Known Vulnerabilities as an Attack Vector 

The exploitation of known vulnerabilities occurs only in a relatively small number of breaches and has not played a major role within incidents and breaches over the past five years. However, evidence shows that threat actors continue to probe this path in parallel to the collection of user credentials. A strong vulnerability management program is a critical defensive measure. A few key considerations in addressing this area: 

  • Organizations need an accurate inventory of public and private systems and applications to serve as the input to their vulnerability management scanning capability. This inventory should be derived from DNS records and IP Addresses (owned, leased, cloud). 
  • Ensure all internet-facing web applications are behind a web application firewall (WAF), and that origin servers can only accept web traffic from the WAF provider. 
  • An organization’s patching capability needs to be holistic and performed consistently. One recommendation is to patch systems, not by environment, but by asset risk. Internet-facing servers should be patched before internal servers with no egress or ingress internet connectivity.
  • Organizations should reevaluate and reperform their vulnerability scans after patching procedures are completed to ensure the operation was successful in mitigating the known vulnerabilities. 

Wrapping Up 

The Verizon Data Breach Investigations Report contains a wealth of information that organizations should leverage in validating, establishing and improving their cybersecurity programs. However, organizations should not use it as their sole data source for these activities. Diversity of information and thought in these activities are critical in building and maintaining a robust cybersecurity program.  

 

To learn more about Protiviti’s security assessment and vulnerability management offeringscontact us. 

Roger Delph

Senior Manager
Technology Consulting - Security & Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More