Security data nerds look forward to the annual release of the Verizon Data Breach Investigations Report (DBIR). The report contains a breakdown of the prior year’s security incidents and breaches and provides trending data that mature security programs can benchmark against. One of the surprises in this year’s report is that organizations are discovering 60 percent of data breaches in days or less and containing 80 percent of breaches in the same timeframe. Verizon highlights that this is due to more breaches being detected by managed security providers, and not necessarily an improvement of internal detection and containment capabilities.
Social engineering continues to lead the threat actions in data breaches, with phishing being the overwhelmingly preferred method at 96% within the social engineering category. Successful phishing campaigns provide threat actors with the credentials and information they need to gain access to an environment and achieve their goals, be it data exfiltration, establishing a foothold or destruction. The exploitation of our users by threat actors continues to be a successful tactic because organizations do not implement systemic safeguards and controls. Yes, awareness campaigns are essential; however, they are never 100% effective. Organizations need to ensure the following controls are appropriately implemented within their environment:
- Multi-Factor Authentication (MFA) on all publicly exposed applications and services without exception. MFA can block over 99.9 percent of account compromise attacks, and with MFA implemented, knowing or obtaining a password alone will not be enough to gain access to a system.
- E-mail banners that identify and notify recipients when e-mails originate from outside of the organization. Implementing basic banners can be done natively with Microsoft Office 365 in just a few minutes.
- Spam filters are considered table stakes in any organization, and phishing filters are quickly following suit. These solutions use threat intelligence to identify phishing attempts and block the messages from delivery. A critical capability of these solutions is an easy one-click button that lets users report a suspicious message directly to the security operations center. Organizations should also consider automating the removal of identified spam and phishing campaign e-mails from all users’ mailboxes.
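The external-sender banner in the list above is usually a mail-gateway rule (Office 365 supports it natively, as noted). The following Python model of that rule's decision logic is an added example, not code from the original post or from any mail product: it treats the message as external when the authenticated From domain is not one of the organization's domains, and it flags the common trick of smuggling an internal-looking address into the display name. The domains, the banner text and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholder: the organization's own sending domains (assumption).
INTERNAL_DOMAINS = {"example.com"}

BANNER_TEXT = ("[EXTERNAL] This message originated outside the organization. "
               "Do not click links or open attachments unless you recognize the sender.")

# Assumption: the gateway has already applied SPF/DKIM/DMARC, so a From header
# claiming one of our domains is authenticated rather than forged. Without that,
# banner logic keyed on the From header alone can be bypassed by spoofing.

def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is no @)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_internal_domain(domain: str) -> bool:
    """True for our domains and their subdomains (mail.example.com)."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def classify_message(raw: str) -> dict:
    """Decide whether a message is external and whether its display name impersonates an insider."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    external = not is_internal_domain(from_domain)
    # Edge case: "Jane <jane@example.com>" <evil@attacker.test> shows an internal
    # address in the display name while the real sender is external.
    impersonation = False
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display_name)
    if external and m and is_internal_domain(m.group(1).lower()):
        impersonation = True
    return {"external": external, "display_name_impersonation": impersonation,
            "from_domain": from_domain}

def apply_banner(raw: str) -> str:
    """Return the message body with the banner prepended for external senders (single-part text only)."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    if classify_message(raw)["external"]:
        return BANNER_TEXT + "\n\n" + body
    return body

# Constructed sample messages.
INTERNAL_MSG = "From: Bob <bob@mail.example.com>\nSubject: lunch\n\nSee you at noon.\n"
EXTERNAL_MSG = ('From: "Jane <jane@example.com>" <evil@attacker.test>\n'
                "Subject: Urgent wire transfer\n\nPlease approve the attached invoice.\n")

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, EXTERNAL_MSG):
        print(classify_message(raw))
        print(apply_banner(raw))
```

The impersonation flag is worth surfacing separately from the banner: a message that is both external and carries an internal-looking display name is a strong candidate for quarantine or for the one-click report path rather than a banner alone.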
Errors in Configuration
The only action type leading to a security breach that is consistently seeing year-over-year gains is the error action, which now ranks third, behind hacking and social actions. The misconfiguration variety of error is the most common cause, and the vast majority of these misconfigurations are discovered by external parties (e.g., security researchers, customers, etc.). Organizations of all sizes need to embrace configuration management and continuous compliance scans to detect and remediate configuration drift. Unfortunately, configuration management is almost always a shared responsibility between IT, security and developers. Further complicating matters is the level of maturity required for an organization to establish secure baselines, detect configuration drift and automate remediation. Some key items to consider in addressing this area:
- Configuration management is more than just operating systems. It must encompass a number of arenas including networking equipment, cloud environments, content distribution networks, web application firewalls and so forth. Organizations can choose to prioritize low-hanging fruit first or to prioritize based on attack surface and threat models.
- Organizations will likely need more than one tool to manage configuration across the various areas; however, providing consistent reporting, tracking and remediation functions across those tools will be crucial to the success of the program.
- Establish secure baselines using industry standards and best practices like the Center for Internet Security (CIS) benchmarks. These benchmarks provide a solid foundation to secure and configure a variety of systems and cloud platforms.
- When implementing configuration management, run the first few scans without remediation, especially if legacy applications and services are in place.
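The four items above describe one loop: define a secure baseline, scan hosts against it, record drift, and only later turn on remediation. The Python below is an added example of that loop, not code from the original post or from any configuration-management product. The baseline entries are CIS-style hardening items written as assumptions (not an excerpt of a CIS benchmark), the host snapshots are constructed, and the "remediation" only rewrites the in-memory snapshot; real tooling would push the change to the host.

```python
import copy
from dataclasses import dataclass
from typing import Any

# Comparison operators a baseline entry can use: exact match, or an upper bound.
OPS = {
    "eq": lambda observed, expected: observed == expected,
    "le": lambda observed, expected: observed <= expected,
}

# Constructed CIS-style baseline (assumption): setting -> (operator, expected value).
BASELINE = {
    "sshd.PermitRootLogin": ("eq", "no"),
    "sshd.PasswordAuthentication": ("eq", "no"),
    "sshd.MaxAuthTries": ("le", 4),
    "sysctl.net.ipv4.ip_forward": ("eq", 0),
    "file_mode./etc/shadow": ("eq", "0640"),
}

# Constructed host snapshots, as a collector would report them.
HOSTS = {
    "web-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
               "sshd.MaxAuthTries": 6, "sysctl.net.ipv4.ip_forward": 0,
               "file_mode./etc/shadow": "0640"},
    "legacy-app-03": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "yes",
                      "sshd.MaxAuthTries": 4, "sysctl.net.ipv4.ip_forward": 1,
                      "file_mode./etc/shadow": "0644"},
    # db-02 is compliant on everything it reported but the collector omitted one setting.
    "db-02": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
              "sshd.MaxAuthTries": 3, "sysctl.net.ipv4.ip_forward": 0},
}

# Documented, time-boxed exceptions for legacy services that cannot meet the baseline yet.
EXCEPTIONS = {("legacy-app-03", "sshd.PasswordAuthentication")}

@dataclass
class Finding:
    host: str
    setting: str
    expected: Any
    observed: Any
    status: str  # "drift", "excepted", "missing" or "remediated"

def evaluate_host(host: str, observed: dict, baseline=BASELINE, exceptions=EXCEPTIONS) -> list:
    """Compare one host snapshot against the baseline and return its findings."""
    findings = []
    for setting, (op, expected) in baseline.items():
        if setting not in observed:
            findings.append(Finding(host, setting, expected, None, "missing"))
            continue
        value = observed[setting]
        if OPS[op](value, expected):
            continue
        status = "excepted" if (host, setting) in exceptions else "drift"
        findings.append(Finding(host, setting, expected, value, status))
    return findings

def scan(hosts: dict, remediate: bool = False) -> list:
    """Scan every host; report-only by default, as recommended for the first runs."""
    state = copy.deepcopy(hosts)  # never mutate the caller's snapshots
    report = []
    for host, observed in state.items():
        for f in evaluate_host(host, observed):
            if f.status == "drift" and remediate:
                observed[f.setting] = f.expected  # simulated fix
                f.status = "remediated"
            report.append(f)
    return report

def summarize(report: list) -> dict:
    """Count findings by status, the headline numbers for a drift dashboard."""
    counts = {}
    for f in report:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts

if __name__ == "__main__":
    for f in scan(HOSTS):
        print(f)
    print(summarize(scan(HOSTS)))
    print(summarize(scan(HOSTS, remediate=True)))
```

Two design points matter more than the code: "missing" is reported as its own status because a collector that silently skips a setting looks compliant, and exceptions are keyed by host and setting so a legacy carve-out does not hide the same drift elsewhere.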
Known Vulnerabilities as an Attack Vector
The exploitation of known vulnerabilities occurs in only a relatively small number of breaches and has not played a major role within incidents and breaches over the past five years. However, evidence shows that threat actors continue to probe this path in parallel with the collection of user credentials. A strong vulnerability management program is a critical defensive measure. A few key considerations in addressing this area:
- Organizations need an accurate inventory of public and private systems and applications to serve as the input to their vulnerability scanning capability. This inventory should be derived from DNS records and IP addresses (owned, leased, cloud).
- Ensure all internet-facing web applications are behind a web application firewall (WAF), and that origin servers can only accept web traffic from the WAF provider.
- An organization’s patching capability needs to be holistic and performed consistently. One recommendation is to patch systems, not by environment, but by asset risk. Internet-facing servers should be patched before internal servers with no egress or ingress internet connectivity.
- Organizations should re-run their vulnerability scans after patching is complete to confirm that the operation actually mitigated the known vulnerabilities.
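The inventory, risk-based patch ordering and post-patch rescan items above chain together, so one added Python example covers all three; it is not code from the original post or from any scanner. The inventory, the vulnerability ids (placeholders, not real CVEs), their severity scores and the before/after scan output are all constructed. It checks inventory coverage (assets the scanner never touched), orders findings with internet-facing assets first, and diffs the pre- and post-patch scans into remediated, persisting and newly introduced findings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    internet_facing: bool
    source: str  # where the inventory record came from: "dns" or "cloud"

# Constructed inventory (assumption): built from DNS records and owned/cloud IP space.
INVENTORY = [
    Asset("www-01", "203.0.113.10", True, "dns"),
    Asset("vpn-04", "203.0.113.20", True, "dns"),
    Asset("app-02", "10.0.1.15", False, "cloud"),
    Asset("db-03", "10.0.2.8", False, "cloud"),
    Asset("jump-05", "10.0.3.4", False, "cloud"),
]

# Constructed CVSS-like scores for placeholder vulnerability ids (not real CVEs).
SEVERITY = {"VULN-001": 9.8, "VULN-002": 7.5, "VULN-003": 5.3, "VULN-004": 6.1}

# Constructed scan output: asset -> set of vulnerability ids. An empty set means the
# asset was scanned and came back clean; an asset absent from the dict was not scanned.
SCAN_BEFORE = {
    "www-01": {"VULN-001", "VULN-002"},
    "app-02": {"VULN-001"},
    "db-03": {"VULN-003"},
    "jump-05": set(),
}
SCAN_AFTER = {
    "www-01": {"VULN-002"},   # one of two fixed
    "app-02": {"VULN-001"},   # patch did not take
    "db-03": {"VULN-004"},    # old one fixed, a new one appeared
    "jump-05": set(),
}

def coverage_gaps(inventory, scan) -> list:
    """Inventory assets the scanner never touched; these are blind spots, not clean hosts."""
    return sorted(a.name for a in inventory if a.name not in scan)

def prioritize(inventory, scan) -> list:
    """Order (asset, vuln) pairs for patching: internet-facing first, then by severity."""
    exposure = {a.name: a.internet_facing for a in inventory}
    pairs = [(asset, vuln) for asset, vulns in scan.items() for vuln in vulns]
    return sorted(pairs, key=lambda p: (not exposure.get(p[0], False),
                                        -SEVERITY.get(p[1], 0.0), p[0], p[1]))

def _pairs(scan) -> set:
    return {(asset, vuln) for asset, vulns in scan.items() for vuln in vulns}

def compare_scans(before, after) -> dict:
    """Diff two scans so the rescan proves what patching actually changed."""
    b, a = _pairs(before), _pairs(after)
    return {"remediated": sorted(b - a), "persisting": sorted(b & a), "new": sorted(a - b)}

def patch_success_rate(before, after) -> float:
    """Fraction of pre-patch findings that the rescan no longer reports."""
    b = _pairs(before)
    return len(b - _pairs(after)) / len(b) if b else 1.0

if __name__ == "__main__":
    print("never scanned:", coverage_gaps(INVENTORY, SCAN_BEFORE))
    print("patch order:", prioritize(INVENTORY, SCAN_BEFORE))
    print("rescan diff:", compare_scans(SCAN_BEFORE, SCAN_AFTER))
    print("success rate:", patch_success_rate(SCAN_BEFORE, SCAN_AFTER))
```

The "persisting" and "new" buckets are the reason to rescan at all: a patch job that reports success while a finding persists (app-02 here) or while a new finding appears on a patched host (db-03) is exactly what a ticket-closed metric would miss.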
The Verizon Data Breach Investigations Report contains a wealth of information that organizations should leverage in validating, establishing and improving their cybersecurity programs. However, organizations should not use it as their sole data source for these activities. Diversity of information and thought in these activities is critical to building and maintaining a robust cybersecurity program.
To learn more about Protiviti’s security assessment and vulnerability management offerings, contact us.