Oh, the joy of joys! It’s that time of year again! No, not the Holidays. It’s Verizon Data Breach Investigations Report season – that special time of year when we are most painfully reminded of how far we haven’t come in securing our systems, applications and data. But, hey, we’re not alone, right? This year’s report is packed full of useful data intended to help ensure you’ve addressed all the low-hanging fruit required to help secure your environment.
In comparing this year’s findings to years past, there is one theme that stands out amongst the noise: Follow the data to the money. Analysts have coined this concept Infonomics – the value and economics of information. If you consider the industries that are most targeted, the methods utilized by attackers, the insiders in cahoots, and the ultimate motive, it’s pretty clear that it’s all about the data – or, more precisely, it should be about protecting it against unwanted access.
In this blog, I will review the data points that stood out and helped form this conclusion. First up, let’s look at the verticals.
Physician, heal thyself!
Healthcare breaches jumped 81% – from 296 in 2016 to 536 in 2017 – with a greater insider threat than external threat. Some of this can be attributed to errors, but looking deeper into the data the report shows privilege abuse behind 74% of cases. Whether it’s inadvertent curiosity or a malicious attempt at accessing the Holy Grail of data – personal + health + payment – an 81% jump is not healthy. (See what I did there?)
Looks like you’ll be staying with us for two nights. Would you like an upgraded threat view?
Looking at data in the Accommodation industry vertical, breaches related to privilege misuse jumped from 5 in 2017 to 302 in 2018. That’s like a 5,940% increase, putting Accommodation at the concierge level in terms of risk. It’s no wonder, though. As with Healthcare, Accommodation/Hotel information stores contain a wealth of customer information – payment, personal preferences, rewards, and more.
Small businesses suffer disproportionately
Breaches affecting small businesses grew from 22% in 2017 to 58% in 2018. Often strapped for resources – people, budget, technology – small businesses are both the engine of our economy and a ripe target for cyber-attacks. Please see the figure from this year’s DBIR (page 5) at right. The one with the really subtle callout.
Public Sector – Still a yuuuuuuuuuuuuge problem
Despite your perspective on what’s going on in Washington, you have to admit that public service is a noble professional calling. Looking at Figure 39 from this year’s report, though, shows a decidedly ignoble pattern – Privilege Misuse. The data tells us that most often the misuse is privilege abuse (78%), which of course is using existing privileges in a manner that is unauthorized and/or out of policy. Cyber espionage notwithstanding, with Edward Snowden and Reality Winner in mind, it’s imperative to have a privileged password and least privilege management solution in place to assign accountability and control over the keys to the kingdom, while balancing that out with user behavior analysis to map patterns of access.
Insider or Outsider?
Next up, let’s look at how the mix of outsider vs. insider breaches has changed over the years. We learn from the 2018 report that 73% of breaches were perpetrated by outsiders, and 27% by insiders. Although only subtly different from 2017 (75%/25%, respectively), take the long view. Breaches involving insiders have increased from around 20% three years ago to nearly 30% today. Digging a little deeper into the actor, we see that the system admin (26%) (72/277 breaches) is the #1 culprit. Not every case was malicious, of course. Sometimes the processes can be sloppy, the oversight minimal, and the workload too burdensome. That’s why it’s so important to have automated systems for password management, privileged session monitoring and privilege delegation – to provide the control and accountability so admins can be productive with less concern for the impact of mistakes.
Other Interesting Trends
Use of stolen credentials (hacking) is the #1 action variety in breaches again this year at 22% (399/1,799 breaches), with privilege abuse coming in at #4. See Figure 5 from this year’s report (edited, with emphasis).
Credentials (11%) and Secrets (7%) are increasing in number year-on-year as data types compromised, as shown in this year’s report. This reaffirms that stolen credentials can be used to advance attacks and ultimately compromise other data types. As we saw with sysadmins and in the Public Sector above, this screams for a fully automated privileged credential management solution.
In looking at timelines in Figure 10 of this year’s report, compromises and exfiltration are happening in minutes, but discovery takes months, and containment days thereon.
Compare that to last year’s report and you see some consistency. Consider also that the average time to vulnerability resolution is 57 days, up from 30 days not so long ago.
Recommendations for Better Protecting Access to Your Data (And Therefore the Biggest Asset Your Organization Possesses)
Our recommendations aren’t that new. In fact, they’re quite similar to last year’s recommendations (and bear a striking resemblance to the years before that, too). Cybersecurity hygiene is key, and I detect a pattern. The reason is, most organizations still struggle with the basics. Here’s your top 5 list:
- Deploy patches for known vulnerabilities as soon as possible to mitigate the attack surface of external parties seeking to become insiders by leveraging credentials to move laterally throughout an organization. Lateral movement can lead an attacker to encrypt a file server or database, which the report tells us, is much more damaging than encrypting a single user device. (In fact, we just released new rules in PowerBroker for Windows that will help you detect lateral movement.)
- Deploy a password management solution that discovers every account in the environment, securely stores and manages credentials, requires an approval process for check-out, monitors activity while checked out, and rotates the credential upon check-in. Look for a workflow-based process for obtaining privileges. If requests happen during normal business hours and within acceptable parameters, set auto-approval rules to enable access without restricting admin productivity. But, if time, day, or location indicators point to something out of band, deny it and investigate.
- Segment your network or implement a secure enclave that ensures all privileged accounts (employees, contractors, and third parties) do not have direct access to manage devices. This model ensures that only approved devices and restricted network paths can be used to communicate with secured resources.
- Enforce least privilege across your entire environment by removing local admin rights from end users, and restricting the use of admin and root account privileges to servers in your data center. Elevating rights to applications on an exception basis, and employing fine-grained policy controls once access is granted can quickly limit the lateral movement of would-be attackers.
- Implement multi-factor. Multi-factor authentication raises the bar given the number of breaches that involve weak, stolen or default credentials. As the report says (page 28), “… passwords, regardless of length or complexity, are not sufficient on their own.” Attackers need credentials to move laterally and multi-factor makes that movement more complex. When reviewing the need for multi-factor the only right answer is every user, every account.
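As an added example that is not from this blog or from any BeyondTrust product, here is a minimal model of the check-out workflow in the second recommendation: in-band requests (weekday, business hours, approved source network, account not already out) are auto-approved, out-of-band requests are denied and land in an investigation queue, and check-in rotates the password so the released value is dead. The business-hours range, the approved network and the account name are constructed assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime

BUSINESS_HOURS = range(8, 18)                         # 08:00-17:59 local, assumed policy
APPROVED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed corporate range


@dataclass
class CredentialVault:
    """Toy vault: one password per account, gated check-out, rotation on check-in."""
    store: dict = field(default_factory=dict)        # account -> current password
    checked_out: set = field(default_factory=set)
    audit: list = field(default_factory=list)        # every decision is recorded

    def add_account(self, account):
        self.store[account] = secrets.token_urlsafe(24)

    def request_checkout(self, account, requester, when_iso, source_ip):
        """Apply the auto-approval rules; return ('approved', password) or ('denied', None)."""
        when = datetime.fromisoformat(when_iso)
        reasons = []
        if when.weekday() >= 5:
            reasons.append("weekend")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not any(ipaddress.ip_address(source_ip) in net for net in APPROVED_NETS):
            reasons.append("unapproved source network")
        if account in self.checked_out:
            reasons.append("already checked out")
        decision = "denied" if reasons else "approved"
        self.audit.append({"account": account, "requester": requester, "when": when_iso,
                           "source": source_ip, "decision": decision, "reasons": reasons})
        if decision == "approved":
            self.checked_out.add(account)
            return decision, self.store[account]
        return decision, None

    def checkin(self, account):
        """Release the account and rotate its password; True when rotation happened."""
        old = self.store[account]
        self.checked_out.discard(account)
        self.store[account] = secrets.token_urlsafe(24)
        self.audit.append({"account": account, "decision": "checked-in", "rotated": True})
        return old != self.store[account]

    def to_investigate(self):
        """Denied requests are the out-of-band events the recommendation says to investigate."""
        return [e for e in self.audit if e["decision"] == "denied"]
```

The audit list is the accountability record the post keeps coming back to: every grant, denial and rotation is attributable to a requester, a time and a source.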
At the end of the day, you have to understand what you’re protecting access to, and then build your defenses out from there. This year’s DBIR tells me it’s (still) all about the data – prioritizing and protecting it.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.