We're Still Making The Same Cybersecurity Mistakes

Danielle Beurteaux

Telecom company Verizon recently released its 2016 Data Breach Investigations Report. This is Verizon’s 9th annual report on cybersecurity. This year’s report looks at over 100,000 events and slices and dices them by type, motivation (well, there’s one predominant one), cause, etc.

While the report is surprisingly readable—it is not without humor and contains extremely colorful and informative tables—we’ve summarized some of the high points (if we can call them that) in cybersecurity that occurred in 2015.

Who’s been hit?

First off, “accommodation” was the biggest target industry for security attacks last year. Healthcare, education, entertainment, and public/government targets were also high on attackers’ lists.

Trends in hackery

Top techniques include malware, hacking via stolen credentials or backdoor malware, phishing, and spyware/keylogger malware. Trending downwards: brute force and RAM and backdoor malware.

Attacks are happening via people (phishing) and devices (personal computers and POS) infected with malware.

Most attacks happen quickly—within minutes, or, in cases of POS hacks, days—and detection primarily comes from law enforcement and third-party notifications. As noted in the report, this is a problem because by the time a breach is discovered, it’s often over.

Yep, phishing is still a thing. A big thing.

Haven’t we figured out phishing yet? Apparently not. Technology might rule our lives, but human fallibility is still a top security problem. And don’t underestimate employee security missteps: “Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff.”

The vast majority of perps are organized crime groups (89%), with “state-affiliated actors” (i.e. spies) in a distant second place (9%).

Credentials

They’re looking for credentials, and they’re using weak and stolen passwords. The ubiquitous username/password combo remains a prime target and tool for cybercriminals. For this reason, security experts continue to recommend adding multi-factor authentication to usernames and passwords, at least until someone figures out something better (biometrics, anyone?).

Web app attacks

As websites become more complex, the opportunities for security misbehavior have also increased. The Verizon report credits the Dridex Botnet takedown for offering insight into what’s going on with these attacks. (Also, good fun: Dridex is now being spread via JavaScript attachments.) Again, the majority of these confirmed attacks were for money.

POS

Look out, hotels and retailers—POS attacks continue to be a popular hack. As the report notes, retailers got the worst of it in 2014, and large corporate hotel chains in 2015. Keystroke-logging malware and RAM scraping continue to be the most-used techniques.

Insider and privilege misuse

Also a problem: users with legitimate access to information that they use for illegitimate purposes. These tend to be regular employees who are either looking for money or committing acts of espionage. (And in case you’re concerned about potential Edward Snowdens, those acting for ideology’s sake are few.) Here’s one takeaway lesson: Be sure to immediately remove access credentials for all departing employees at any level. These are the breaches that typically take the longest to uncover.

Miscellaneous/loss/theft

People make mistakes. They also lose things. A lot. They send emails to the wrong people, leave laptops behind, and fail to adequately dispose of documents containing sensitive information. Recommended solutions: encryption, an appropriate data disposal protocol, and turning employees into cyborgs, or at least limiting dependence on printed matter.

The report also covers crimeware (Miscellaneous)—organized crime looking for financial gain. These culprits still like to use skimmers (Hello, Romania!). Cyber-espionage, according to the report, tends to focus on getting at trade secrets and insider info, and DoS attacks tend to be either very fast and big (as in data), or smaller and longer.

To sum up, many of the recommendations to ensure a better level of security are common-sense and not new: Keep software updated, educate employees on security, be cognizant of data disposal, have an incident reporting structure, and the like. And don’t leave your laptop on the backseat of your car.




About Danielle Beurteaux

Danielle Beurteaux is a New York–based writer who covers business, technology, and philanthropy. Her work has appeared in The New York Times and on Popular Mechanics, CNN, and Institutional Investor's Alpha, among other outlets.