by Tova Osofsky
Posted on June 22, 2022
Verizon recently issued the 2022 edition of their Data Breach Investigations Report (DBIR). This edition is number 15, so the editors took a look back at the data from their first report in 2008 to see what’s new and what’s changed. There’s a lot of interesting and useful data in the report.
This year’s report was based on a comprehensive examination of 23,896 “security incidents.” Of those incidents, 5,212 were confirmed as data breaches.
Ransomware continues to be a growth business, up another 13% in 2021 and present in one out of every four data breaches. Even companies that are well prepared with backups and procedures for coping with a ransomware attack can suffer significant financial loss, since it takes time and work to recover from a ransomware attack, whether or not a ransom is paid. Loss of customer trust and brand equity may also take a significant toll following a ransomware attack.
Despite increasing cybersecurity awareness, and corporate efforts to improve training and put “foolproof” systems in place, 82% of all data breaches involved the human element, whether it was someone falling for a phishing attack, use of stolen credentials, or a mistake. Mistakes alone accounted for 13% of breaches. Among the most common contributing factors were misconfigured cloud storage and unmanaged devices.
Perhaps Douglas Adams was right when he said, “A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.” For years, the cybersecurity industry has been struggling to stay one step ahead of those very ingenious and not-so-foolish “fools.” To be fair, many cybercriminals today are exceptionally sophisticated. Even careful, knowledgeable employees can fall victim to some of today’s clever attacks – it’s not only fools who make mistakes.
One of the challenges inherent in combatting phishing is that it is a game of huge volume. The vast majority of employees never actually click on a phishing email, and an even larger majority of phishing emails never get clicked, or even opened. Yet the volume of phishing attacks is so high that the 2.9% of users who do click through are sufficient to touch off a huge number of data breaches and ransomware attacks.
In 95% of attacks on organizations by external actors, financial or personal gain was the motive behind the attack.
For larger organizations in particular, however, that number drops to 71%. “Hacktivism,” hacking into an organization as a type of civil disobedience and protest, accounts for fully 25% of the data breaches.
While some things haven’t changed, there have been drastic changes in other areas:
As the French say, plus ça change, plus c’est la même chose, “the more things change, the more they stay the same.” Some things haven’t changed much in the last 15 years:
Let’s take another look at the first two items we mentioned above as remaining stable over 15 years of DBIR reports:
First, that only 20% of data breaches were attributed to an insider – a figure that is termed “infrequent” in the report:
The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources.
Given that 82% of attacks involved a human element, it is crucial to note that a breach “attributed to an insider” is not the same as a breach “involving an insider.” Attribution means that an insider intentionally set out to breach the security of the organization they work for, or have credentials to access, for reasons including financial gain, personal or professional grudges, or just for kicks.
This distinction is brought home by the second item we cited above as remaining constant – that web application hacking and email are the most frequent attack vectors. Users – including insiders – of course, play a critical, albeit often inadvertent, role in both.
Consider the most critical web application security risks, as classified by the Open Web Application Security Project (OWASP). In its most recent version, OWASP ranks broken access control as the most critical threat – with “access control” defined as “enforcement of policies such that users cannot act outside of their intended permissions.” Broken access control can result in “unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.”
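As an added illustration of the OWASP definition above (example code, not from the DBIR, OWASP or Ericom), here is a minimal, framework-free Node.js model of a broken access control defect beside its hardened form. The invoice records, sessions and role names are constructed for the example; the point is that the vulnerable handler checks that a user is logged in but never checks what that user is permitted to do.

```javascript
// Added example: OWASP "Broken Access Control" in miniature, framework-free.
// Everything here (invoices, sessions, role names) is constructed for
// illustration; it is not code from the DBIR, OWASP or Ericom.

// Fresh copy of the constructed invoice table, so callers can mutate it.
function makeStore() {
  return new Map([
    [1, { id: 1, owner: "alice", amount: 120 }],
    [2, { id: 2, owner: "bob", amount: 980 }],
  ]);
}

// Constructed sessions: what the server knows about the authenticated caller.
const SESSIONS = {
  alice: { user: "alice", roles: ["customer"] },
  bob: { user: "bob", roles: ["customer"] },
  carol: { user: "carol", roles: ["customer", "billing_admin"] },
};

// Denied requests are recorded here so a detection pipeline can alert on a
// user walking through ids that do not belong to them.
const DENIALS = [];
function deny(session, action, invoiceId, status) {
  DENIALS.push({ user: session.user, action, invoiceId, status });
  return { status };
}

// VULNERABLE: the handler checks that *someone* is logged in but never asks
// whether this user may see this record. Changing the id in the request
// yields another customer's invoice (horizontal privilege escalation).
function getInvoiceVulnerable(store, session, invoiceId) {
  if (!session) return { status: 401 };
  const inv = store.get(invoiceId);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Policy: owners read their own invoices; billing admins read any and are the
// only role allowed to delete (a "business function outside the user's limits"
// for everyone else).
function canRead(session, inv) {
  return inv.owner === session.user || session.roles.includes("billing_admin");
}
function canDelete(session) {
  return session.roles.includes("billing_admin");
}

// HARDENED: deny by default. A missing record and a forbidden record both
// return 404 so the response does not confirm that someone else's id exists.
function getInvoiceHardened(store, session, invoiceId) {
  if (!session) return { status: 401 };
  const inv = store.get(invoiceId);
  if (!inv) return { status: 404 };
  if (!canRead(session, inv)) return deny(session, "read", invoiceId, 404);
  return { status: 200, body: inv };
}

function deleteInvoiceHardened(store, session, invoiceId) {
  if (!session) return { status: 401 };
  if (!canDelete(session)) return deny(session, "delete", invoiceId, 403);
  if (!store.has(invoiceId)) return { status: 404 };
  store.delete(invoiceId);
  return { status: 204 };
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const store = makeStore();
  console.log("vulnerable, bob reads alice's invoice:",
    getInvoiceVulnerable(store, SESSIONS.bob, 1).status);
  console.log("hardened,   bob reads alice's invoice:",
    getInvoiceHardened(store, SESSIONS.bob, 1).status);
  console.log("hardened,   bob deletes invoice 2:",
    deleteInvoiceHardened(store, SESSIONS.bob, 2).status);
  console.log("denials recorded:", DENIALS.length);
}
```

Two design points are worth noting. Authorization is decided per record and per action in one place (`canRead`, `canDelete`) rather than scattered through handlers, which is what makes it reviewable; and every denial is logged, because a single user receiving many 404/403 responses for sequential ids is the signal that distinguishes enumeration from a mistyped link.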
Today, with many employees working remotely from unmanaged devices, and more enterprises than ever delegating essential functions like payroll and billing to third-party contractors, enforcing access control is a significant challenge. These third-party users need access to corporate applications to accomplish their tasks, yet without the ability to install access controls on user devices, it’s challenging to restrict access to only the resources they need.
Web application firewalls (WAFs), the technology that has traditionally been used to control access, are no longer effective. A shocking 65% of respondents in a recent survey reported that attacks on their application layers bypassed their WAFs – one of the reasons that web applications top the DBIR attack vector list.
ZTEdge Web Application Isolation (WAI) is a Zero Trust, cloud-based approach that enables enforcement of least-privilege access control to corporate apps – on-premises, cloud and SaaS – from unmanaged devices. WAI routes all interactions via the Ericom Global Cloud, effectively air-gapping apps so that malware on unmanaged devices cannot reach them.
Within the isolated cloud-based containers, granular per-user policies are applied to restrict what apps and data each user can access and how. Downloading, uploading and cut-and-paste capabilities can be restricted or blocked to protect sensitive data, and DLP applied to shield PII from exposure. WAI prevents data from being cached on user devices, so data will not be at risk if an unmanaged device is stolen or lost.
As a centrally managed solution, WAI does not require any software to be installed on user endpoints. Apps are accessed through whichever browser each user prefers to use – not a dedicated “enterprise” browser.
Cutting through all the data about different types of attacks and motives, the DBIR report emphasizes four key ways that breaches occur. The report states:
There are four key paths leading to your estate: Credentials, Phishing, Exploiting vulnerabilities and Botnets. These four pervade all areas of the DBIR, and no organization is safe without a plan to handle them all.
The best way to protect against all four is to implement a comprehensive Zero Trust-based cybersecurity solution such as ZTEdge, a cloud-delivered Secure Access Service Edge (SASE) that provides critical tools such as Remote Browser Isolation, Zero Trust Network Access, and built-in Identity and Access Management (IAM) as well as WAI.
To learn more about how ZTEdge can protect your organization from breaches, request a demo today.