Social engineering attacks against C-level executives, hacks of cloud-based email servers, and compromises of payment card web apps were all notably up last year, according to the newly released 2019 Verizon Data Breach Investigations Report (DBIR).
Other key takeaways from the past year included a marked decrease in successful attacks against physical point-of-sale terminals and a sharp drop in reported W-2 scams. And despite being in an ongoing battle for popularity among cybercriminals, ransomware beat out cryptomining programs by a wide margin in terms of the number of incidents in which they were involved.
For its report, Verizon recorded 41,686 security incidents in 86 countries during the period of Nov. 1, 2017 to Oct. 31, 2018 – nearly 12,000 fewer events than the previous annual period. Verizon also registered 2,013 data breaches versus 2,216 in the previous year. (By Verizon's definition an incident is when data is exposed to possible harm, while a breach is when an unauthorized party is confirmed to have accessed data.)
Compared to previous years covered by the report, C-level executives last year were 12 times more likely to be the target of a social engineering incident and nine times more likely to be the target in a breach caused by social engineering.
"I'm not at all surprised to see C-Suite attacks featuring strongly as cybercriminal methodologies have evolved and matured over the past decade," said Brian Higgins, security specialist at Comparitech.com, in emailed comments. "Whereas before, a global phishing email might elicit a worthwhile haul of bank details and other criminally commoditized data, the modern cyber crime organization recognizes the value in more targeted, high level attack."
Meanwhile, as companies continued to migrate important data and processes to the cloud, cybercriminals naturally began seeing this trend as an opportunity. Consequently, Verizon researchers reported an increase in hacks against cloud-based email servers using stolen credentials. In fact, they found that unauthorized access of cloud-based email servers were involved in over 50 percent of breaches that involved a web application as an attack vector.
"As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed," said Bryan Sartin, executive director of security professional services at Verizon said in a company press release. That's why "Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line," he continued.
"As more and more information and data, the 'crown jewels' of any business, migrates to SaaS and IaaS based solutions, organizations just do not have visibility and control that they had with their traditional enterprise security capabilities," added Pravin Kothari, founder and CEO of CipherCloud, in emailed comments. "Criminals are also finding it far easier to target the cloud to utilize stolen passwords, API vulnerabilities or misconfiguration to take over accounts and access all information like an authorized user, thus bypassing all security controls."
Verizon further reported that compromises of payment card web applications are poised to soon surpass successful attacks on physical payment terminals, which have decreased in frequency potentially due to the effectiveness of chip and PIN technology, the report suggests.
The researchers also noted a major decrease in reported W-2 tax form scams, which they said almost entirely disappeared from the DBIR data set. In its report, Verizon guesses this trend could be "due to improved awareness within organizations, noting a correlation between this development and a 6x year-over-year decrease in breaches affecting human resource personnel.
Ransomware made another strong showing in this year's report, accounting for almost 24 percent of incidents in which a malware program was used – second only to C2 communications malware. Meanwhile cryptominers didn't even crack the top ten, only appearing in two percent of incidents.
"The numbers in this year’s data set do not support the hype" around cryptominers, the report states.
Among 21 industry categories listed in the report (including an "unknown" category), the public sector experienced the most breaches with a total of 330, followed by health care (304), "unknown" (289) and finance (207). The public sector also suffered through the highest number of incidents (23,399), followed by "unknown" (7,350) and the entertainment industry (6,299).
Other notable statistics from the report:
- Perpetrators: 69 percent of breaches were executed by outsiders, including cybercriminal groups (39 percent) and nation-state or state-affiliated actors (23 percent). Just over a third, 34 percent, involved an insider threat. (Some breaches could have involved both external and internal actors.)
- Tactics: 52 percent of breaches involved hacking, 33 percent included social engineering as a component, 32 percent involved phishing, 29 percent were made possible through stolen credentials and 28 percent were malware-enabled.
- Motive: 71 percent of breaches were financially motivated, while 25 percent were conducted as part of an espionage operation designed to gain a strategic advantage.
"While many reports will talk about nation-state hacking or advanced threats, what this year’s DBIR shows, as it has for many years now, is that the attacks that are most successful are not new or even particularly clever – they're just effective," said Bob Huber, CSO of Tenable. Business email compromise attacks, malware infections and... tried-and-tested credential abuse make up the report's key findings. Translating this simply: it’s a lack of basic cyber hygiene that is still to blame for nearly all 41,686 security incidents and 2,013 confirmed breaches."