"If the DBIR were a bottle of decent Scotch Whiskey it would cost you around 100 bucks, instead of being free like this document. Likewise, the decisions you might make after finishing them would probably differ wildly as well. Nevertheless, we hope you gain a certain degree of enjoyment and enlightenment from both."
While not everyone fancies a bottle of Scotch, this closing statement from the 2019 Verizon Data Breach Investigations Report (DBIR) is on point. As IT and cybersecurity professionals, we can surely relate to the challenges of defending our organizations, and to the value this report brings each year in helping us stay ahead of evolving threats.
If there’s one security report you should read every year, this is it. It’s not all about the data, though. Besides the free and factual insights this report provides, it’s simply an enjoyable read. From clever anecdotes to stories from a hipster coffee shop, the Verizon DBIR never ceases to entertain.
No doubt you’ll find your own takeaways, but here are just a few that interest me as a cybersecurity professional living in the world of PKI and digital certificates.
The Usual Suspects (Social and Phishing Attacks)
Malware isn’t necessarily used for data theft so much as it is a way to gain entry into an organization’s infrastructure. According to the report, 94% of malware is delivered through email. Once installed, it’s most often used as a foothold for injection of more malicious programs or ransomware commands.
Social attacks are nothing new, but the use of social engineering as a tactic to infiltrate organizations is notably on the rise. Since 2013, the use of social engineering has increased by 18%, and, as the report highlights, executive-level accounts are a vulnerable target. A successful attack of this kind can be leveraged to gain privileged access to business-critical contacts and information, and potentially to impersonate a high-level individual and compromise the organization from the top down.
On the plus side, phishing incidents are down from the previous year – though it should be noted that users are more likely to click on a phishing email from their mobile device than their laptop. Increasing user awareness of suspicious messages, and not just the obvious signs like an invalid email address, is something security teams should pursue. Provide ways for users to report phishing attacks, involve them in your cybersecurity strategy, and deliver useful metrics to report back to the organization to ensure everyone is aware of the need to be vigilant.
Attacks from Within (Rogue Insiders)
As I’ve discussed in a previous blog post, rogue users aren’t necessarily malicious. They’re people with a job to do who sometimes cut security corners to get that job done.
The DBIR reveals that more than a third (34%) of attacks are perpetrated by “involved internal actors,” with healthcare as the industry leader in this type of breach. That comes as no surprise, given the lucrative target that healthcare delivery organizations offer hackers, as well as the comparatively low awareness of cybersecurity best practices amongst the medical professionals who handle sensitive patient data on a day-to-day basis.
Mitigation of these attacks – whether malicious or a mistake – must be a top priority. IT and cybersecurity leaders within the organization should ensure complete visibility of their cybersecurity programs, communicating their efforts to track actions, detect malicious activity, and remediate the issue, with consequences. Awareness of such programs alone will help deter malicious intent and encourage employees to report any suspicious activity.
Infrastructure Open Doors (Application Security)
If your organization builds and maintains its own website, there is a strong possibility that your web application servers could act as an open door to your infrastructure. As the report points out, “60% of the time, the compromised web application vector was the front-end to cloud-based email servers.” So even if you only offer web access to email, your organization could be at risk. Phishing links and phony login pages are often the root cause of such attacks.
Again, it starts with awareness. Ensuring your users know what an SSL certificate is, and that they pay attention both to the URL and to the certificate presented by your email web portal, can help mitigate this risk. Application owners should also ensure that the digital certificates they present to users are valid, meet current industry standards, and are never a day past their expiry date.
Certificate management platforms can help automate the lifecycle of these certificates and ensure that your applications stay operational and secure at all times, all with minimal effort from your PKI team.
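The certificate checks the two paragraphs above ask application owners to make, as an added example that is not code from this post or from Keyfactor: a Go program (standard library only) that generates a constructed self-signed certificate and then reports whether it is expired or inside a renewal lead time, exceeds the 398-day lifetime cap that browser policy applies to publicly trusted TLS certificates, carries an RSA key under 2048 bits, or is signed with MD5 or SHA-1. The thresholds are assumptions standing in for "industry standard"; in practice CheckCert would run over the certificates your servers actually present.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// Thresholds are this example's assumptions: renew 30 days ahead, cap lifetime at the
// 398 days browser policy allows publicly trusted TLS certificates, require RSA >= 2048.
const (
	day             = 24 * time.Hour
	renewLeadDays   = 30
	maxValidityDays = 398
	minRSABits      = 2048
)

// CheckCert reports findings for one certificate as of now; an empty slice means it passes.
func CheckCert(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired on "+cert.NotAfter.Format("2006-01-02"))
	case cert.NotAfter.Sub(now) < renewLeadDays*day:
		findings = append(findings, "expires within renewal lead time")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidityDays*day {
		findings = append(findings, "validity period exceeds 398 days")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		findings = append(findings, "RSA key shorter than 2048 bits")
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm "+cert.SignatureAlgorithm.String())
	}
	return findings
}

// MakeTestCert builds a constructed self-signed certificate (not a real one) with the given
// start date, lifetime in days and RSA key size, so the checks can be exercised offline.
func MakeTestCert(start time.Time, days, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: start, NotAfter: start.AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```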
Check out how our complete and scalable cloud-based certificate management platform (Keyfactor Command) enables you to secure every digital identity – from mobile and IoT devices to back-end applications and web servers.