Analysis: Simple repeat cyber attacks are paying dividends for criminals year on year because victims ignore basic security.
Enterprises are facing huge numbers of repeated simple cyber attacks because they are profitable for criminals and enterprises are failing to fix basic vulnerabilities, warned a major report just days after more high-profile data hacks were reported.
The warning comes as the latest high profile successful attack was made public with the dating web site beautifulpeople.com having 1.1m records stolen and put up for sale on the dark web.
(For more on how criminals buy and sell data, see Beheading the hydra: Is infiltration the only way to stop dark web cyber criminals? and Is cybersecurity losing the battle?)
According to Verizon’s 2016 Data Breach Investigations Report, due to the poor state of enterprise cyber security, the most lucrative investment model for cyber-criminals has been simply to continue doing the same thing year after year.
The report, which analysed 2,260 confirmed data breaches and over 100,000 reported security incidents, found that the same types of attack still dominate.
According to Symantec research released last year, a stolen email account was worth between $4 and $30 in 2007, whereas by 2015 a batch of 1,000 stolen email accounts sold for $0.50 to $10.
That collapse in price means criminals have had to increase both the quantity and the quality of the data they steal from enterprises in order to stay profitable.
However, this hasn’t meant developing new techniques to carry out attacks but simply ramping up their deployment of basic techniques, largely because the state of enterprise security is so poor, according to the report.
It found that 90 percent of breaches still fit into nine patterns and the top 10 vulnerabilities accounted for 85 percent of successful exploit traffic.
Miscellaneous errors were responsible for 17.7 percent of breaches, while insider and privilege misuse followed at 16.3 percent.
Physical theft and loss at 15.1 percent was slightly ahead of denial of service at 15 percent.
The report also found that in most industries even fewer patterns were involved. In accommodation, entertainment, professional services and retail, 90 percent or more of incidents fell into only three basic patterns.
In financial services, 88 percent of breaches involved three patterns: in this case, web app attacks, crimeware and denial of service.
The report also showed just how low the bar to a successful attack is: in 93 percent of cases, attackers needed only minutes to gain access to a network.
These are not sophisticated, unstoppable attacks, but basic methods of attack for which basic methods of defence exist.
Putting up even a low hurdle that would stop most of these easy attacks would require only a minor investment from enterprises.
“We need to get better at detecting whether we have a problem and we need to make the investment cost of a breach higher,” Lorenz Kuhlee, Incident Response/Forensic Consultant, Verizon RISK Team, told CBR.
“If he can use the same tool and it’s working, why should he change it?”
For example, since credential theft remains such a large factor in breaches, Kuhlee suggests that companies with remote workers implement two-factor authentication.
However, Kuhlee says that the report mainly reveals how inadequate adoption of such technology has been.
“Stolen credentials is a big thing in cyber crime, and companies know two-factor authentication can break this, so we should have seen that stolen credentials is no longer a major incidence pattern.”
Protecting a web server is another area where Kuhlee says an easy fix is available: file integrity monitoring.
“You install software that makes a fingerprint over your internet access files, and if somebody changes a file you know immediately.”
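As an added illustration (not code from the article, from Kuhlee or from Verizon), the following Python script does what that description amounts to in practice: it fingerprints every file under a web root with SHA-256, saves the baseline, and on the next run reports files that were added, deleted or modified. The temporary web root, its file names, and the simulated tampering are constructed for the example; real deployments would point `build_baseline` at the actual document root and run it on a schedule.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed example of file integrity monitoring. Not code from the
# article or from Verizon; file names and contents below are made up.

HASH_ALG = "sha256"


def fingerprint(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and map each file's relative path to its digest.

    Symlinks are skipped so that a monitored name cannot be pointed at a
    file outside the tree and have the monitor hash that instead.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue
            rel = full.relative_to(root_path).as_posix()
            baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. Additions and deletions matter as much as
    modifications: a dropped web shell shows up as an added file."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, dest: str) -> None:
    """Persist the baseline as JSON. In production keep this copy off the
    web host, or at least unwritable by the web server's user; otherwise
    whoever can write the docroot can also rewrite the baseline."""
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(src: str) -> dict:
    with open(src) as fh:
        return json.load(fh)


def demo() -> dict:
    """Build a throwaway docroot, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as docroot, \
            tempfile.TemporaryDirectory() as store:
        root = Path(docroot)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        (root / "old.html").write_text("<html></html>")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(docroot), baseline_file)

        # Simulated tampering: an existing page edited, a web shell
        # dropped, and a file removed.
        (root / "index.php").write_text("<?php eval($_POST['c']); ?>")
        (root / "shell.php").write_text("<?php system($_GET['x']); ?>")
        (root / "old.html").unlink()

        return compare(load_baseline(baseline_file), build_baseline(docroot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Run as a script it prints one line per changed file. The design choice worth noting is that the baseline is written somewhere other than the monitored tree and that new files are reported, not just changed ones; a monitor that only watches known files misses the most common web-server compromise, which is a file the attacker adds.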
The point is that these are very basic remedies, and they might be enough to tip the cyber criminals' business into the red.
What has slowed adoption? Kuhlee notes that many organisations may have focused too narrowly on weighing the cost of a fine against the cost of investing in cyber security.
However, this ignores the fact that the cost of a hack can go much deeper than this, as the fall-out from the beautifulpeople.com hack goes to show.
Additionally, as the report itself notes, “often even a half-decent defense will deter many cybercriminals — they’ll move on and look for an easier target. Sadly, many organisations fail to achieve even that modest ambition.”
The starkest warning, though, is Kuhlee’s statement that “it will get harder for a company every year if they don’t start to change anything now.”