Call us today on: +44 (0)203 88 020 88
SecureTeamSecureTeamSecureTeamSecureTeam
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Wireless Network Penetration Test
      • Vulnerability Assessment
      • Network Segregation Test
      • Voice over IP (VoIP) Penetration Test
    • Application Testing
      • Web Application Penetration Test
      • Mobile Application Penetration Test
      • Desktop Application Security Assessment
      • Citrix Breakout Test
    • Configuration Review
      • Windows Server Build Review
      • Linux Server Build Review
      • Citrix Configuration Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials
  • News
  • Articles
  • About
    • About SecureTeam
    • STORM Appliances
      • Installing a STORM Device
      • Returning a STORM Device
    • White-Label Consultancy
    • Jobs
    • Cookie Policy
    • Privacy Notice
    • Website Terms & Conditions
  • Contact Us

Articles

Home  >  Articles  >  Information Assurance  >  Key Lessons from 2020 Data Breach Report
NextPrevious

Key Lessons from 2020 Data Breach Report

Articles, Information Assurance | 24 June, 2020 | 0

Verizon has published their 13th annual Data Breach Investigations Report – and it focuses on security incidents and breaches that occurred during 2019. The 2020 DBIR analysed 157,525 incidents, 32,002 in detail and confirmed 3950 breaches in 81 countries.

Although the scope is global, half of the incidents in the data come from North America and only 13% from Europe.

The DBIR differentiates between a breach (where data is confirmed to have been stolen) and an incident (where data disclosure was not confirmed but the confidentiality, integrity or availability of the data was compromised).

The DBIR reports incidents and breaches that took place (succeeded in other words) – so it paints a somewhat different view of the world compared to reports from security vendors who also include data about failed attacks which were blocked by their security systems.  For example, Cryptocurrency mining malware was present in just 1.5% of incidents – yet 10% of organisations received (and blocked) Cryptocurrency mining malware during the year.

The full report can be obtained from the Verizon website

Contents

  • 1 Why breaches happen
  • 2 What is being targeted
  • 3 Vulnerability Management is only the start
  • 4 Practice Makes Perfect
  • 5 Key takeaways

Why breaches happen

Knowing your enemy helps you defend your network.  When it comes to understanding the motivation of threat attackers the adage to ‘follow the money’ proves true:

86% of breaches were financially motivated and Organised Crime was behind 55% of breaches.

70% of breaches were perpetrated by external actors and they were prepared to work for their money – 45% of breaches featured active Hacking whereas Malware was involved in only 17% of breaches.

However, a growing trend in the report this year is the own-goals scored by in-house teams. Errors and Misconfigurations were causal events in 22% of breaches

When considering just breaches: all types of threat actions are trending down over the last five years (including Hacking, Social engineering and Malware) except for Errors and Misconfigurations which is slowly on the rise.

 

What is being targeted

Web applications were involved in 43% of breaches and 37% of breaches stole or abused credentials.  So, when it comes to data theft, not surprisingly threat attackers are focusing on the main exposed attack surface – which is the internet facing web application servers in most networks.

Criminals don’t want to have to work for a living any more than anyone else -so they start with the low hanging fruit and try to brute force or steal credentials where they can. The primary means for obtaining credentials is Phishing (present in 22% of breaches) or credential theft by other means (in another 20% of breaches).

The next two most prevalent threat actions in breaches are based on Errors – with either misdelivery of confidential information or misconfiguration of access controls accounting for another 20% between them.  We don’t know how much of this growth in the Errors category is a result of more transparent and honest reporting by organisations when they make a mistake and how much is down to the increased use of cloud and SaaS systems and staff are making errors with unfamiliar new tools.

Over 70% of attacks are focused on servers (as opposed to personal computers or kiosks/terminals etc). The attacks on servers are biased with 40% of total attacks  being against web application servers, 20% against mail servers and 10% against database servers – reflecting both where the weaknesses lie and how exposed the different types of server are to the internet.

Hacking that resulted in successful breaches is focused on Brute Force of use of Stolen Credentials (in 80% of breaches that involved Hacking) – and over 80% of those attacks were focused on Web Applications.

 

Vulnerability Management is only the start

Identifying and patching vulnerabilities occupies a lot of time and effort in security teams.  Perhaps because (regulatory mandates aside) Peter Drucker was right: ‘what gets measured gets managed’ and it is easy to measure vulnerabilities and patching thanks to the existence of automated vulnerability scans.   The exploitation of vulnerabilities was a factor in only 5% of breaches.

Patching is important but once it is in place there are other things that will have a much greater impact on your network’s security that need to be addressed.

Dominant themes in the DBIR report suggest it will be prudent to invest in steps that will: Enhance the security of Web Application servers – these are the main target of attacks and reduce the number of Errors performed by your staff.

 

Practice Makes Perfect

SIEM systems and a well-rehearsed Security Incident Response Plan will help you spot and contain incidents more quickly.  Generally, organisations have made great strides in recent years to spot and contain incidents much more quickly.

Breaches are being spotted and contained more quickly – practicing the Incident Response Plan really pays off.  In 2016 over 60% of breaches went undetected for several months, but in 2019 over 60% of breaches were detected and contained in ‘days or less.’

 

Key takeaways

Web Application servers were the primary target in most breaches – first using stolen credentials or credential stuffing and secondly by hacking the application server software.  Invest in enhancing the security of the network components which are the target of most attacks – validate your network security through Web Application Penetration Testing.

Credential theft and Phishing is implicated in over 40% of breaches – Security Awareness Training will help your team improve their password hygiene and protect their credentials.

Misconfiguration of Cloud Services and Network Devices is increasingly mentioned in data breach reports – it was a factor in over a fifth of breaches in 2019.  A External Network Penetration Test will identify problems in your network infrastructure.

 

 

Subscribe to our monthly cybersecurity newsletter
Stay up-to-date with the very latest cybersecurity news & technical articles delivered straight to your inbox
We hate spam as much as you do. We will never give your email address out to any third-party.
Security operations, SIEM, vulnerability management, web applications

Related Post

  • Hackers target Oracle WebLogic vulnerability

    By Mark Faithfull

    Oracle patched a vulnerability in their WebLogic server in October 2020 – eight days later working exploit code was published online and now it is being used by criminals. CVE-2020-14882 allows an attacker to performRead more

  • Ghostcat leaves Tomcat vulnerable

    By Mark Faithfull

    A serious vulnerability, dubbed Ghostcat, has been discovered in Apache Tomcat and criminals are already trying to exploit it. Tomcat is one of the most popular Java application servers, with over 800k active installations visibleRead more

  • Two thirds of cyber-crimes repeated within 12 months

    By Mark Faithfull

    According to a new report, 68% of organisations that suffered a network breach are the victim of a repeat attack within a year.  Cyber-criminals assume that organisation will not learn a lesson from the firstRead more

  • VMWare warns of critical zero-day vulnerability

    By Mark Faithfull

    VMWare has issued a security advisory warning of a command injection vulnerability that could allow someone with access to the VMWare Configurator admin account to issue command with unrestricted privileges on the underlying operating system.Read more

  • NCSC alerts over MobileIron vulnerability

    By Mark Faithfull

    The UK National Cyber Security Centre has issued an alert warning that multiple actors are attempting to exploit a MobileIron vulnerability to compromise the networks of UK organisations. MobileIron issued a security patch in JuneRead more

NextPrevious

Recent Posts

  • CISA Warns of Pass-the-Cookie attack
  • Microsoft Patches Critical Bugs
  • Flash is dead – now delete it from your system
  • 100000 Zyxel firewalls have hardcoded backdoor exposed
  • When Good Employees Go Bad

Tags

Android blockchain Bluetooth Chrome Cisco credential stuffing cyber crime cyber essentials cyber security cyber security news Data Protection DNS Ethereum Exchange Server exim fileless formjacking GDPR Intel IoT Linux MacOS Meltdown microsoft ncsc patching penetration testing phishing ransomware RDP Row Hammer security breach Security operations security testing SIEM Spectre supply chain attacks Sysinternals Tomcat TPM VNC vulnerability management web applications web browsers wireless

Archives

  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • July 2018
  • June 2018
  • April 2018
  • January 2018
  • October 2017
BCS Cyber Essentials Cyber Essentials Cyber Essentials PLUS ISO 9001 ISO 27001
information. secured.
  • Home
  • Our Services
    • Infrastructure Testing
      • Internal Network Penetration Test
      • External Network Penetration Test
      • Wireless Network Penetration Test
      • Vulnerability Assessment
      • Network Segregation Test
      • Voice over IP (VoIP) Penetration Test
    • Application Testing
      • Web Application Penetration Test
      • Mobile Application Penetration Test
      • Desktop Application Security Assessment
      • Citrix Breakout Test
    • Configuration Review
      • Windows Server Build Review
      • Linux Server Build Review
      • Citrix Configuration Review
    • Information Assurance
      • ISO 27001 Gap Analysis
    • Cyber Essentials
  • News
  • Articles
  • About
    • About SecureTeam
    • STORM Appliances
      • Installing a STORM Device
      • Returning a STORM Device
    • White-Label Consultancy
    • Jobs
    • Cookie Policy
    • Privacy Notice
    • Website Terms & Conditions
  • Contact Us
SecureTeam
SecureTeam use cookies on this website to ensure that we give you the best experience possible. If you continue to use our site we will assume that you are happy with cookies being used.OkRead more