People Weak Link in Security Chain, Says New Report

If you pay any attention to infosec headlines, you’ve likely seen it’s once again that time of year when Verizon releases its Data Breach Investigations Report (DBIR). The 9th annual report was released yesterday, and while much of it isn’t surprising, it is entirely disheartening.

A quick review of the findings shows cybercrime continues to target what hackers obviously deem the weakest link in the chain: me and you. Again, nothing new here, but the stats are disturbing. Sixty-three percent of confirmed data breaches involve using weak, default or stolen passwords. Thirty percent of phishing emails were opened, and in thirteen percent of those the recipient clicked to open the malicious attachment. And the one that completely frustrates me and my colleagues (see earlier post): most attacks exploit known vulnerabilities that weren’t patched, but could have been.

There are, of course, other interesting facts in the report, but what screams out at me is the need for better user training and please, people, better patching. Doing your due diligence here can mean the difference between a devastating breach and business as usual.

Phishing continues to be one of the favorite attack methods – 30% of phishing messages were opened, according to Verizon. It is a ‘tried and true’ way to take advantage of you and me. It typically plays out in three stages:

  • Bait and Cast: Send a phishing email with a link pointing to the malicious website, or a malicious attachment.
  • Catch One: Malware is downloaded onto an individual’s PC that establishes the initial foothold. Additional malware can be used to look for secrets and internal information to steal or encrypt files for ransom.
  • Catch a Few More: Many times the malware steals credentials from multiple applications through key logging. These can be used for further attacks, for example, to log into third-party websites like banking or retail sites.

This scary scenario again begs for better user training and patching, but also better management of user access. Limiting who has access to what isn’t a cure-all, but it sure makes things much more time-consuming for the bad guys.

The DBIR is one of the many depressing security research reports out there. Unfortunately, bright spots are hard to find. The bad guys keep coming and, as anyone in pursuit of something would, they take the path of least resistance.