I really like the annual Verizon Data Breach Investigations Report. The Verizon team succeeds at making the report detailed enough to be helpful, but also easy to read. The 2022 DBIR report is now out and it is a good read (see the link below to get the report). Here are just a few of my take-aways on the new report.
Phishing and stolen credentials are still the most common pathways to a ransomware infection and a data breach. Cybercriminals use phishing emails with poisoned links or attachments to break into your local system, and then worm their way into the IT infrastructure of your company or organization. Also, cybercriminals leverage the gains of past work to use compromised credentials to break into your systems. Because we humans tend to re-use our passwords, or use weak passwords, stolen credentials are one of the main ways criminals get access to our systems. There are other methods of compromise, but phishing and compromised credentials are the most common ways of gaining access. More on what you can do below.
We are still very much reliant on email to conduct our work. Yes, we use other messaging methods like Slack and Microsoft Teams, but we still tend to use a lot of email. Cybercriminals know they can target us through phishing emails. And we shouldn’t be naïve. These emails are now very sophisticated and can be hard to recognize. They look like the come from a colleague, or business partner, or vendor, or even our family members. But they contain deadly links and attachments.
What can we do thwart phishing emails? Here are a few of the ways we can protect ourselves:
- Conduct employee training on how to detect phishing emails. It is amazing how effective this can be. We do this at Townsend Security on a regular basis. And there is a bonus for acing the test! Full disclosure – I did not ace the test the last time, but I learned a lot from the exercise and we will do it again.
- An overlooked way to minimize the threat is to use an email service that builds in phishing email protection. Here at Townsend Security we use commercial Google Gmail infrastructure which helps in this area, but other email systems also provide this. If you are on an older email server infrastructure, it makes sense to migrate now.
- You should also disable macros in Word and Excel. Never allow code to execute from an untrusted party, and always be suspicious even if you think you know the person sending the email to you. If you are not expecting the email with an attachment or link, do not trust it. I’ve often just picked up the phone and called the sender to check.
Stolen credentials are also a big problem. Here are a few steps you can make to minimize this threat:
- Activate Multi-Factor Authentication (MFA) on all of your important accounts. This will go a long way to preventing the use of stolen credentials. Applications like Authy or Google Authenticator can make this easier.
- Use strong passwords and avoid re-using a password. This is incredibly hard without the use of a password manager. There are many password managers that you can use. LastPass and 1Password come to mind. But there are others.
- Periodically check to see if your credentials have leaked. Use the “Have I Been P0wnd” website to check your email address. If you use the Google Chrome browser you can use the built-in feature to show you where your passwords may have been leaked.
When it comes to analyzing who the main targets are, the report is very helpful. Many of the industries come as no surprise. Banks and financial services are high on the list. And healthcare providers are right up there, too. But did you know that schools are a target? And technology companies? And manufacturers? It turns out that almost everyone is a target! The report breaks these vertical segments out in some detail and it is enlightening to research your own industry segment for helpful pointers on how attacks are likely to play out.
Here are a few other items in the report that I found interesting:
The SolarWinds attack was a supply chain attack that was surprising and new. It made the news because of its devastating and rapid spread. It represented a relatively new attack vector with a high level of sophistication. Related to this is a new focus by attackers on MSPs and ITSOs. MSPs represent a valuable target as they often provide access to a large number of downstream end customers. Perhaps because of the SolarWinds attack the federal government is trying to strengthen the security posture of its suppliers. The new CMMC regulations are a part of this.
Ransomware is still on the rise. In spite of the fact that we are now quite aware of ransomware and how it works, it is increasing in terms of the frequency and number of attacks. This is probably because the attackers find it easy to execute and because it is so profitable. While the Verizon report does not talk much about data exfiltration due to ransomware, this is now a part of most ransomware attacks. If you don’t pay the ransom you will be threatened with the release of your sensitive data. That’s why we here at Townsend Security have been talking about encrypting all of your sensitive data.
In the past the health industry was a target due to the availability of patient medical information. Now the health industry is a target because of Personally Identifiable Information (PII). Perhaps this is because medical records systems are better at protecting patient medical information, but have not yet extended protections to good old PII?
Manufacturers are an increasing target. In the past manufacturers were the target of espionage efforts for IP theft. This is still true, but now the ransomware attackers are looking for quick gains from manufacturers. Espionage attacks are harder to detect as the attacker often does not want to be discovered. On the other hand, ransomware attackers WANT you to know they are there! And manufacturers are motivated to quickly make ransom payments in order to get their facilities back up and running.
If I did not mention your industry segment be sure to read the report. It covers a lot of different segments!
Hey, small businesses – heads up! You are now a prime target of ransomware attacks. You might be thinking that you are small fish and not worth the bother. That’s not true – payment of a small ransom is just fine for attackers. No more putting our heads in the sand. From the Verizon report:
“Contrary to what many may think, very small organizations are just as enticing to criminals as large ones, and, in certain ways, maybe even more so. Threat actors have the “we’ll take anything we can get” philosophy when it comes to cybercrime. These incidents can and have put small companies out of business. Therefore, it is crucial that even very small businesses (10 employees or less) should take precautions to avoid becoming a target.”
Small businesses especially need to improve their security around phishing and stolen credentials. If you are a small business and are being served by an outside Managed Service Provider, contact us. We have a special program that will empower your MSP to deliver encryption of sensitive data at a very reasonable cost.
The Verizon report doesn’t just tell us what happened. It gives some good pointers on what we can actually do to help prevent a data breach. See page 76 of the report for a very practical and achievable set of steps you can start taking right now.
If you are a security professional, this report is well worth a read. It helps us understand the mindset of the cybercriminal and how their techniques are evolving. If you are not a security professional, you might also like to peruse this report. It is very readable and even has some not-so-lame humor!
Patrick
Resources:
The Verizon Data breach report:
https://www.verizon.com/business/resources/reports/dbir/
CISA ransomware prevention guidance:
https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Google phishing training:
https://phishingquiz.withgoogle.com/
Have I been Pwnd: