“We’re not mad, just disappointed.” This summarizes a lot of the conclusions made in the 2016 Verizon Data Breach Investigations Report (DBIR).
This comprehensive report covers 100,000+ incidents, including 2,260 analyzed breaches across 82 countries (if you don’t have time to read the full report, you can check out the executive summary). Most of these breaches can be attributed to human error, and mostly not the active kind of human error, such as misconfiguration or inappropriate behavior. Rather, these errors are mostly due to failing to notice or inaction when it comes to the most basic security efforts such as patching, encryption and multi-factor authentication.
“In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred — and it was typically customers or law enforcement that sounded the alarm, not their own security measures.”
Yes, the report paints a grim picture as to our current collective state of cybersecurity readiness. However, after digging into this year’s report, the news was not too fatalistic. In fact, there are some clear and significant steps that can be taken immediately and that are very much within the capacity the typical organization. Here are some of the highlights from the report:
“The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works.”
63% of confirmed data breaches involved weak, default or stolen passwords.
Unfortunately, according to this year’s report, the password situation has not improved much. “All those efforts to get users to use special characters, upper/lower case numbers and minimum lengths are nullified by this ubiquitous malware functionality.” And to make matters worse, “[Organizations] are leaving well-known vulnerabilities open and letting employees use easy-to-guess passwords—and often even the default [passwords] that devices come with.”
In other words, passwords are not very secure to start with; and, even when they are well implemented in terms of strength and uniqueness, they represent only a minor inconvenience to the determined attacker.
“Don’t get us wrong—passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”
Use two-factor authentication: This can limit the damage that can be done with lost or stolen credentials.
The report is quick to recommend protecting “the rest of your network from compromised desktops and laptops by … implementing strong authentication between the user networks and anything of importance. Static passwords are adorable, but sophisticated attackers don’t just bypass them, they utilize them to advance their attack.” And, while they are quick to admit that “we know that implementation of multi-factor authentication is not easy,” they nevertheless point out that there is really no other choice:
“We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea. Even with all of that, 63% of confirmed data breaches involved leveraging weak/default/stolen passwords. This statistic drives our recommendation that this is a bar worth raising.”
Multi-factor authentication is currently the best way to mitigate stolen or compromised credentials. But it doesn’t have to be a nightmare, nor does it have to be a burden on users. That is one of the reasons that Centrify launched the MFA Everywhere initiative. Centrify delivers one of the industry’s easiest-to-use context-based MFA solutions that supports all types of enterprise users — including employees, contractors, outsourced IT, partners and customers — across a broad range of enterprise resources — including cloud and on-premises apps, VPNs, network devices, and cloud and on-premises servers.
“The disgruntled insider—we all have an idea in our minds of what this person looks like…is inside our carefully constructed defenses and they are wreaking havoc with our data.”
70% of breaches involving insider misuse took months or years to discover.
The report shows that misused privileged access is at the center of a significant portion of breaches — and not just from malicious insiders. We know from a recent Centrify survey that 52% share their access credentials at least somewhat often with contractors and vendors. The 2016 DBIR makes these clear recommendations for managing privileged access:
- Ensure that access is limited to those who really need it and “make sure that you are aware of exactly where your data is and be careful who you give privileges to and to what degree.”
- Track system usage — particularly access to data that can be used for financial gain. In other words, “monitor the heck out of their authorized daily activity”
- Revoke access immediately when employees leave.
This year’s DBIR is the ninth annual report. While the data collected is fresh, many of the conclusions remain the same. Both vigilance and diligence for the essentials including user training and basic common sense application of patching, encryption and multi-factor authentication. Certainly security leaders should read and digest this valuable insight and should encourage their IT leadership to do the same.
To learn more about defending your security perimeter against the #1 point of attack of data breaches (according to Mandiant) check out Securing Enterprise Identities for Dummies.