The Same Old Targets, The Same Old Tricks and The Same Old Attacks ... Will Things Change With GDPR?

Introduction

With Uber having paid hackers to keep quiet about a data breach, many companies are now examining their data infrastructure so that they are not the next to be targeted. Against that backdrop, the 2017 Data Breach Investigations Report is always an interesting or a depressing read, depending on which side of the fence you are on.

One of the depressing things is that industry doesn't seem to be improving that much, and the results still show that the same old methods are still the most successful. The typical attack is a phishing email, followed by a user giving away their credentials, or the user having a weak or crackable password. This still works in the majority of data breaches [link].

To be able to articulate a data breach, we can define an incident taxonomy:

We thus need to understand the objectives, the threats, the attack tools, and our vulnerabilities. In the report, the attack vectors defined are:

  • Crimeware. The report outlines that this is now the 5th most common form of malware, and locks files for ransom.
  • Cyber-Espionage. This involves nation-state activity or others who wish to spy or steal IP from companies.
  • Insider and Privilege Misuse. While most of this involves stealing data that could be used in the future for financial gain, there is an increase in employees taking data with them to a new employer or a new start-up company.
  • Payment Card Skimmers. This includes ATMs fitted with card skimmers.
  • Physical Theft and Loss. In many cases an organisation protects its digital content, but cannot protect physical copies of documents. The majority of breaches in this category still involve physical documents.
  • Web Application Attacks. This normally involves stealing user credentials or compromising the code running on servers.
  • Point of Sale Intrusions. This is one of the most successful attacks and often targets the retail industry and small businesses.

2017 Results

Overall, the main motivation for breaches is still financial (accounting for 73% of all breaches). In the past few years, retail and healthcare have been particular targets, but it is still the finance industry which has the largest share (24%), followed by healthcare (15%), retail and accommodation (15%), and the public sector (12%).

While the news headlines often concentrate on large companies such as Yahoo and Equifax, the majority (61%) of data breaches are within organisations with fewer than 1,000 employees.

Of those who carried out the breaches, outsiders were the most common (75%), with insiders involved in the rest. Human error still accounts for about 18% of all breaches. Organised crime is the most common outsider threat (51%), followed by state-affiliated actors (18%).

The most popular delivery vector for malware is still email (66%), and 95% of phishing attacks were followed through with some sort of software installation. The report estimates that 1 in 14 users are still fooled into clicking a link or opening an attachment.

Over half of the breaches involve malware (51%), closely followed by social engineering at 43%. In most of the hacks, a stolen or weak password was used (81%). Companies need to watch physical access to data too, as it is still responsible for 8% of breaches.

Conclusions

Small companies are just as much at risk as large ones. The attack vectors stay the same as they have over the years ... typically tricking users into clicking on links and installing malicious software, or cracking passwords. Data theft is now a lucrative industry for organised criminal gangs, and they are identified in over half of the hacks.

The industry still isn't learning, but it will have to learn soon, as GDPR is coming to a country near you. In conclusion, the report repeats the same old advice:

  • Be vigilant!
  • Setup logging!
  • Make staff aware of the warning signs!
  • Restrict access to the minimum level required for a role!
  • Patch!
  • Encrypt!
  • Use 2FA!
  • Implement physical security!
