The Verizon 2017 Data Breach Investigations Report (DBIR) is out in all its pithy and witty glory, and yet given the actual content, Verizon missed an opportunity to quote Clark Griswold from his European Vacation: “Hey look kids, there’s Big Ben, and there’s Parliament… again.”
The biggest takeaway from my review of the DBIR is that organizations are stuck on a great big roundabout, passing the same risks and the same bad guys again and again. Financially- and espionage-driven hackers and insiders are not going away. These actors continue to take advantage of loose access controls, malware, compromised credentials and phishing attacks to steal, in a matter of minutes or days, personal and financial data, corporate proprietary information and other sensitive files.
In our recently released 2017 Varonis Data Risk Report, we found that overly permissive access to files and stale data expose organizations to the same issues uncovered in the DBIR. On average, 20% of all folders on a corporate network are open to every employee, and in 47% of cases, 1,000 or more sensitive files are exposed to everyone!
Insider and Privilege Misuse…Again
Every year we’ve seen this category hold prominence in the DBIR, and we don’t have to search the news too far back to find an example of a financially- or espionage-driven case of insider attack. Just look at the ongoing case of Google’s Waymo vs. Uber and Otto where a former employee is accused of taking more than 14,000 files of proprietary designs to a competitor.
In the 2016 report, 70% of insider breaches took months or years to detect; this year that number is down to 63%, but it is still months or years to detection. When 71% of those attacks go after the personal information of employees, customers and patients, that is a big head start for the attacker over those of us whose personal data has been compromised. This should serve as a major motivator for all those organizations needing to meet the upcoming EU GDPR, which regulates the protection, access and disposal of personal information.
Ransomware Received a Promotion
Last year Verizon labeled ransomware a high-frequency, low-impact annoyance; we’re glad to see they are taking it more seriously this year, recognizing its climb from 22nd to 5th among the most common malware varieties. Ransomware has upped its game to become a $1 billion industry with more than 100,000 infections a day and an as-a-service model to rival its legitimate counterparts. Ransomware is now a board-room discussion, causing major productivity outages and even data loss.
Verizon makes good recommendations for malware detection technologies and education, but, as they note, people get clicky-clicky when it comes to emails and ads and therefore payloads circumvent their defenses. If this were the SAT, we’d write this analogy:
Bugs Bunny is to Elmer Fudd as ransomware is to endpoint protection.
Malware will get past endpoint security and malware detection, so organizations need to minimize an attack’s footprint by reducing access rights and monitoring the unique behavior of each individual.
We found that users have way more access to data than they need to do their jobs. Remember the 20% stat from the 2017 Varonis Data Risk Report I mentioned earlier? Imagine if ransomware encrypted 20% of your file shares simply because of global access and a single infected user!
Just as Cerber got around these perimeter defenses by delivering its executable from a Dropbox location, future ransomware variants will keep outsmarting the outer defenses. When access rights are reduced and user behavior is monitored, the damage is contained to what the infected account can actually reach, and the encryption burst stands out from that user’s normal activity early enough to be stopped.
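The two controls described above, limiting what a single infected account can reach and watching each user's own pattern of activity, can both be checked from data most file servers already produce. The following is an added example written for this post, not Varonis product code and not anything from the DBIR. The ACL inventory, sensitive-file counts and audit log lines are constructed for the example, and the 60-second window and threshold of six modifications are illustrative values, not recommended settings.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ACL inventory for the example: folder -> principals granted access.
# "Everyone" is the global group behind the "20% of folders open to all" statistic.
ACLS = {
    r"\\fs01\finance": {"Everyone"},
    r"\\fs01\finance\payroll": {"Everyone"},
    r"\\fs01\hr": {"HR-Staff"},
    r"\\fs01\engineering": {"Eng-Staff", "Everyone"},
    r"\\fs01\legal": {"Legal-Staff"},
}
# Constructed count of sensitive files (PII, financials) classified in each folder.
SENSITIVE_FILES = {
    r"\\fs01\finance": 120,
    r"\\fs01\finance\payroll": 900,
    r"\\fs01\hr": 300,
    r"\\fs01\engineering": 15,
    r"\\fs01\legal": 40,
}

def global_access_ratio(acls):
    """Fraction of folders on which the Everyone group has been granted access."""
    return sum(1 for p in acls.values() if "Everyone" in p) / len(acls)

def blast_radius(acls, sensitive_files, user_groups):
    """Folders one account can reach, and the sensitive files inside them.

    Everyone is always added to the user's groups, so global access shows up
    as reach the user was never explicitly given. This is what a single
    infected workstation can encrypt.
    """
    principals = set(user_groups) | {"Everyone"}
    reachable = sorted(f for f, p in acls.items() if p & principals)
    return reachable, sum(sensitive_files.get(f, 0) for f in reachable)

# Constructed file-server audit events: timestamp, user, action, path.
# bob's account starts renaming files to a suffix nobody on this server has used.
AUDIT_LOG = r"""
2017-05-02T09:00:01 alice read   \\fs01\finance\q1.xlsx
2017-05-02T09:00:09 alice write  \\fs01\finance\q1.xlsx
2017-05-02T09:03:40 alice write  \\fs01\finance\notes.docx
2017-05-02T09:10:00 bob   read   \\fs01\engineering\spec.docx
2017-05-02T09:12:00 bob   rename \\fs01\finance\q1.xlsx.locked
2017-05-02T09:12:02 bob   rename \\fs01\finance\notes.docx.locked
2017-05-02T09:12:03 bob   rename \\fs01\finance\budget.xlsx.locked
2017-05-02T09:12:05 bob   rename \\fs01\finance\payroll\may.csv.locked
2017-05-02T09:12:06 bob   rename \\fs01\finance\payroll\june.csv.locked
2017-05-02T09:12:08 bob   rename \\fs01\engineering\spec.docx.locked
2017-05-02T09:12:09 bob   rename \\fs01\engineering\README.txt.locked
2017-05-02T09:30:00 carol write  \\fs01\hr\reviews.docx
"""

WINDOW = timedelta(seconds=60)   # illustrative values; tune per environment
BURST_THRESHOLD = 6              # write/rename events per user per window

def parse_events(text):
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(None, 3)
        yield datetime.fromisoformat(ts), user, action, path

def detect_bursts(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Per-user behaviour check: many modifications in a short window, at least
    one of which introduced a file extension that user has never touched before
    (ransomware renames its victims to a new suffix). One alert per user."""
    recent = defaultdict(deque)   # user -> (timestamp, extension_was_new)
    seen_ext = defaultdict(set)   # user -> extensions in that user's own history
    alerts, alerted = [], set()
    for ts, user, action, path in events:
        ext = ntpath.splitext(path)[1].lower()
        is_new = ext not in seen_ext[user]
        seen_ext[user].add(ext)
        if action not in ("write", "rename"):
            continue
        q = recent[user]
        q.append((ts, is_new))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and any(new for _, new in q) and user not in alerted:
            alerted.add(user)
            alerts.append((ts, user, len(q)))
    return alerts

if __name__ == "__main__":
    print(f"folders open to Everyone: {global_access_ratio(ACLS):.0%}")
    folders, exposed = blast_radius(ACLS, SENSITIVE_FILES, {"Eng-Staff"})
    print(f"bob reaches {len(folders)} folders holding {exposed} sensitive files")
    for ts, user, n in detect_bursts(parse_events(AUDIT_LOG)):
        print(f"ALERT {ts} {user}: {n} modifications in {WINDOW.seconds}s")
```

Note what the numbers say: bob is only in the engineering group, yet global access hands his account finance and payroll as well, so the blast radius is three of five shares rather than one. The burst detector keys on the user's own history rather than a global blocklist of extensions, which is why it fires on the sixth rename without needing to know the family's name in advance.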
Password Hygiene Still Stinks
It’s 2017 and yet our password hygiene follows the same bathing practices that preceded the Black Plague: non-existent. 81% of hacking-related breaches involved weak or stolen credentials, an 18-point increase from last year. Password reuse is as common as a baby’s first babbles, or the Facebook CEO’s social media password, “dadada.”
We’ve seen billions of breached records across thousands of Internet services. These mega breaches have a ripple effect. Hackers take exposed usernames and passwords and try them against other services, like LinkedIn and Gmail. Even if a site itself hasn’t been breached, an inordinate number of users reuse the same username and password for every service, which makes them easy targets for this kind of credential replay.
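Replayed credentials leave a recognizable shape in a site's own authentication logs: one source trying many different accounts, mostly failing, with the occasional success wherever a reused password was still valid. The following is an added example written for this post, not code from Varonis or the DBIR. The log lines are constructed (TEST-NET addresses, example.com accounts), and the five-minute window and the thresholds are illustrative values rather than recommendations.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, source IP, username, result.
# 203.0.113.7 replays leaked credentials across many accounts (stuffing),
# 198.51.100.9 hammers one account (brute force), 192.0.2.5 is normal use.
AUTH_LOG = """\
2017-05-02T09:00:00 192.0.2.5    alice@example.com OK
2017-05-02T10:00:00 203.0.113.7  alice@example.com FAIL
2017-05-02T10:00:05 203.0.113.7  bob@example.com   FAIL
2017-05-02T10:00:11 203.0.113.7  carol@example.com FAIL
2017-05-02T10:00:16 203.0.113.7  dave@example.com  OK
2017-05-02T10:00:22 203.0.113.7  erin@example.com  FAIL
2017-05-02T10:00:27 203.0.113.7  frank@example.com FAIL
2017-05-02T10:05:00 198.51.100.9 alice@example.com FAIL
2017-05-02T10:05:03 198.51.100.9 alice@example.com FAIL
2017-05-02T10:05:06 198.51.100.9 alice@example.com FAIL
2017-05-02T10:05:09 198.51.100.9 alice@example.com FAIL
2017-05-02T10:05:12 198.51.100.9 alice@example.com FAIL
2017-05-02T10:05:15 198.51.100.9 alice@example.com FAIL
2017-05-02T11:00:00 192.0.2.5    bob@example.com   OK
"""

WINDOW = timedelta(minutes=5)   # illustrative values; tune to your traffic
MIN_ATTEMPTS = 6                # attempts from one source before judging it
MIN_DISTINCT_USERS = 5          # stuffing spreads attempts over many accounts
MIN_FAILURE_RATE = 0.8          # replayed credentials mostly miss

def parse_auth(text):
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def classify_sources(events, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                     min_users=MIN_DISTINCT_USERS, min_fail=MIN_FAILURE_RATE):
    """Slide a time window over each source IP's attempts.

    Returns {ip: (label, compromised_accounts)} where label is
    "credential_stuffing" (many accounts, few tries each) or
    "password_brute_force" (one account, many tries). Accounts that logged
    in successfully inside a stuffing burst are the ones whose reused
    password worked: they need a forced reset, not just a blocked IP.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            failures = sum(1 for _, _, ok in chunk if not ok)
            if failures / len(chunk) < min_fail:
                continue
            users = {u for _, u, _ in chunk}
            if len(users) >= min_users:
                findings[ip] = ("credential_stuffing", {u for _, u, ok in chunk if ok})
                break
            if len(users) == 1:
                findings[ip] = ("password_brute_force", set())
                break
    return findings

if __name__ == "__main__":
    for ip, (label, hit) in classify_sources(parse_auth(AUTH_LOG)).items():
        extra = f", compromised: {sorted(hit)}" if hit else ""
        print(f"{ip}: {label}{extra}")
```

The distinction between the two labels matters for the response: a brute-force source is handled by lockout or rate limiting on the one account, while a stuffing burst means the password database of some other service is being replayed against yours, and the accounts that succeeded (dave here) are already compromised regardless of what you do to the source IP.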
Disposal Errors Will Create a Mess for GDPR
The report’s classification of disposal errors is spot on! While it’s third on the list, the fact that it’s on the list at all and accounts for 10% of miscellaneous errors (up from 6.5% in 2016) is a major palm-in-face moment. That’s like throwing out your old tax returns in a box marked “tax returns” instead of shredding them and burying them in the dirty diaper bag.
With new regulations like the upcoming GDPR, there’s no room for “oops” in the safe disposal of EU citizen data that a data subject has asked to have erased or that has outlived its original purpose. Failure to properly identify and dispose of EU citizen data increases an organization’s chance of a data breach and can result in a major fine. In the 2017 Varonis Data Risk Report, we found that 71% of all folders contain stale data; that means we’re feeding and caring for a lot of data that isn’t useful and could become a liability if lost or stolen.
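Finding that stale data is the first step, and the most urgent part of it is the stale data that is also sitting in folders open to everyone. The following is an added example written for this post, not Varonis product code. The file inventory, modification dates and ACL summary are constructed; the 180-day threshold and the "today" date are illustrative, and in practice the threshold should come from your retention schedule, not a guess.

```python
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2017, 5, 2)           # constructed "today" for the scan
STALE_AFTER = timedelta(days=180)  # illustrative; set from retention rules

# Constructed file inventory: (path, last modified). Real input would come
# from a directory walk or a storage-index export.
FILES = [
    (r"\\fs01\finance\q1.xlsx", date(2017, 4, 20)),
    (r"\\fs01\finance\fy2012.xlsx", date(2012, 9, 1)),
    (r"\\fs01\finance\archive\fy2011.xlsx", date(2011, 8, 1)),
    (r"\\fs01\finance\archive\fy2010.xlsx", date(2010, 8, 1)),
    (r"\\fs01\hr\applicants-2014.csv", date(2014, 3, 10)),
    (r"\\fs01\engineering\spec.docx", date(2017, 4, 28)),
    (r"\\fs01\legal\nda-template.docx", date(2016, 12, 1)),
]
# Constructed ACL summary: folder -> is the Everyone group on the ACL?
OPEN_TO_EVERYONE = {
    r"\\fs01\finance": True,
    r"\\fs01\finance\archive": True,
    r"\\fs01\hr": False,
    r"\\fs01\engineering": False,
    r"\\fs01\legal": False,
}

def folder_of(path):
    """Parent folder of a UNC path; plain string split keeps keys consistent."""
    return path.rsplit("\\", 1)[0]

def is_stale(last_modified, as_of=AS_OF, stale_after=STALE_AFTER):
    return as_of - last_modified > stale_after

def stale_folders(files, as_of=AS_OF, stale_after=STALE_AFTER):
    """Folders in which every file is past the threshold, i.e. the "stale
    folder" the Data Risk Report counts. Returns (set, fraction of folders)."""
    by_folder = defaultdict(list)
    for path, mtime in files:
        by_folder[folder_of(path)].append(is_stale(mtime, as_of, stale_after))
    stale = {f for f, flags in by_folder.items() if all(flags)}
    return stale, len(stale) / len(by_folder)

def disposal_candidates(files, open_to_everyone, as_of=AS_OF, stale_after=STALE_AFTER):
    """Stale files in folders open to Everyone, oldest first: unused data
    with the widest exposure, so the first thing to review, archive or delete."""
    hits = [(path, mtime) for path, mtime in files
            if is_stale(mtime, as_of, stale_after)
            and open_to_everyone.get(folder_of(path), False)]
    return [path for path, _ in sorted(hits, key=lambda item: item[1])]

if __name__ == "__main__":
    stale, ratio = stale_folders(FILES)
    print(f"{ratio:.0%} of folders contain only stale data: {sorted(stale)}")
    for path in disposal_candidates(FILES, OPEN_TO_EVERYONE):
        print("review for disposal:", path)
```

The per-folder and per-file views answer different questions: a folder where nothing has changed in years is a candidate to archive whole, while a single stale spreadsheet in an otherwise active finance share (fy2012.xlsx here) is the kind of file that gets overlooked until it turns up in a breach.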
If you feel you’re stuck on this roundabout, passing the same risks and cyber bad guys again and again, then let us help you find your exit so you can keep driving your security and business needs forward. Take a (free) risk assessment to find out what vulnerabilities lurk in your environment.