Attacks/Breaches

5/22/2013
06:22 AM
Dark Reading
Quick Hits

The Eight Most Common Causes Of Data Breaches

Why do bad breaches happen to good companies? Here's a look at the most frequent causes

[The following is excerpted from "The 8 Most Common Causes of Data Breaches -- And How You Can Prevent Them," a new report published this week on Dark Reading's Attacks and Breaches Tech Center.]

Data breaches have dominated headlines recently. Whether it's nation-state spies intent on stealing information, cyber pranksters and hacktivists looking for attention, or cybercriminals out to make a buck, there are plenty of adversaries intent on breaking into networks and databases and carrying away whatever pieces of information they can grab.

"And from pubs to public agencies, mom-and-pops to multinationals, nobody was immune," the Verizon RISK Team writes in its "2013 Data Breach Investigations Report."

Verizon investigators analyzed information from 621 data breaches and more than 47,000 security incidents in 2012 that the company or one of its 19 partner organizations had investigated on the behalf of customers.

Motives for the data breaches are diverse. Hacktivists and those looking to make some money generally go after the low-hanging fruit -- the insecure systems in the enterprise -- to carry out their plans. Organized crime may be a bit more willing to spend the time going after better-protected systems in hopes of a bigger payoff. Then there are those targeting a specific individual or organization -- these adversaries are stealthy and persistent enough to slowly chip away at defenses until they get what they are looking for.

Even as the list of victims gets longer, it's increasingly clear that some of these breaches could have been prevented. Of the breaches included in the report, 78% had initial intrusions Verizon's investigators rated as "low difficulty."

Many of these attacks could have been prevented by adopting security controls, switching authentication schemes and adopting best practices, Verizon suggested.

While Verizon investigators cautioned against trying to treat all the breaches in the same way, they identified several ways in which organizations have been compromised. Understanding these categories can help organizations figure out how best to boost their defenses.

Several of the most common attack methods in the report fall into two broad categories: hacking and malware. The report identifies hacking as the most common method, at 52%, followed by malware, at 40%, and physical attacks -- such as adding skimming hardware on ATMs -- at 35%. Social engineering is also a serious problem, at 29%. "Misuse," which includes activities such as privilege abuse and the use of unapproved hardware, and which correlated strongly with insider attacks, was observed in 13% of the breaches. User error rounded out the list with 2%.

"Treating our adversaries as random and unpredictable is counterproductive. We may be able to reduce the majority of attacks by focusing on a handful of attack patterns," Verizon researchers write in the report. Following are eight ways that enterprise systems and data are being targeted.

1. Weak And Stolen Credentials, a.k.a. Passwords
Hacking remains the single biggest cause of breaches, and many of these attacks don't depend on finding vulnerabilities in the application or network protocol to tunnel through. For years, experts have warned about the risks of relying on weak credentials to restrict who has access to the data, and this is still a problem.

About 76% of network intrusions involved weak credentials, according to Verizon's data breach report. Authentication-based attacks, which include guessing passwords, cracking using specific tools, or trying out passwords from other sites on the target system, factored into about four of every five breaches that were classified as hacking incidents in 2012, Verizon says.

Stolen passwords played a role in 48% of the data breaches that involved hacking, Verizon found. This could have been accomplished by using stolen password lists from previous data breaches, keylogging malware or phishing attacks.

If that number isn't eye-popping enough, Verizon estimated that 80% of data breaches would have been stopped or forced to change tactics if a "suitable replacement" (such as multifactor authentication) to passwords had been used.
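As an added illustration of the authentication-based attacks described above (this code is not from the report or the article), the detection logic below separates single-account password guessing from replay of leaked username/password lists in constructed SSH-style auth log lines; the log format, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data): one source hammering "admin",
# one source trying a different leaked name on every attempt, one ordinary user.
SAMPLE_LOG = (
    [f"Mar  1 10:00:{i:02d} host sshd[2201]: Failed password for admin from 203.0.113.5 port 50{i:02d} ssh2"
     for i in range(6)]
    + [f"Mar  1 10:01:{i:02d} host sshd[2202]: Failed password for invalid user {u} from 198.51.100.9 port 51{i:02d} ssh2"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["Mar  1 10:02:00 host sshd[2203]: Failed password for alice from 192.0.2.7 port 5200 ssh2",
       "Mar  1 10:02:05 host sshd[2203]: Accepted password for alice from 192.0.2.7 port 5200 ssh2"]
)

# Matches OpenSSH-style failure lines; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_failures(lines):
    """Return {source_ip: [usernames tried]} for failed logins; other lines are ignored."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
    return failures


def classify_sources(lines, min_failures=5, stuffing_ratio=0.5):
    """Label each source IP by its failure pattern.

    - many failures against few accounts   -> "password_guessing" (brute force / cracking)
    - many failures, mostly distinct names -> "credential_stuffing" (leaked lists replayed)
    Sources below min_failures are not flagged. Thresholds are assumed; tune per environment.
    """
    verdicts = {}
    for src, users in parse_failures(lines).items():
        total = len(users)
        if total < min_failures:
            continue
        distinct_ratio = len(set(users)) / total
        verdicts[src] = "credential_stuffing" if distinct_ratio >= stuffing_ratio else "password_guessing"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Either verdict is a signal to rate-limit the source and to verify that the targeted accounts are protected by multifactor authentication, the "suitable replacement" the report refers to.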

2. Back Doors, Application Vulnerabilities
Considering that Verizon's system identifies more than 40 types of hacking, the fact that nearly all the hacking activity was accounted for by five methods is "remarkable," the researchers wrote. Along with the use of stolen credentials and brute-force methods, both of which deal with the issue of weak credentials, other common hacking actions include the use of back doors (44%) and SQL injection (8%). Exploiting buffer overflow vulnerabilities made the top 10 common hacking actions, but was observed in only 1% of the incidents.

"Security teams have to use tools that sift through tens or hundreds of thousands of vulnerabilities continuously, finding the most likely attack routes and the vulnerabilities that need to be blocked to prevent the breach," says Gidi Cohen, CEO and founder of Skybox Security.

Attacks exploiting vulnerabilities in Web applications increased from previous years but are no longer the leading attack vector among larger organizations, Verizon found.

To read about the other six most common causes of data breaches -- and what your organization can do about them -- download the full report.
