Verizon's 12th Data Breach Investigations Report (DBIR) is the largest report to date, and therefore chock-full of information, including some nuanced points regarding telcos and smaller organizations.
Verizon's Gabriel Basset, senior information security data scientist, who is also one of the co-authors of the DBIR report, said smaller telcos and organizations need to pick their spots when deciding what cybersecurity threats they need to defend against.
Page 29 of the report illustrates that attackers generally go for quick and easy wins by taking the shortest steps possible in their attacks.
"They can only take one or two actions. If an error occurs, like if someone makes a mistake, that's normally one action that leads to the breach," Basset said. "Misuse is commonly one action, and in many attacks the attackers use very short attack patterns.
"If I were an organization trying to figure out how to allocate my security resources, I would step back and say, 'What do I want to defend against? Do I want to try to get above the majority of these attacks, these short attacks, or do I really want to be able to stop the more advanced threat, the espionage type, nation-state type attacks?' Espionage type attacks are significantly longer. They average five actions rather than averaging two actions for financially motivated attacks."
For larger service providers, Basset said it makes more sense to invest the amount needed to protect against that more advanced attacker. But spending more on cybersecurity doesn't always translate into better security.
Tier 2 or Tier 3 service providers, or small to medium-sized businesses, may need to take a different approach because they don't have the budget or IT staff to attempt to protect everything. Smaller service providers should put their security focus on known threats instead of trying to stop nation-state threats, Basset said.
"Can I stop those basic attacks? Can I get just a little bit better at stopping phishing or stopping credentials or preventing errors which lead to breaches? Because those types of actions are known things," he said. "We know what to do about phishing and there's common, straightforward things that people can do. Things like giving sandbox platforms to people that have to receive unknown files from outside, blocking macro-enabled Office documents and executables by email, filtering links that come in by email, using two-factor authentication, having credential stores, and password managers so that employees are less tempted to reuse passwords."
The next steps for smaller service providers include mapping out and patching externally-facing assets.
According to the report, various human errors accounted for a fifth of all data breaches this year. Of those errors, 21% were cloud configuration errors, which was an increase over 17% in 2017.
"While we saw a lot of breaches that occurred based off of logging into cloud services or breaches that occurred due to errors and misconfiguration of the cloud, particularly with the logins, the message here is not that there's something security specific about the cloud," Basset said. "Instead, when you move to the cloud, you don't get to leave behind all the baggage of all of the credential and phishing breaches you had before. That stuff still happens and you need to be aware of it. You need to be protecting yourself against it. If all your emails are in the cloud, well that's where you're going to get phished. That's where attackers are going to try to credential-stuff against your logins."
With attackers looking for the cheapest and quickest routes, Basset said the DBIR team took a look at how often attackers scan for ports, versus ports that actually exist or are in use. Even old services have potential vulnerabilities that attackers would love to find.
"So, Telnet is the number one service that attackers look for," he said. "On the other hand, it is the 15th most common service. I think this gives a good metric for figuring out what things are more valuable to the attacker because if they're looking for it more often than it's being used."
There are roughly 65,535 ports, according to the report, and organizations need to decide which ones to defend.
"Maybe a port has some legacy service that patches really aren't available for anymore," Basset said. "They have to decide, 'Do I really care about trying to patch this?' Maybe that's not necessarily a good choice to invest in patching or fixing or replacing because the attackers aren't actually looking for it. But, if the attackers are looking for it, is it really any value to the attackers? And, if it's not a value to the attackers, is there really a risk?"
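The sought-versus-used comparison described above can be applied to one organization's own data. The following is an added example, not code from the DBIR or Verizon: it ranks destination ports by denied inbound probes and by number of exposed hosts, then orders the exposed ports by how much more they are sought than used. The log format, addresses, port 5000 and the inventory are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: inbound firewall deny-log lines (documentation IP ranges).
DENY_LOG = "\n".join(
    f"2019-05-01T00:00:{i:02d} DENY TCP 203.0.113.{i + 1}:{40000 + i} -> 198.51.100.10:{port}"
    for i, port in enumerate([23, 23, 22, 445, 23, 22, 443, 23, 445, 22, 23])
)
# Constructed inventory: externally exposed port -> number of hosts exposing it.
EXPOSED = {443: 40, 22: 12, 5000: 2, 23: 1}

DST_PORT = re.compile(r"\bDENY\s+\w+\s+\S+\s+->\s+\S+:(\d+)\s*$")

def probe_counts(log_text):
    """Count denied inbound probes per destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DST_PORT.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts

def ranks(counts):
    """Map port -> rank, 1 = highest count; ties broken by port number."""
    ordered = sorted(counts, key=lambda p: (-counts[p], p))
    return {port: i for i, port in enumerate(ordered, start=1)}

def prioritize(log_text, inventory):
    """Return (port, sought_rank, used_rank, gap) rows for exposed ports.

    gap = used_rank - sought_rank; a large positive gap means attackers look
    for the port far more often than it is deployed. Ports nobody probed for
    get sought_rank None and sort last.
    """
    sought = ranks(probe_counts(log_text))
    used = ranks(inventory)
    rows = []
    for port in inventory:
        s = sought.get(port)
        gap = used[port] - s if s is not None else None
        rows.append((port, s, used[port], gap))
    rows.sort(key=lambda r: (r[3] is None, -(r[3] or 0), r[0]))
    return rows

if __name__ == "__main__":
    for port, s, u, gap in prioritize(DENY_LOG, EXPOSED):
        print(f"port {port}: sought rank {s}, used rank {u}, gap {gap}")
```

Port 445 is probed in the sample but does not appear in the output because nothing in the inventory exposes it.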
The report also found that C-level executives were increasingly being targeted by social breaches, which correlated with an increase of social engineering attacks with financial motivation.
According to the report, senior executives are 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than in previous years. Financially-motivated social engineering attacks (12% of all data breaches analyzed) are a big topic in this year’s report.
Other notable results from the report included:
• 52% of breaches featured hacking
• 33% included social attacks
• Organized criminal groups were behind 39% of the breaches
• 43% of breaches involved small business victims
• 28% of the breaches involved malware
• 32% of the breaches involved phishing.
The FBI contributed to this year's DBIR report for the first time. Analysis from the FBI Internet Crime Complaint Center (IC3) looked at Business Email Compromises (BECs) and Computer Data Breaches (CDBs). The findings highlight how BECs can be remedied. When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all U.S.-based business email compromises had 99 percent of the money recovered or frozen, and only 9 percent had nothing recovered.
"That means even after the money is stolen there's still something organizations can do," Basset said. "So if I were an organization and I were at risk of this or had had this happen, I would go immediately to this website, IC3.gov. There's a big red button that says report a cyber crime, and report it because the faster you report, the more likely they are going to be to help you. Even if they can't help you, providing the details about the type of crime helps them target their resources."
A record number of organizations (73) contributed to this year's DBIR report. The report analyzed 41,686 security incidents and 2,013 confirmed security breaches across 86 countries. The report also included 1.5 billion data points of information, including data from malware research firms.