Verizon DBIR: Attackers Still Successful With Phishing, Other Well-Worn Types of Attack


People continue to be the weakest link when it comes to cybersecurity, according to the findings of the latest Data Breach Investigations Report (DBIR) from Verizon. The company analyzed 100,000 incidents for this year’s report, of which 3,141 were confirmed data breaches.

“Year after year, people continue to fall for phishing attacks,” says Verizon Global Investigation Manager Dave Ostertag in an interview with CivSource. Phishing and the use of single-factor authentication continue to lead the list of ways adversaries are able to get into organizations. Single-factor authentication amounts to a single login prompt where a user enters a name and password. The more secure version of this is two-factor authentication, which requires users to receive a code or provide a second credential before being fully logged into the system.

Phishing is one of the oldest and most persistently successful lines of attack for would-be hackers. Often, all it takes is the inclusion of a link or a document that looks just enough like the real thing to get people to fall for it. According to the report, the majority of adversarial logins to a system came from people who had legitimate credentials procured through phishing, weak passwords, or simply by guessing the default password that came with a device.

“A lot of the clients we speak to think they have to spend a lot of money up front to lock down a system, and the reality is you can fix a lot of this by making your passwords stronger,” Ostertag says. “Folks use the default passwords that come with devices and everyone already knows those. Or, they don’t change passwords once they pick one. Simply changing your password more often can make it harder for attackers to get in. It’s not that hard, but it does require more effort.”

The annual data breach report is compiled from Verizon’s own security services data along with contributions from 65 partner organizations.

Data shows that the top sector for attacks was financial services, followed by accommodation services like hotels. Attackers appear to be after information that will lead to some type of financial gain for them. The public sector also made it high on the list of targets. According to Ostertag, public utility systems are becoming more popular as potential attack points, but government at all levels has been taking steps to lock down grids, meters, and other aspects of this critical infrastructure.

“Securing utilities is definitely high on the priority list,” he says. “Governments are starting to recognize and respond to the vulnerabilities of those systems.”

Even though organizations may be getting better at recognizing the need for security, they’re still slow to discover when they’ve been attacked. Report data shows that attackers are getting better at getting into and out of systems quickly, while organizations are taking weeks if not months to figure out that someone has gotten in.

When it comes to where these attacks hit, that too is a well-worn path. Adversaries are still primarily coming in through web applications, content management systems, and login pages. Recent worries over mobile security and the Internet of Things have barely made it on the list in comparison, although we’re sure it’s only a matter of time.