BeyondTrust Contributes Vulnerability Statistics to the 2017 Verizon Data Breach Investigations Report
May 2017 by BeyondTrust
BeyondTrust announced that the 2017 Verizon Data Breach Investigations Report (DBIR) leverages anonymous vulnerability statistics from BeyondTrust. The data was provided to help classify threats that have not been mitigated on the Internet. It was classified by business vertical, platform, age and vulnerability, and was drawn from BeyondTrust’s BeyondSaaS cloud-based vulnerability management solution hosted in Microsoft Azure.
Key findings of the report include:
• Breaches attributed to external actors are on the decline (75% this year), and threats attributed to insiders are increasing (25% this year). While the gap is still wide, the trend has been consistent for the last three years, indicating that organizations need to take the insider threat more seriously as an attack vector. Among outsiders, 62 percent used hacking techniques targeting misconfigurations, vulnerabilities and exploits.
• The theft of credentials (i.e. usernames and passwords) in 2016 represents a 5x increase versus the previous peak year (2012). With issues like password re-use a factor, threat actors have easy-to-use methods to compromise personal and business accounts. Further, 81 percent of breaches leveraging hacking techniques (misconfigurations, vulnerabilities or exploits) used stolen or weak passwords, up from 63 percent last year. This confirms that privileges are the primary means of conducting a successful attack, and that they are obtained primarily through hacking techniques.
• In addition, this year’s report tells us that 14 percent of breaches were the result of privilege misuse, and that it is taking months or even years to detect them. Privilege misuse was the #3 breach pattern and the #2 incident pattern in 2016, and although the number of privilege misuse incidents dropped 26 percent year over year, the number of confirmed data losses increased by 61 percent to 277 breaches.
“The results of the report make it exceedingly clear to us that organizations need to focus on security basics and do the proactive things within their control,” said Brad Hibbert, Chief Technology Officer, BeyondTrust. “Good security hygiene, including intelligent patching, privilege and password management, leads to meaningful improvements in data breach protection.”
Following are recommendations all organizations can take immediately to strengthen their security postures:
1. Vulnerability and patch management needs to leverage intelligence to become more effective – not just to stop external attackers targeting vulnerable systems, but to mitigate the real risk of external parties becoming insiders by using stolen credentials to move laterally through an organization.
2. Targeting administrators and partners is not enough. With only 3 percent of breaches coming from partners, organizations must enforce least privilege internally across their environments. Following compliance mandates that protect against admin- and partner-leveraged attacks isn’t enough.
3. Deploy a password management solution that discovers every account in the environment, securely stores their credentials, requires an approval process for check-out, monitors activity while a credential is checked out, and rotates the credential upon check-in.
4. Adaptive access control – better controls to enforce appropriate use should be part of a multi-layered approach that includes a gateway to the data center, workflow approval for sensitive access, fine-grained privileges on the target machine, context-based access controls, multi-factor authentication for the user, and more, so that the compromise of one account does not compromise the environment.
5. Enforce least privilege across your entire environment by removing local admin rights from end users, and restricting the use of admin and root account privileges to servers in your data center. Elevating rights for applications on an exception basis, and applying fine-grained policy controls once access is granted, can quickly limit the lateral movement of would-be attackers.
6. Implement a workflow-based process for obtaining privileges. If requests happen during normal business hours and within acceptable parameters, set auto-approval rules to grant access without restricting admin productivity. But if time, day or location indicators point to something out of band, deny the request and investigate.
7. Employ network segmentation or implement a secure enclave that ensures all privileged accounts (employees, contractors, and third parties) do not have direct access to manage devices.
8. Implement user behavior monitoring to ensure appropriate use and to detect misuse and/or activities of a compromised account to reduce detection times and minimize breach impact.
9. Enable privilege quarantine – implement technologies and processes to quickly respond to suspect or malicious activities including manual and automated processes to restrict or deny access of suspect devices and accounts.
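Recommendations 4 and 6 above describe a workflow-based approval policy: auto-approve privilege requests that arrive in business hours from an expected location, require a manual approval (and MFA) for sensitive targets, and deny and flag anything whose time, day or source location is out of band. The following is an added illustration of that decision logic, not BeyondTrust code or a description of any BeyondTrust product; the business hours, office timezone offset, corporate network ranges, target names and IP addresses are all constructed assumptions.

```python
"""Workflow-based approval policy for privileged access requests.

Added example, not BeyondTrust code. It evaluates a request against
time-of-day, day-of-week, source-network and MFA indicators and returns
an approval decision plus the reasons behind it, so the same record can
feed an audit log for user behaviour monitoring.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed policy parameters (assumptions, not product defaults).
# A fixed-offset office timezone keeps the example independent of system tzdata.
BUSINESS_TZ = timezone(timedelta(hours=-4), name="office-tz")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # local office hours
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
SENSITIVE_TARGETS = {"domain-controller", "payroll-db"}  # constructed names

AUTO_APPROVE = "AUTO_APPROVE"          # in-band, low-sensitivity: grant immediately
MANUAL_REVIEW = "MANUAL_REVIEW"        # in-band but sensitive: route to an approver
DENY_INVESTIGATE = "DENY_INVESTIGATE"  # out-of-band indicator: deny and open a case


@dataclass(frozen=True)
class PrivilegeRequest:
    user: str
    target: str
    requested_at: datetime  # must be timezone-aware; naive timestamps are rejected
    source_ip: str
    mfa_verified: bool


def within_business_hours(ts: datetime) -> bool:
    """Convert to office local time before checking weekday and hours.

    Checking the raw UTC timestamp would misclassify requests near midnight,
    so the conversion is the point of this helper.
    """
    local = ts.astimezone(BUSINESS_TZ)
    return local.weekday() < 5 and BUSINESS_START <= local.time() < BUSINESS_END


def from_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def evaluate(req: PrivilegeRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons) for a privilege request."""
    if req.requested_at.tzinfo is None:
        # Refuse to guess the timezone: a wrong guess would silently widen the window.
        raise ValueError("requested_at must be timezone-aware")

    out_of_band = []
    if not within_business_hours(req.requested_at):
        out_of_band.append("outside business hours")
    if not from_corporate_network(req.source_ip):
        out_of_band.append("source not on corporate network")
    if out_of_band:
        # Time, day or location indicator is off: deny and investigate.
        return DENY_INVESTIGATE, out_of_band

    if req.target in SENSITIVE_TARGETS:
        # Sensitive access always goes through workflow approval, and MFA is
        # a precondition for even entering that workflow.
        if not req.mfa_verified:
            return DENY_INVESTIGATE, ["MFA not verified for sensitive target"]
        return MANUAL_REVIEW, ["sensitive target requires approver"]

    return AUTO_APPROVE, []


def audit_line(req: PrivilegeRequest) -> str:
    """One log line per decision, suitable for behaviour monitoring."""
    decision, reasons = evaluate(req)
    return (f"{req.requested_at.isoformat()} user={req.user} target={req.target} "
            f"src={req.source_ip} mfa={req.mfa_verified} decision={decision} "
            f"reasons={'; '.join(reasons) or '-'}")


if __name__ == "__main__":
    # Constructed sample requests. 2017-05-16 14:00 UTC is a Tuesday, 10:00 office time.
    weekday_morning = datetime(2017, 5, 16, 14, 0, tzinfo=timezone.utc)
    for r in [
        PrivilegeRequest("alice", "build-server", weekday_morning, "10.1.2.3", True),
        PrivilegeRequest("alice", "payroll-db", weekday_morning, "10.1.2.3", True),
        PrivilegeRequest("bob", "build-server", weekday_morning, "203.0.113.7", True),
        # 2017-05-22 03:00 UTC is Monday in UTC but Sunday 23:00 office time.
        PrivilegeRequest("bob", "build-server",
                         datetime(2017, 5, 22, 3, 0, tzinfo=timezone.utc), "10.1.2.3", True),
    ]:
        print(audit_line(r))
```

The deny path returns every out-of-band indicator rather than stopping at the first one, so the investigation record shows whether a request was merely late, merely off-network, or both. Reviewers who want a softer policy (for example, an on-call window at weekends) would adjust `within_business_hours`, not the decision order: out-of-band checks run first precisely so that a sensitive target cannot be auto-approved by a request that is already suspicious on time or location.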