Why? Hundreds of security threat reports come out every year from all kinds of IT security companies. Most of them focus on a single type of threat that the report's author conveniently offers protection against, and are basically thinly veiled marketing pieces.
Verizon's Data Breach Investigations Report is different. Verizon produces it together with 67 contributing organizations. To name a few well-known participants: the U.S. Secret Service, the U.S. Computer Emergency Readiness Team (US-CERT), the Anti-Phishing Working Group, Kaspersky Lab, Cisco Security Services, EMC and many others. The 85-page report covers many areas of security for which Verizon doesn't sell products. I'm highlighting their insights about phishing. “This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions. He deadpans:
"Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff. The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds, thus proving that most people are clearly more on top of their email than I am."
One area that has picked up dramatically over the prior year is phishing. Alarmingly, 30 percent of phishing messages were opened, up from 23 percent in the 2015 report, and 13 percent went on to click the malicious attachment or nefarious link.
Dine said: “User security awareness continues to be overlooked as organizations fail to understand that they need to make their employees the first line of defense.”
“Organizations should be investing in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious,” he said.
For this reason, Dine said it is important for organizations to have the processes in place that make it easy for employees to report security issues. Here is a no-charge tool that you can download to do just that:
https://www.knowbe4.com/free-phish-alert
The Rise Of The Three-Pronged Attack
This year's report calls out the rise of a new three-pronged attack that is being repeated over and over again by cybercriminals. Many organizations are falling prey to this type of attack. The three prongs are:
- A phishing email is sent with a link pointing to a malicious website, or with a malicious attachment.
- Malware is downloaded onto an employee's PC and establishes the initial foothold; additional malware can then be used to look for secrets and internal information to steal (cyber-espionage) or to encrypt files for ransom. Many times the malware steals credentials to multiple applications through keylogging.
- The stolen credentials are used for further attacks, for example to log into third-party websites such as banking or retail sites.
2016 Report Reiterates The Need For The Basics
The researchers note that basic, well-executed measures continue to be more important than complex systems. Organizations should check to make sure they are taking care of these things:
- Know what attack patterns are most common for your industry.
- Utilize two-factor authentication for your systems and other applications, such as popular social networking sites.
- Patch promptly.
- Monitor all inputs: Review all logs to help identify malicious activity.
- Encrypt your data: If stolen devices are encrypted, it's much harder for attackers to access the data.
- Know your data and protect it accordingly. Also limit who has access to it.
- Train your staff: Developing security awareness within your organization is critical especially with the rise in phishing attacks.
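To make the "review your logs" item concrete, and to show what the three-pronged chain above looks like when you go looking for it, here is an added example of my own; it is not code from the DBIR, from Verizon or from any of the report's contributors. It correlates a delivered phishing message (prong one), a click on the link followed by an executable download (prong two) and a subsequent login from an address the user had never logged in from (an in-house stand-in for prong three, since the report's third prong usually lands on third-party sites you don't log). It also computes the median delivery-to-first-click time that the report's "3 minutes, 45 seconds" figure describes, so you can measure your own organization against it. All three log sources, their key=value format and the timings in them are constructed for this example and are not the report's data.

```python
"""Correlate the three prongs (phishing delivery, click and malware download,
credential use) for one user across mail-gateway, proxy and login logs, and
compute the median delivery-to-first-click time the DBIR reports on.

All log lines are constructed for this example, in a hypothetical
key=value format; adapt parse() to your own gateway, proxy and IdP formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Prong 1: mail gateway records delivered messages and the link each carried
# (constructed sample data, not real traffic).
MAIL_LOG = """\
2016-04-26T09:00:05 event=delivered rcpt=alice@example.com from=billing@example-invoices.net link=update-invoice.example-invoices.net
2016-04-26T09:00:06 event=delivered rcpt=bob@example.com from=billing@example-invoices.net link=update-invoice.example-invoices.net
2016-04-26T09:00:07 event=delivered rcpt=carol@example.com from=billing@example-invoices.net link=update-invoice.example-invoices.net
2016-04-26T09:30:00 event=delivered rcpt=alice@example.com from=hr@example.com link=intranet.example.com
"""

# Prong 2: web proxy records outbound requests; ctype is the response Content-Type.
PROXY_LOG = """\
2016-04-26T09:01:45 user=alice@example.com host=update-invoice.example-invoices.net path=/invoice ctype=text/html
2016-04-26T09:03:50 user=alice@example.com host=update-invoice.example-invoices.net path=/Invoice_2016.exe ctype=application/x-msdownload
2016-04-26T09:05:10 user=bob@example.com host=update-invoice.example-invoices.net path=/invoice ctype=text/html
2016-04-26T09:31:00 user=alice@example.com host=intranet.example.com path=/news ctype=text/html
"""

# Prong 3: identity provider / VPN records logins with their source address.
AUTH_LOG = """\
2016-04-26T08:50:00 user=bob@example.com src=10.0.5.40 result=success
2016-04-26T08:55:00 user=alice@example.com src=10.0.5.12 result=success
2016-04-26T09:20:00 user=alice@example.com src=198.51.100.77 result=success
2016-04-26T09:22:00 user=bob@example.com src=10.0.5.40 result=success
"""

# Content types a proxy typically reports for Windows executables.
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/octet-stream"}


def parse(log):
    """Turn 'TIMESTAMP k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def find_chains(mail, proxy, auth, window=timedelta(hours=2)):
    """Return one record per user/link where all three prongs occur in order.

    Prong 3 is approximated as a successful login from a source address the
    user had never logged in from before the phishing mail was delivered.
    """
    logins = defaultdict(list)
    for a in auth:
        if a["result"] == "success":
            logins[a["user"]].append(a)

    chains = []
    for m in mail:
        if m["event"] != "delivered":
            continue
        user, host, t0 = m["rcpt"], m["link"], m["ts"]
        # Requests by the recipient to the phished link host inside the window.
        hits = [p for p in proxy if p["user"] == user and p["host"] == host
                and t0 <= p["ts"] <= t0 + window]
        downloads = [p for p in hits if p["ctype"] in EXEC_TYPES]
        if not downloads:          # a click with no executable is not prong 2
            continue
        click = min(hits, key=lambda p: p["ts"])
        dl = min(downloads, key=lambda p: p["ts"])
        baseline = {a["src"] for a in logins[user] if a["ts"] < t0}
        new_src = [a for a in logins[user]
                   if dl["ts"] <= a["ts"] <= dl["ts"] + window
                   and a["src"] not in baseline]
        if new_src:
            chains.append({
                "user": user,
                "link": host,
                "click_after_s": int((click["ts"] - t0).total_seconds()),
                "download": dl["path"],
                "login_src": new_src[0]["src"],
            })
    return chains


def median_time_to_click(mail, proxy, link_host):
    """Median seconds from delivery to a recipient's first request to the link host."""
    times = []
    for m in mail:
        if m["event"] != "delivered" or m["link"] != link_host:
            continue
        clicks = [p["ts"] for p in proxy
                  if p["user"] == m["rcpt"] and p["host"] == link_host
                  and p["ts"] >= m["ts"]]
        if clicks:
            times.append((min(clicks) - m["ts"]).total_seconds())
    return median(times) if times else None


if __name__ == "__main__":
    mail, proxy, auth = parse(MAIL_LOG), parse(PROXY_LOG), parse(AUTH_LOG)
    for chain in find_chains(mail, proxy, auth):
        print("full chain:", chain)
    print("median seconds to first click:",
          median_time_to_click(mail, proxy, "update-invoice.example-invoices.net"))
```

On the sample data only alice completes the chain: she clicks 100 seconds after delivery, pulls an .exe two minutes later, and then logs in from an address not in her history. Bob clicks but never downloads, so he is a training conversation rather than an incident. The "new source address" test for prong three is deliberately crude; if your identity provider already gives you impossible-travel or new-device signals, use those in its place.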
The full “Verizon 2016 Data Breach Investigations Report” is available from the DBIR Media Resource Center and, as said before, is excellent budget ammo. You need to register, but it's worth it:
http://news.verizonenterprise.com/2016/04/2016-data-breach-report-info/