Data breaches are becoming more complex, and causing more damage to the affected organization, according to a new report. The 2017 Verizon Data Breach Digest, published Tuesday, found that the effects of a breach are spreading to even more parts of an enterprise, increasingly causing problems outside of IT.
A press release announcing the report said that the Digest took a look at 16 different cybersecurity scenarios and how prevalent they are, as well as how lethal they are to an affected organization. And, just like the report published in 2016, it found that the human element is the most critical.
"In working with victim organizations, we find that breaches touch every part of an organization up to and including its board of directors," Bryan Sartin, executive director for the RISK Team with Verizon Enterprise Solutions, said in a press release. "Companies need to be prepared to handle data breaches before they actually happen in order to recover as quickly as possible."
SEE: Security awareness and training policy template (Tech Pro Research)
The 16 different scenarios examined in the 2017 Digest were drawn from Verizon's Research, Investigations, Solutions and Knowledge (RISK) Team's investigation of 1,400 breach cases over the past three years. The scenarios were broken up into the following four breach types:
1. The human element
These breaches were ones in which humans had been compromised, had simply made a mistake, or had intentionally acted maliciously. Two of the scenarios—hactivist attack and partner misuse—were labeled as "lethal."
The hacktivist attack occurs when a hacker targets a company in response to a perceived injustice committed by the firm, while partner misuse refers to an attack when an indignant stakeholder attacks the firm from the inside. Another example of this kind of breach would be from a disgruntled ex-employee.
2. Conduit devices
Conduit devices are the point of entry by which an attacker gains access to an organization's network. Mobile assault and IoT calamity were the names given to the lethal scenarios of this breach type.
In the Verizon report, a mobile assault occurred when a business traveler used an unsecure Wi-Fi connection, which led to his phone being compromised. An example of an IoT calamity would be when a major university was breached through its connected vending machines and smart light bulbs.
3. Configuration exploitation
According to the report: "From a system standpoint, misconfigured devices are the vectors of compromise; from a network standpoint, misconfigurations allow for easy lateral movement and avenues for data exfiltration." The two lethal scenarios of this type were a DDoS Attack and ICS onslaught.
One example of a major DDoS attack was the Mirai botnet that took down the DNS provider Dyn, and almost took down an entire country as well. An ICS onslaught occurs when an industrial control system is compromised, which could lead to massive physical damage as well as data leaks.
4. Malicious software
Malicious software is pretty self-explanatory. In the Verizon report, none of the scenarios listed were labeled as lethal. Examples would be traditional malware, RAM scraping, spyware, and keylogger software. The Digest lists the three primary purposes of malware as meant to "establish a beachhead, collect data, and exfiltrate data."
To respond to a breach, the Verizon Data Breach Digest recommends taking the following five actions:
- "Preserve evidence; consider consequences of every action taken."
- "Be flexible; adapt to evolving situations."
- "Establish consistent methods for communication."
- "Know your limitations; collaborate with other key stakeholders."
- "Document actions and findings; be prepared to explain them."
- The 18 most frightening data breaches (TechRepublic)
- Most US firms would pay to avoid data breach shame going public (ZDNet)
- 6 ways to secure air-gapped computers from data breaches (TechRepublic)
- We're told data breaches cost millions on average - but this security study disagrees (ZDNet)
- Forrester: What can we learn from a disastrous year of hacks and breaches? (TechRepublic)
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.