Verizon finds increases in financially motivated data breaches and attacks on web applications

Most breaches are now for financial gain, according to Verizon's report, with web application attacks also on the rise. Find out more about the alarming statistics in this analysis.

The latest Data Breach Investigations Report (DBIR) from Verizon Business highlighted a number of alarming statistics about the data breach landscape and the actors behind attacks, finding two-fold increases in web application breaches as well as growth in the number of data breaches conducted for financial gain.

This is Verizon's 13th edition of the report and researchers pored through more than 32,000 security incidents, of which nearly 4,000 were confirmed as breaches, almost double the 2,013 breaches analyzed the year before.

Nearly 90% of data breaches are now done for financial gain, up from 71% in last year's report. Cloud platforms are particularly at risk, with web application attacks doubling to 43%. Almost 70% of all breaches are caused by credential theft, errors, and social attacks.

One positive aspect from the report is that increased patching is having a noticeable effect, with fewer than one in 20 breaches exploiting vulnerabilities. But with millions now working digitally more than they ever have, phishing and other kinds of attacks will become far more prevalent, according to the report. 

"As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount," said Tami Erwin, CEO of Verizon Business. "In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious."

The 100-page report included hundreds of insights into the current cybersecurity landscape and a significant portion of the report is spent analyzing threat actors. The report downplays the notion that insider threats are a problem and instead highlights that most attacks are done with financial gain in mind. 

"Organized crime is the top variety of actor for the DBIR. After that, we see a roundup of the usual suspects: State-aligned actors who are up to no good, internal end users and system admins making errors as though they were paid to do it, and, at the very bottom, the unaffiliated," the report said.

"Based off of computer data breach and business email compromise complaints to the FBI Internet Crime Complaint Center (IC3), 85% of victims and subjects were in the same country, 56% were in the same state and 35% were even in the same city. In part, this is driven by many of the complaints coming from high-population areas such as Los Angeles, CA and New York City, NY. So, the proverbial call is almost coming from inside the building."

External actors were the source of 70% of the breaches and organized crime was involved in 55% while just 30% involved internal actors.

Alex Pinto, lead author of the Verizon Business Data Breach Investigations Report, said security headlines often talk about spying, or grudge attacks, as a key driver for cybercrime but their data shows that is not the case. 

"Financial gain continues to drive organized crime to exploit system vulnerabilities or human error. The good news is that there is a lot that organizations can do to protect themselves, including the ability to track common patterns within cyberattack journeys--a security game changer--that puts control back into the hands of organizations around the globe," Pinto said. 

But one of the biggest problems cited in the Verizon report is misconfiguration errors. In an interview with ZDNet's Larry Dignan, Verizon's senior information security data scientist Gabe Bassett said it isn't that enterprises are making more errors, but that they are reporting them more often.

A graph included in the report shows how the number of misconfiguration errors has grown steadily since 2015 and increased nearly 5% compared to last year's report. 

"The only action type that is consistently increasing year-to-year in frequency is Error. That isn't really a comforting thought, is it? Nevertheless, there is no getting away from the fact that people can, and frequently do, make mistakes and many of them probably work for you," the report said. 

"Since 2017, misconfiguration errors have been increasing. This can be, in large part, associated with internet-exposed storage discovered by security researchers and unrelated third parties. While Publishing errors appear to be decreasing, we wouldn't be surprised if this simply means that errors formerly attributed to publishing a private document on an organization's infrastructure accidentally, now gets labeled Misconfiguration because the system admin set the storage to public in the first place."

In terms of the top threat action varieties in incidents, Denial of Service, phishing, and ransomware all feature prominently on the report's list. Almost 50% of breaches featured hacking and 22% involved social attacks while another 22% involved malware.

More than 80% of breaches were discovered in days or less and 72% involved large businesses as victims. Nearly 60% of victims had personal data compromised.

Security experts had a number of different takeaways from the report. Most highlighted the study's examination of cloud security and ransomware. 

Staff research engineer at Tenable Satnam Narang said cybercriminals often set their sights on low-hanging fruit and foundational cyber hygiene issues enable most breaches. Cybercriminals go after the multitude of unpatched vulnerabilities because it's a cost-effective measure that provides the most bang for their buck and does not require the capital needed to acquire zero-day vulnerabilities, Narang added.

Narang also highlighted that the 43% of breaches involving web applications are often fueled by exploitation of some of the most common vulnerabilities, such as SQL injection or PHP injection flaws. 

"As more and more businesses have migrated to the cloud, their attack surface increases, especially with respect to web applications. The DBIR notes that web applications along with email application servers were involved in 73% of cloud breaches, while most of those were the result of breached credentials," Narang said. 

Balaji Parimi, CEO of CloudKnox Security, said managing cloud infrastructure is very complex and the unprecedented levels of automation leave a lot of room for mistakes, but the report "validates something we've been seeing for a long time--that cloud storage misconfigurations are on the rise and emerging as one of the top threats to cloud infrastructure."

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, added that the increase in cloud data breaches involving breached credentials indicated that "we must move away from allowing humans to select and create passwords." 

"This requires a move to password managers, multi-factor authentication (MFA) and strong privileged access security. The less we allow humans to create passwords, the less likely it is for an attacker to steal and abuse them," he said. 

Narang and other analysts noted that the security landscape has changed a bit since much of the study was conducted at the end of last year and beginning of this year. In recent months, ransomware attacks have taken on a new prominence and Carson said ransomware will continue to be the biggest threat in the future, not only for companies, but celebrities, governments, and others.

Narang said ransomware isn't solely devoted to encrypting files anymore now that cybercriminals have escalated their attacks to another level, siphoning off sensitive information from organizations whose files they've encrypted. 

"These cybercriminals threaten to publish this sensitive information publicly, often publicly sharing a teaser of files from organizations they've compromised. The belief is that naming and shaming these victims would encourage them to pay the ransom demand, and in many cases, that's proven to be true," Narang said. 

Murali Palanisamy, chief solutions officer of appviewX, said the report should prompt every organization, especially now, to beef up its security and find ways to automate, considering the ever-growing number of endpoints cybercriminals are using to attack organizations.

"Drilling down into Verizon's 2020 version of the DBIR tells us two things: One, the number of incidents and data breaches is snowballing year-on-year, confirming the trend that digital transformation will result in threat vectors compounding and growing in number. And two, hacking for financial gain has taken precedence over malware and other low-impact techniques as the primary motivator for malicious actors," Palanisamy said. 

"There are simply too many endpoints today to be protected individually by security teams--given that hackers are actively gunning to exploit even the tiniest weak link in the system. Automation of security systems is the name of the game here, which will not only reduce the manual effort involved and eliminate human error, but also allow for enterprises to scale security along with business growth at every level, without having to expend time and effort on implementing it from scratch when it is needed."
