Risky clicks continue to keep too many hackable


Meet the new hacks, same as the old hacks.

In the forthcoming 2016 Data Breach Investigations Report, Verizon's team breaks down more than 100,000 cybersecurity incidents, including 2,260 confirmed and closely examined data breaches.

There's a lot of continuity with last year's report: Same sparkling prose, same depressing content.

"A lot of trends and patterns that we've seen are continuations of what we saw last year," Dave Ostertag, global investigations manager with the Verizon Investigative Response team, told FCW.

The Verizon team focused on actual breaches, meaning thieves got away with something; an incident such as the IRS' Get Transcript attack, wherein scammers took sensitive taxpayer information out the system's front door, counts. Within that set, the team studied 193 confirmed incidents impacting the public sector. Targeted espionage, misuse of privileges and miscellaneous errors were the top causes of public sector breaches.

Targeted espionage often relies on phishing emails to establish a beachhead. Privilege misuse covers insider threats, coerced or otherwise. The miscellaneous errors include face-palm moments like databases being accidentally published on the open web.

In all cases, the best defense involves both educating and monitoring people.

"At the end of the day, keep up a healthy level of suspicion toward all employees," Verizon's report advises. "While we would like to think they will never give you up, let you down, run around or desert you, we simply can't (tell a lie, and hurt you)."

The continued importance of phishing emails in public sector attacks is especially telling.

"Phishing has continued to trend upward (like spawning salmon?) and is found in the most opportunistic attacks as well as the sophisticated nation state tomfoolery," the report notes.

Ostertag told FCW that last year, as in years prior, a stubborn percentage of government employees clicked on suspicious email links, despite organizational exhortations against risky clicking.

He advised running tests and, if an employee fails by clicking a meant-to-look-suspicious link, immediately launching them into a training module, rather than waiting days or weeks to address the failure.

Other important security steps that government agencies especially need to take: keeping endpoints protected and updated, shoring up email protections, guarding networks with multi-factor authentication and segmentation, and logging everything religiously.

And in all things, vigilance is crucial.

"Rome wasn't built in a day," Verizon's report notes, "but data breaches frequently were."

With ever-faster breaches and exfiltrations of sensitive data, government security folks need to throw down every obstacle they can to slow the adversary who breaches the walls, and watch carefully to detect when the breaches come.

Verizon's 2016 Data Breach Investigations Report is due to be publicly released April 27.

About the Author

Zach Noble is a former FCW staff writer.

