Risky clicks continue to keep too many hackable
- By Zach Noble
- Apr 26, 2016
Meet the new hacks, same as the old hacks.
In the forthcoming 2016 Data Breach Investigations Report, Verizon's team breaks down more than 100,000 cybersecurity incidents, including 2,260 confirmed and closely examined data breaches.
There's a lot of continuity with last year's report: Same sparkling prose, same depressing content.
"A lot of trends and patterns that we've seen are continuations of what we saw last year," Dave Ostertag, global investigations manager with the Verizon Investigative Response team, told FCW.
Focusing on actual breaches -- meaning thieves got away with something, so an incident such as the IRS' Get Transcript attack, wherein scammers took sensitive taxpayer information out the system's front door, counts -- the Verizon team studied 193 confirmed incidents impacting the public sector. Targeted espionage, misuse of privileges and miscellaneous errors were the top causes of public sector breaches.
Targeted espionage often relies on phishing emails to establish a beachhead. Privilege misuse covers insider threats, coerced or otherwise. The miscellaneous errors include face-palm moments like databases being accidentally published on the open web.
In all cases, the best defense involves both educating and monitoring people.
"At the end of the day, keep up a healthy level of suspicion toward all employees," Verizon's report advises. "While we would like to think they will never give you up, let you down, run around or desert you, we simply can't (tell a lie, and hurt you)."
The continued importance of phishing emails in public sector attacks is especially telling.
"Phishing has continued to trend upward (like spawning salmon?) and is found in the most opportunistic attacks as well as the sophisticated nation state tomfoolery," the report notes.
Ostertag told FCW that last year, as in years prior, a stubborn percentage of government employees will click on suspicious email links, despite organizational exhortations against risky clicking.
He advised running tests and, if an employee fails by clicking a meant-to-look-suspicious link, immediately launching them into a training module, rather than waiting days or weeks to address the failure.
Other important security steps that government agencies especially need to take: keeping endpoints protected and updated, shoring up email protections, guarding networks with multi-factor authentication and segmentation and logging everything religiously.
And in all things, vigilance is crucial.
"Rome wasn't built in a day," Verizon's report notes, "but data breaches frequently were."
With ever-faster breaches and exfiltrations of sensitive data, government security folks need to throw down every obstacle they can to slow the adversary who breaches the walls, and watch carefully to detect when the breaches come.
Verizon's 2016 Data Breach Investigations Report is due to be publicly released April 27 here.
Zach Noble is a former FCW staff writer.