BeyondTrust Contributes Vulnerability Statistics to 2018 Verizon Data Breach Investigations Report
April 2018 by BeyondTrust
BeyondTrust announced today that the 2018 Verizon Data Breach Investigations Report (DBIR) leverages anonymous vulnerability statistics from BeyondTrust. Data was provided to help classify threats that have not been mitigated on the Internet. This data was classified by business vertical, platform, age and vulnerability, and was created from BeyondTrust’s BeyondSaaS cloud-based vulnerability management solution based on Retina vulnerability assessment technology and hosted in Microsoft Azure.
Key findings of the report include:
• Breaches based on external actors are on the decline (73% this year), and threats based on insiders are increasing (28% this year). While the gap is still wide, the trend has been consistent for the last four years, indicating organizations need to more seriously consider the insider threat as an attack vector.
• Healthcare breaches increased 81%—from 296 in 2016 to 536 in 2017—with a greater insider threat than external threat. Digging deeper into the data, the report shows privilege abuse accounting for 74% of cases. This confirms that privileges are the primary means of conducting a successful attack, and that they are obtained primarily through hacking techniques (the #1 action variety in breaches).
• Breaches related to privilege misuse in the Accommodation industry vertical jumped from 5 in last year’s report to 302 in the 2018 report, a 5,940% increase. Threat actors are following rich data to the money. As with Healthcare, the Accommodation vertical is ripe with personal information, including payment, preferences, rewards and more.
“This year’s Verizon DBIR makes it especially clear that organizations need to focus on the security basics like vulnerability management and do better with proactive measures within their control,” said Morey Haber, Chief Technology Officer, BeyondTrust. “Proactive measures such as privilege and password management and the removal of administrator rights lead to meaningful improvements in data breach protection that no one should ignore.”
Following are BeyondTrust’s top five recommendations that organizations can act on immediately to strengthen their security posture:
1. Deploy patches for known vulnerabilities as soon as possible to reduce the attack surface available to external parties seeking to become insiders by leveraging stolen credentials to move laterally through an organization. Lateral movement can lead an attacker to exfiltrate data from a file server or database, which, the report tells us, is much more damaging than compromising a single user device.
2. Deploy a password management solution that discovers every account in the environment, securely stores and manages credentials, requires an approval process for check-out, monitors activity while a credential is checked out, and rotates the credential upon check-in. Look for a workflow-based process for obtaining privileges. If requests happen during normal business hours and within acceptable parameters, set auto-approval rules to enable access without restricting admin productivity. But if time, day, or location indicators point to something out of band, secure workflows can ensure the access is appropriate.
3. Segment your network or implement a secure enclave to ensure all privileged accounts (employees, contractors, and third parties) do not have direct access to manage devices. This model ensures that only approved devices and restricted network paths can be used to communicate with sensitive resources.
4. Enforce least privilege across your entire environment by removing local admin rights from end users and restricting the use of admin and root account privileges to servers in your datacenter. Elevating rights for applications on an exception basis and employing fine-grained policy controls once access is granted can further limit the lateral movement of would-be attackers.
5. Implement multi-factor authentication. Multi-factor authentication raises the bar given the number of breaches that involve weak, stolen, or default credentials. As the report says (page 28), “… passwords, regardless of length or complexity, are not sufficient on their own.” Attackers need credentials to move laterally, and multi-factor authentication makes that movement more difficult. When reviewing the need for multi-factor authentication, the only right answer is every user, every account.