The number one way hackers are gaining access to information on computer networks continues to be the misuse of usernames and passwords, according to the 2014 Data Breach Investigation Report from Verizon.
Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication, says Jay Jacobs, co-author of the report and a principal at Verizon Business. “Across the board, there is a focus on compromising identities,” he explains.
Now in its seventh year of publication, the 2014 data breach report analyzes more than 1,300 confirmed data breaches as along with more than 63,000 reported security incidents. For the first time, the report includes security incidents that don’t result in breaches, in order to gain a better understanding of the cybersecurity landscape. Over the entire 10-year range of this study, the tally of data breaches now exceeds 3,800.
Weak or default passwords led to many of the point-of-sales attacks last year. Most of these devices are open on the Internet and small merchants either don’t password protect them, use weak passwords or leave the default ones in place.
“The big problem was that the same password was used for all organizations managed by the vendor. Once it was stolen, it essentially became a default password and the attackers also gained knowledge of the customer base. Armed with this information, the familiar modus operandi of installing malicious code that captured and transmitted the desired data began,” the report states.
Verizon recommends that merchants make sure all passwords used for remote access to point-of-sales systems are not factory defaults, the name of the vendor, dictionary words, or otherwise weak. If a third party handles this responsibility they need to make sure they are adhering to this requirement. Also, two-factor authentication must be considered.
Another area where credentials were targeted was with web app attacks. These attacks happen in one of two ways: by exploiting a weakness in the application — inadequate input validation — or by using stolen credentials to impersonate a valid user.
Within the financial industry, hackers focus on gaining access to the user interface of the web-banking application because the application grants access to money. “This means they target user credentials and simply use the web applications protected with a single factor — password — as the conduit to their goal. The tactics used by attackers are all the usual suspects: a) phishing techniques to either trick the user into supplying credentials or installing malware onto the client system, b) the old stand-by of brute force password guessing, and c) rarer cases of targeting the application through SQL,” the report states.
Verizon again knocks the single-factor password for these attacks and recommends that that enterprises mandate alternate authentication mechanisms.
Overall, Verizon security researchers found that 92% of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry (Fig. 19). This finding, the highlight of Verizon’s “2014 Data Breach Investigations Report,” will enable a more focused and effective approach to fighting cyberthreats.
The report identifies the nine threat patterns as: miscellaneous errors such as sending an email to the wrong person; crimeware — various malware aimed at gaining control of systems; insider/privilege misuse; physical theft/loss; Web app attacks; denial of service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.
This year’s report found that, on average, just three threat patterns cover 72% of the security incidents in any industry.