Web applications are increasingly under attack as valuable enterprise data moves to the cloud, according to Verizon’s annual Data Breach Investigations Report.
Web application attacks doubled from last year, to 43%. In terms of actual breaches, cloud assets were involved in about 24% of breaches, while on-premise assets were involved in 70% of breaches. Cloud breaches involved an email or web application server 73% of the time, Verizon’s analysis found, and 77% of cloud breaches also involved breached credentials.
“This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” the report concluded.
Most cyberattacks are for financial gain and committed by outsiders, the report said, and actual breaches are often the result of mistakes such as misconfiguration — not necessarily the scenarios which might first come to mind when you think of hacking.
“When many people think of how hacking attacks play out, they may well envision the attacker dropping a Trojan on a system and then utilizing it as a beachhead in the network from which to launch other attacks, or to expand the current one,” the DBIR says. “However, our data shows that this type of malware peaked at just under 50% of all breaches in 2016, and has since dropped to only a sixth of what it was at that time (6.5%).” Instead, threats such as social phishing and the use of ransomware and password dumpers are increasing, as are error-based vulnerabilities such as misdelivery and misconfiguration.
The DBIR says that “as time goes on, it appears that attackers become increasingly efficient and lean more towards attacks such as phishing and credential theft.”
Verizon’s analysts looked at records of 157,525 incidents, of which around 32,000 met its quality standards and 3,950 were confirmed data breaches. The data came from 81 organizations in 81 countries around the world.
Among the findings:
- 86% of data breaches were for financial gain, up from 71% last year.
- 67% of actual data breaches were due to credential theft, errors and social attacks.
Mobile continues to represent only a small portion of overall incidents, but there was an interesting mobile-related anomaly in the data this year: more than a thousand cases of loss showed up in the data set after data collection protocols were updated with some data contributors.
“They were basically your device being left behind. What most of the mobile problems were, it’s talking about securing the end-point,” said Suzanne Widup, one of the five co-authors of this year’s DBIR.
“We would make this incredible spike in incidents one of our key findings, but we are pretty sure ‘forgetting your work mobile phone in a hipster coffee shop’ is not a new technique invented in 2019,” the report authors wryly noted.
Those mobile “error” cases related to loss made up about 97% of mobile security incidents. But that remaining 3% was “split almost evenly between espionage and financial motives, which is incredibly significant when our overall breakdown of motives is of 64% financial and only 5% espionage,” the report continues. “And while the financially motivated ones vary from theft to the use of the device as a vessel for pretexting, the espionage-related cases are exclusively malware-based compromises of mobile devices to further persistence and exfiltration of data by advanced state-affiliated actors.” In other words, most of the mobile-related security risk comes from lost or stolen mobile devices, but there’s a very small chance that mobile devices could be used as a vehicle for more targeted and determined incursions.
Most cyber attacks, Widup said, are very short: fewer than five steps are involved in accomplishing them. If companies can add more hoops that attackers have to jump through, that is a solid strategy for reducing or preventing breaches.
“The longer it takes them, the more chances you have of stopping them or detecting them,” she said. The other way to use the DBIR data, she added, is that if malware is detected in a system, it is indicative of an earlier breach — malware doesn’t just occur on its own; someone put it there. On the other hand, if there is a social engineering attempt, that is usually indicative of the beginning of an attack, and activity can be traced from there.
Read the Verizon DBIR for 2020 here.