Every year Verizon releases its Data Breach Investigations Report (DBIR), an in-depth analysis of the breaches and security incidents it has investigated. The report is considered the most highly anticipated cybersecurity report of the year, and the 2016 edition does not disappoint, shedding new light on the evolving landscape. If you take the time to read it (and you really should make the time!), it gives you, for free, some of the key statistics and lessons learned from over 100,000 security incidents and 2,000 data breaches. This report helps professionals and newbies alike stay on top of the most useful insights into how it all happens.

Between the latest facts and figures on malware, phishing, vulnerability exploits, and more, there are some super nuggets in the 80-page report. However, for those who need a quick overview (and in particular one with a hospitality industry slant), we're pleased to share a few key points this week and next, to whet your appetite. And, in keeping with the speed theme of this story, let's go!

The headline for this week's recap says it all: it's not the big that eat the small, it's the fast that eat the slow. The No. 1 takeaway is the speed at which all of this is happening.

No. 1: It happens faster than you think.
In 93 percent of the data breaches Verizon analyzed, the compromise occurred in minutes or less. Breaking it down, 81.9 percent of the breaches involved a compromise that took minutes, and another 11 percent happened in seconds. Phishing, as you will read in a few moments, is up. Why? It is a quick and easy way for attackers to steal credentials, which might explain why in 81.9 percent of incidents the initial compromise took minutes.

No. 2: Phishing is a top factor in breaches, and a phenomenally effective one.
According to this year's data set, 30 percent of phishing messages were opened by the target across all campaigns, and 12 percent of targets clicked on the malicious attachment or link. That is "a significant rise from last year's report in the number of folks who opened the email (23 percent)," but not much of a change in the number who clicked on the attachment (11 percent). However, speed counts, and here's why: Verizon found that, on average, a recipient took only one minute and 40 seconds to open the email and three minutes and 45 seconds to click on the malicious attachment. That is an increase in success ratio compared to the stats from the prior year.

No. 3: The attacks are effective.
The sad thing is most marketers would kill for this open rate. The even sadder thing is it explains why phishing continues to be so popular among attackers. It's a delivery tactic that works, and it works FAST! Need more proof? Weed through the report and another key stat pops out. Verizon saw confirmed data breaches rise 48 percent year-over-year to 3,141. In its analysis of actual phishing incidents (9,576), the organization found that 916 (almost 10 percent) resulted in a breach of data. The reason it is mentioned is simple. If there were 3,141 data breaches and 916 of the phishing incidents resulted in a breach, the quick and obvious stat is that about one-third of all breaches appear to have a relationship with a successful phishing campaign.

No. 4: Malware morphing is a rapidly evolving threat.
Unfortunately, much of the attackers' success has to do with the tactics they are using, which are designed to work quickly and get the data out as fast as possible. Verizon found that in a typical phishing scenario, the dropping of malware via malicious attachments occurs within seconds. In particular, this year's report shed some light on the morphing capacity of malware. The DBIR found just how quickly hackers are modifying their malware code to avoid detection. The Verizon team combined its intelligence with data collected from other contributors, coming to the conclusion that the "life span" of malware is typically very short. In fact, the report found that "99 percent of malware hashes are only seen for 58 seconds or less," lending credence to the critical need for constantly updated protections deployed back to the network, lest organizations risk being infected by rapidly changing malware. In plain language, a single piece of malware can be subtly altered to produce an endless stream of variants, all of which evade traditional signature-based detection. That's bad news for companies relying solely on traditional signature-based security solutions like antivirus. In other words, with a signature-based detection methodology, somebody has to get infected by a piece of malware so that it can be identified and analyzed and other folks protected against it. In the meantime the malefactors can create new malware that signature-based defenses can't stop. Signature-based defenses are simply not enough to defend against today's rapidly evolving malware threat.
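To make the "99 percent of hashes seen once" point concrete, here is an added example (not from the report or this post) that simulates hash churn on a constructed, harmless byte string standing in for a sample: a file-hash blocklist catches only the first sighting, while a rule keyed on a stable trait (here an assumed, made-up check-in URL pattern) still catches every variant.

```python
import hashlib
import re

# Constructed stand-in for a malicious sample: a fixed "core" (the part that
# actually does the work) plus a filler field the author can change at will.
# No real malware is involved; every byte here is made up for the demo.
CORE = b"\x4d\x5a" + b"CONSTRUCTED-DEMO-CORE:beacon-to-http://c2.example.invalid/check-in"

# Hash-based signature: the SHA-256 of the one sample somebody already got hit by.
BLOCKLIST = {hashlib.sha256(CORE + bytes(16)).hexdigest()}

# Trait-based rule (YARA-style): match the check-in URL shape, not the file bytes.
RULE = re.compile(rb"beacon-to-http://[a-z0-9.-]+\.invalid/check-in")


def build_variant(n):
    """Constructed variant n: identical core, only the 16-byte filler differs."""
    return CORE + n.to_bytes(16, "big")


def hash_detects(sample, blocklist=BLOCKLIST):
    """True only if this exact file has been seen and blocklisted before."""
    return hashlib.sha256(sample).hexdigest() in blocklist


def rule_detects(sample, rule=RULE):
    """True if the stable trait is present, whatever the rest of the file looks like."""
    return rule.search(sample) is not None


def detection_rates(count=100):
    """Fraction of `count` constructed variants caught by each approach."""
    samples = [build_variant(n) for n in range(count)]
    by_hash = sum(hash_detects(s) for s in samples) / count
    by_rule = sum(rule_detects(s) for s in samples) / count
    return by_hash, by_rule


if __name__ == "__main__":
    print("hash blocklist vs trait rule:", detection_rates())  # (0.01, 1.0)
```

Variant 0 is the blocklisted sighting, so the hash approach scores 1 in 100; the trait rule scores 100 in 100 because the part the attacker cannot change without breaking the sample is what it looks for.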

No. 5: The bad guys get in and get out – fast.
In keeping with the theme of the FAST who eat the slow, Verizon found that in 68 percent of breaches, data exfiltration occurred within days (time to exfiltration). While the report doesn't state it explicitly, the increase is due to the criminals' ability to get in and get out before detection. Of course, there's plenty of variety in the hacking techniques and kinds of malware attackers are using, and that has changed over the years. In terms of hacking techniques, the top three are the use of stolen credentials, the use of backdoors and C2, and the use of brute-force attacks. Speaking of credentials, for the first time in the history of Verizon's DBIR, the topic of credentials received its own section. There were 1,429 incidents of credential theft last year. In those instances, attackers made off with credentials via hacking and malware, and they in turn used the stolen credentials more than three quarters (77 percent) of the time. And to close the loop on this post, remember that phishing is a quick and easy way for attackers to steal a victim's credentials, which might explain why in 81.9 percent of incidents the initial compromise took minutes.

That's one of the key messages this year: in order for phishing to work, a person needs to take an action. Two people are involved for the breach to happen: the attacker, and the insider who falls for the ruse. The key recommended actions to reduce phishing are to provide more training, be more vigilant with email filtering, and, in the worst-case scenario where both of those precautions fail, make it more difficult for attackers to pivot "by segmenting the network and implementing strong authentication between the user networks and anything of importance."

In summary, the majority of data breaches featured good old-fashioned attacks designed to take advantage of the one thing we can never seem to get right: stronger password management. In fact, 63 percent of all of the breaches in the new DBIR involved the use of stolen, weak or default credentials.

That’s a depressingly high number, given how long we’ve known that the use of usernames and passwords as primary authenticators is a bad idea. This last point should help drive adoption of the recent PCI DSS 3.2 revision related to two-factor authentication. 

In case you missed it, PCI DSS 3.2 will require an individual to present a minimum of two separate forms of authentication (such as a password, a smart card or a fingerprint) before access to the cardholder data environment is granted. This extra layer of authentication means that a password alone is not enough, and it provides additional assurance that the individual attempting to gain access is who they claim to be. Authentication weaknesses leave systems highly vulnerable. The need for multifactor authentication and the risks of not employing it are so concerning that your organization should be moving as quickly as possible to implement it, regardless of the compliance requirement.
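As an added illustration of the "password alone is not enough" rule (example code, not from PCI DSS or this post), the gate below requires a knowledge factor (a PBKDF2-hashed password) and a possession factor before releasing access; it assumes an RFC 6238 TOTP token as the possession factor in place of the smart card the post mentions, a constructed demo user store, and the RFC's own published seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo credential store. A real deployment reads the password hash
# and the token seed from a directory or vault, never from source code.
_SALT = b"constructed-demo-salt"
_ITER = 200_000
USERS = {
    "cde-admin": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITER),
        # Base32 of the RFC 6238 reference seed "12345678901234567890"; demo value only.
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}


def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def password_ok(user, password):
    """Factor 1 (something you know): constant-time compare against the stored hash."""
    rec = USERS.get(user)
    stored = rec["pw_hash"] if rec else bytes(32)  # unknown user still pays the hash cost
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return rec is not None and hmac.compare_digest(cand, stored)


def totp_ok(user, code, now=None, window=1):
    """Factor 2 (something you have): current step plus `window` steps each side for drift."""
    rec = USERS.get(user)
    if rec is None:
        return False
    now = time.time() if now is None else now
    return any(hmac.compare_digest(totp_code(rec["totp_secret"], max(0.0, now + 30 * k)), code)
               for k in range(-window, window + 1))


def grant_cde_access(user, password, code, now=None):
    """Both factors are always evaluated (no short-circuit hint about which one failed)."""
    knows, has = password_ok(user, password), totp_ok(user, code, now)
    return knows and has
```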

Next week we look at the multi-vector attack analysis from the DBIR and why you should care.
To read the 2016 Data Breach Investigations Report, please click here.