Nothing feeds the cyber security news mill quite like fresh figures on data breaches – or how cyber criminals and state-affiliated espionage campaigns are altering their approaches to accomplish them. The Verizon RISK Team recently released a report that will certainly be essential reading for information security specialists and CIOs across federal government agencies as they continue to grapple with being on the frontlines of cyberattacks.
Of the many noteworthy findings in the 2013 Data Breach Investigations Report, perhaps one of the most significant for agency CIOs is the fact that 76 percent of network intrusions exploited weak or stolen credentials to maintain a presence on the victim’s networks. The report goes on to note that the number of breaches involving phishing was four times higher in 2012 compared to the prior year.
Phishing tactics typically involve emails or web offers that dupe users into handing information to what appear to be trusted individuals or websites. While this type of activity affects a wide range of industries, the implications for federal agencies are perhaps more worrisome simply because of the types of information they are responsible for protecting. From state secrets to personally identifiable information of both agency employees and users, access to government information systems is the jewel in the crown for most cyberattackers.
“The perception is that phishing threats are horrible (because they are hard to thwart). But there are other threat vectors that are even more important,” said a senior Defense Department IT security official in response to the report’s findings. However, of greater concern at the DoD “are the level of advanced persistent threats and the degree of penetration many hackers continue to achieve. It’s really scarier than we imagined.” Overall, the investigations found that the direct installation of malware by an attacker who has gained access to a system continues to be the most frequent vector of attack. But among large organizations, in which espionage played a larger motive, email attachments are more prevalent.
The study noted that in many cases, breaches may go undiscovered for months or even years, and in 69 percent of them, it was a third party that detected the data breach.
If there was some positive news in the report’s findings, it was the fact that only a very small number of breaches involved mobile devices, despite how insecure mobile devices can be. Similarly, there were few incidents of breaches involving cloud computing systems, and when they did occur, the breach would have taken place regardless of whether the system was hosted in the cloud or not.
So how might a federal CIO mitigate highly targeted and persistent attacks? Here are some recommendations:
Focus on the kill-chain approach. Highly targeted attacks typically require attackers to progress successfully through multiple stages in a chain before they can achieve their objective. Mitigation disrupts the chain, and shifts an agency’s security approach from pure reaction to proactive anticipation, making it more costly for attackers.
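As an added illustration of the kill-chain idea (this is example code written for this article, not part of the Verizon report or any agency tooling), the following Python script maps sensor events to the seven kill-chain stages, tracks how far each host has progressed, and raises an alert as soon as a host crosses a chosen stage. The event names, host names and log format are constructed assumptions; a real deployment would substitute its own sensors' event types in `EVENT_TO_STAGE`.

```python
import re
from collections import OrderedDict

# Kill-chain stages in attack order (the seven-step model the article refers to).
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Assumed mapping from log event names to kill-chain stages. The event names
# are hypothetical; a real deployment maps its own sensors' event types here.
EVENT_TO_STAGE = {
    "port_scan": "reconnaissance",
    "phish_email_delivered": "delivery",
    "macro_executed": "exploitation",
    "new_service_created": "installation",
    "beacon_to_unknown_domain": "command_and_control",
    "bulk_file_read": "actions_on_objectives",
}

# Constructed sample log lines in the form "<timestamp> host=<name> event=<type>".
SAMPLE_LOG = """\
2013-04-22T08:01:00Z host=ws-17 event=phish_email_delivered
2013-04-22T08:03:12Z host=ws-17 event=macro_executed
2013-04-22T08:03:40Z host=ws-17 event=new_service_created
2013-04-22T08:05:02Z host=ws-17 event=beacon_to_unknown_domain
2013-04-22T08:02:00Z host=ws-22 event=phish_email_delivered
2013-04-22T09:00:00Z host=ws-09 event=port_scan
2013-04-22T09:10:00Z host=ws-22 event=software_update
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)$")


def parse_line(line):
    """Return (timestamp, host, event) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def stages_per_host(log_text):
    """Group the kill-chain stages observed for each host, in order of first sight."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _, host, event = parsed
        stage = EVENT_TO_STAGE.get(event)
        if stage is None:
            continue  # benign or unmapped event: no kill-chain meaning
        seen.setdefault(host, [])
        if stage not in seen[host]:
            seen[host].append(stage)
    return seen


def deepest_stage(stages):
    """Index of the furthest stage reached (higher means closer to the objective)."""
    return max(STAGES.index(s) for s in stages)


def alerts(log_text, threshold="exploitation"):
    """Flag hosts that progressed to or beyond `threshold`.

    Each stage is a chance to break the chain; the earlier the alert fires,
    the cheaper the containment. The tuple names the furthest stage observed
    so responders know how far the intrusion got before it was noticed.
    """
    limit = STAGES.index(threshold)
    out = []
    for host, stages in stages_per_host(log_text).items():
        depth = deepest_stage(stages)
        if depth >= limit:
            out.append((host, STAGES[depth], len(stages)))
    return out


if __name__ == "__main__":
    for host, stage, n in alerts(SAMPLE_LOG):
        print(f"{host}: reached {stage} ({n} stage(s) observed)")
```

Lowering `threshold` to `"delivery"` makes the phished-but-not-yet-exploited host `ws-22` show up as well, which is the trade-off the kill-chain approach asks an agency to make explicit: alerting earlier costs more analyst time per alert but lets the chain be cut before malware is installed.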
Use more comprehensive prevention tools that block entire classes of exploits instead of only specific exploits.
Use better reconnaissance to identify social tactics like phishing, doxing, and watering hole attacks that seek to compromise people, not just computers. The authors also stressed the importance of switching to two-factor authentication and moving away from reliance on passwords.
Follow the 20 Critical Security Controls maintained by the Consortium for Cybersecurity Action and the SANS Institute.