3 Trends from Verizon’s 2022 Data Breach Investigations Report
Originally published by Authomize here.
Written by Gabriel Avner, Authomize.
The Verizon Data Breach Investigations Report is essentially infosec’s report card.
It comes out right before summer vacation and gives us an ~120 page snapshot of the state of security.
The findings, much like my report cards back in the day, are rarely surprising and always a little disappointing. At least Verizon’s reports are well written, and after 15 years of putting them out, this one was no different.
In reading through the report, a couple of statistics and trends stood out that are worth exploring as they tell us something important about where we are in the evolution of working in the cloud and where we need to go if we want to remain secure.
Surprising Nobody, Credentials Still The Leading Cause of Breaches
For the millionth year running, credentials continue to lead the pack, taking credit for a whopping 63% of breaches in the study.
The reason why credentials continue to reign is pretty straightforward. Using stolen/compromised credentials makes it easy to pass as a legitimate user and frankly saves the attackers a lot of time and effort breaking in.
Credentials equal access, and privileged or not, they give the attackers their first foot in the door. They can use the access granted by those credentials to either reach their targeted information or try to escalate privileges to reach bigger and better data.
Once the attackers are inside their target systems, they naturally look to steal more credentials.
According to the researchers, there’s been an almost 30% increase in stolen credentials since 2017, making stolen credentials the gift that keeps on giving and an obvious fan favorite for hackers when they are looking for goodies to steal. Credentials are even more popular than payment information, placed alongside personal information that can be used for either ransom or fraud.
This is because the only thing that a hacker likes more than finding something valuable is gaining access to more valuable bits and bytes.
Insider Threats Remain Rare but Highly Impactful
Organizations are constantly concerned about the insider threat. It’s a deeply unsettling feeling that someone in your company could be planning to cause harm. And when stories of a particularly vicious incident hit the papers, it is always messy.
The report has some good and bad news on this front.
On the negative side, while the overall median number of records stolen has fallen dramatically, down to 80k, the report shows that insider incidents involve significantly larger thefts when they do occur.
Thankfully, the researchers say that malicious insider attacks, which they refer to as “Privilege Misuse”, are far less common than the type that comes from external actors.
What they did not touch on quite as much is that a benign legitimate user can be compromised, usually with stolen credentials or phishing, and essentially become an internal threat.
The more access that the compromised identity has, the more damage they can do.
Your Vendors and Partners’ Security Controls Matter
Supply chain attacks were reportedly responsible for 62% of system intrusions, highlighting how vulnerable we are to factors not under our direct control.
While we may not think about how another organization manages their security having a direct impact on our security, in this era of uber interconnectivity and dependence on multiple vendors, it should be top of mind for us.
Asking vendors about which components they use in their software products has become much more commonplace, but we are still far from there when it comes to verifying if our vendors are taking identity security seriously.
Just as we are exposed to compromise and breaches, and should defend ourselves accordingly, our vendors and partners need to take similar steps not just to keep themselves protected but us as well.
It is then up to us to ask about their security measures, and understand if they are sufficient for minimizing the risk to a tolerable level.
5 Tips for Mitigating Credential Compromise Risks
Looking at these trends above, we need to take steps to reduce our risk of significant damages when a compromise occurs.
Here below are a couple of good places to start.
1. Configure your cloud correctly and securely
13% of breaches came from misconfigured cloud storage, highlighting the challenge of proper posture management. AWS makes S3 buckets private by default, but they can still be misconfigured pretty easily to grant too much access.
Make sure that only the intended folks or machines have access to your easily accessible cloud assets.
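As an added example (not code from the original post or from Authomize), a small checker for the bucket misconfiguration this tip describes: it parses an S3 bucket policy and flags Allow statements whose Principal is the wildcard and that carry no condition scoping the caller. The condition keys treated as scoping, the sample policy, and the account and org ids in it are constructed for this example.

```python
"""Added example (not from the original post): find S3 bucket-policy
statements that grant access to everyone, i.e. Allow with a wildcard
Principal and no Condition that narrows who the caller can be."""
import json

# Condition keys that pin a wildcard principal to a known scope (an assumption
# for this example, not an exhaustive list of AWS condition keys).
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:SourceVpc", "aws:SourceAccount"}

def is_wildcard_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in (aws if isinstance(aws, list) else [aws])

def has_scoping_condition(statement: dict) -> bool:
    """True if any Condition block references a key from SCOPING_KEYS."""
    return any(key in SCOPING_KEYS
               for block in statement.get("Condition", {}).values()
               for key in block)

def find_public_statements(policy_json: str) -> list:
    """Return [(Sid, [actions])] for every Allow statement open to the world."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        if has_scoping_condition(st):
            continue  # wildcard, but pinned to an org/VPC/account
        actions = st.get("Action", [])
        findings.append((st.get("Sid", "<no Sid>"),
                         actions if isinstance(actions, list) else [actions]))
    return findings

# Constructed sample: one world-readable statement, one wildcard pinned to an
# org, one granted to a specific role. Account and org ids are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Running `find_public_statements(SAMPLE_POLICY)` reports only the PublicRead statement; the org-scoped wildcard and the role-specific grant pass.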
2. Enable Multi-Factor Authentication
MFA is always a good first step, and a must for any privileged identities at a minimum.
This technology is far from foolproof, as hackers get smarter at social engineering MFA codes out of well-intentioned users. However, according to Microsoft, MFA should stop upwards of 99% of attacks, so make sure that you enable it for your users.
If you have the option, avoid SMS and codes. Opt instead for push notifications to a “trusted” device like the user’s mobile phone, or better yet, go for the YubiKey option.
3. Achieve a Secure Baseline of Least Privilege
Limit access by adhering to the Principle of Least Privilege. This is the concept that we want to grant users only as much access as they need to do their jobs. No more, no less.
By keeping access restricted, we can keep an attacker who has compromised an identity from reaching too deeply into our organization’s assets.
The way to achieve Least Privilege is via Access Reviews, where every identity (both human and machine) has its access privileges reviewed by its managers and app owners. Any excessive privileges, like those that have no justification in the identity’s role or that are simply not being used, can be revoked, narrowing the threat surface open to attackers.
4. Continuously Monitor to Maintain Security and Compliance
Once you have achieved a state of Least Privilege, the challenge is to maintain it over time.
This is quite the mission, as users move around in and leave the organization, grant new access privileges to their colleagues or external partners, and take other actions that, while legitimate, may put their security at risk.
Continuously monitor for changes in access privileges. This can include an identity suddenly receiving admin access, becoming able to assume new roles, or other incidents and activities that may be indicative of risk.
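As an added example (not from the original post), a detector for the privilege changes this tip describes, run over a constructed CloudTrail-style log: an identity being handed an admin policy, a role’s trust policy being changed so new identities can assume it, and one user minting an access key for another. The set of policies treated as privileged, the sample records, and the account and user names in them are assumptions for this example.

```python
"""Added example (not from the original post): scan CloudTrail-style records
for changes that hand an identity new privileges, e.g. admin access or the
ability to assume new roles. Field names follow the real CloudTrail schema;
the set of policies treated as privileged is an assumption for this example."""
import json

PRIVILEGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess",
                       "arn:aws:iam::aws:policy/IAMFullAccess"}

def classify_event(event: dict):
    """Return (severity, description) when the event changes privileges, else None."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    target = params.get("userName") or params.get("roleName") or params.get("groupName")
    if name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"):
        policy = params.get("policyArn", "")
        sev = "high" if policy in PRIVILEGED_POLICIES else "info"
        return (sev, f"{actor} attached {policy} to {target}")
    if name == "UpdateAssumeRolePolicy":  # trust policy changed: new assumers
        return ("high", f"{actor} changed who may assume role {target}")
    if name == "CreateAccessKey" and target and actor.rsplit("/", 1)[-1] != target:
        return ("medium", f"{actor} created an access key for another user, {target}")
    return None

def scan(records_json: str, min_severity: str = "medium") -> list:
    """Return [(eventTime, severity, description)] at or above min_severity."""
    rank = {"info": 0, "medium": 1, "high": 2}
    findings = []
    for event in json.loads(records_json).get("Records", []):
        hit = classify_event(event)
        if hit and rank[hit[0]] >= rank[min_severity]:
            findings.append((event.get("eventTime"), *hit))
    return findings

# Constructed sample log (account id and names are placeholders): an admin
# policy attachment, a trust-policy change, and a routine self key rotation.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-06-01T09:05:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2022-06-01T09:07:00Z", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleName": "prod-deploy"}},
    {"eventTime": "2022-06-01T09:10:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "alice"}}]})
```

`scan(SAMPLE_LOG)` returns the two high-severity findings and ignores alice rotating her own key; lowering `min_severity` to `"info"` also surfaces attachments of non-privileged policies for review.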
5. Secure Your IAM Infrastructure
Identity and Access Management systems like Identity Providers (IdP) that we use for, well, managing our identities and access, need to be secured just like any other solution.
Attackers are increasingly looking to undermine IAM tools as part of their attack because of their pivotal role in granting access to resources.
We need to monitor our IAM tools using a separate mechanism, looking for attempts to exploit these solutions. Utilizing an independent solution is important for the same reason that we segregate duties between, say, the person who processes payments and the one who approves the transfers.
Since our IAM tools may themselves be compromised, we need to monitor them externally if we want to ensure their security and integrity.
Compromise is a Question of When, So Start Preparing
The authors give readers an important reminder with one of the best quotes in the report, writing that, “Unfortunately, if you can access the asset directly over the internet simply by entering the credentials, so can the criminals.”
And in the increasingly cloud-driven mode of work, identities and their associated credentials are both the perimeter and the key to accessing all of the valuable, sensitive assets that your organization is trying to protect.
Credentials can and will be compromised. The more identities your organization has, the more opportunities there will be for those credentials to get popped.
Not to be fatalistic about it, but we need to think about compromise as a question of when, quickly followed by the question of how we limit the damage from it.
The first step is understanding who has access to which assets, and how that access is being used. Once we are able to visualize and contextualize our access data, we can make smarter decisions about how to secure it.