BeyondTrust Contributes Vulnerability Statistics to 2019 Verizon Data Breach Investigations Report
May 2019 by Morey Haber, Chief Technology Officer & Chief Information Security Officer at BeyondTrust
Findings point to continued increase of insider threats targeting data.
BeyondTrust, the worldwide leader in Privileged Access Management, has announced that the 2019 Verizon Data Breach Investigations Report (DBIR) leverages anonymized vulnerability statistics from BeyondTrust. The data was provided to help classify threats that have not been mitigated on the Internet. It was classified by business vertical, platform, age and vulnerability, and was generated by BeyondTrust’s BeyondSaaS cloud-based vulnerability management solution, which is built on BeyondTrust vulnerability assessment technology and hosted in Microsoft Azure.
Key findings of the report include:
• Nearly one third (29%) of successful data breaches in 2018 used stolen credentials. Cyberattacks need privileged credentials to accomplish their objectives, because these credentials grant the high-level access that attackers require. In many large organizations, credentials are shared amongst employees and systems, which means that a single stolen credential can potentially be leveraged to move laterally throughout the network as the intruder searches for the information they want.
• Privilege abuse is the top misuse variety in breaches, and it’s also the sixth most common threat action in data breaches. The report defines misuse as “the malicious or inappropriate use of existing privileges.” What this really refers to is privilege abuse by the people who either accidentally or intentionally misuse their privileged access in a manner that leads to a security incident.
• While no industry is immune to cyberattacks, the hardest hit in 2018 were public sector entities (16% of all breaches), healthcare organizations (15% of all breaches) and the financial industry (10% of all breaches). The report shows that different industries are more likely to be victims of different types of incidents. For example, the education industry was more than three times as susceptible to phishing attacks as the retail sector. There are some commonalities, though. For instance, credentials are among the three most common types of compromised data across every industry.
“The results of the report make it exceedingly clear to us that organizations need to focus on security basics and be persistent with disciplines under their control,” said Morey Haber, Chief Technology Officer & Chief Information Security Officer at BeyondTrust. “Good security hygiene, privilege and password management, intelligent patching, and continuous vulnerability management lead to meaningful improvements in data breach protection based on the findings in this year’s report.”
“Many findings in this year’s Data Breach Investigations Report substantiate what we saw in our own 2018 Privileged Access Threat Report,” continued Mr. Haber. “We look forward to the findings of our 2019 report which will be released later this year.”
Following are BeyondTrust’s top five recommendations organizations can take immediately to strengthen their security postures:
1. Deploy patches for known vulnerabilities as soon as possible to reduce the attack surface available to external parties seeking to become insiders by leveraging credentials to move laterally throughout an organization. Lateral movement can lead an attacker to exfiltrate data from a file server or database, which, the report tells us, is much more damaging than owning a single user device.
2. Deploy a password management solution that discovers every account in the environment, securely stores and manages credentials, requires an approval process for check-out, monitors activity while checked out, and rotates the credential upon check-in. Look for a workflow-based process for obtaining privileges. If requests happen during normal business hours and within acceptable parameters, set auto-approval rules to enable access without restricting admin productivity. But, if time, day, or location indicators point to something out of band, secure workflows can ensure the access is appropriate.
3. Segment your network or implement a secure enclave to ensure all privileged accounts (employees, contractors, and third parties) do not have direct access to manage devices. This model ensures that only approved devices and restricted network paths can be used to communicate with sensitive resources.
4. Enforce least privilege across your entire environment by removing local admin rights from end users, and restricting the use of admin and root account privileges to servers in your datacenter. Elevating rights to applications on an exception basis and employing fine-grained policy controls once access is granted can further limit the lateral movement of would-be attackers.
5. Implement multi-factor authentication. Multi-factor authentication raises the bar given the number of breaches that involve weak, stolen, or default credentials. Attackers need credentials to move laterally, and multi-factor authentication makes that movement more difficult. When reviewing the need for multi-factor authentication, the only right answer is every user, every account.
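The credential check-out workflow in recommendation 2 (discover accounts, vault their secrets, auto-approve in-hours requests within acceptable parameters, escalate out-of-band requests, log the session and rotate on check-in) is easy to model in code. The following Python is an added illustration, not BeyondTrust product code; the business-hours window, approved locations, maximum auto-approval duration, account names and request timestamps are all constructed sample values.

```python
"""Privileged credential check-out/check-in broker with workflow rules.

Added example, not BeyondTrust code. Models a vault that auto-approves
requests inside normal parameters and escalates anything out of band,
then rotates the credential when it is checked back in.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# Constructed policy parameters (assumptions for this example).
BUSINESS_HOURS = (8, 18)          # 08:00-18:00 local: auto-approval window
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday-Friday
APPROVED_LOCATIONS = {"HQ", "DC-East"}
MAX_AUTO_DURATION = timedelta(hours=4)


@dataclass
class AccessRequest:
    requester: str
    account: str
    location: str
    requested_at: datetime
    duration: timedelta


@dataclass
class Vault:
    """In-memory stand-in for a credential vault (constructed, not a real product API)."""
    store: dict = field(default_factory=dict)        # account -> current secret
    checked_out: dict = field(default_factory=dict)  # account -> requester
    audit_log: list = field(default_factory=list)

    def discover(self, accounts):
        """Onboard discovered accounts, each with a fresh random secret."""
        for acct in accounts:
            self.store[acct] = secrets.token_urlsafe(24)

    def evaluate(self, req):
        """Return ('auto-approved', []) or ('pending-review', reasons)."""
        reasons = []
        if not (BUSINESS_HOURS[0] <= req.requested_at.hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if req.requested_at.weekday() not in BUSINESS_DAYS:
            reasons.append("non-business day")
        if req.location not in APPROVED_LOCATIONS:
            reasons.append("unrecognised location")
        if req.duration > MAX_AUTO_DURATION:
            reasons.append("duration exceeds auto-approval limit")
        return ("auto-approved" if not reasons else "pending-review", reasons)

    def check_out(self, req):
        """Hand out the secret only on auto-approval; otherwise escalate (return None)."""
        if req.account not in self.store:
            raise KeyError(f"unknown account {req.account}")
        if req.account in self.checked_out:
            raise RuntimeError(f"{req.account} is already checked out")
        decision, reasons = self.evaluate(req)
        self.audit_log.append(("checkout", req.account, req.requester, decision, reasons))
        if decision != "auto-approved":
            return None  # left for a human approver in the workflow queue
        self.checked_out[req.account] = req.requester
        return self.store[req.account]

    def check_in(self, account):
        """Rotate the secret on check-in so the handed-out value is dead afterwards."""
        old = self.store[account]
        self.store[account] = secrets.token_urlsafe(24)
        del self.checked_out[account]
        self.audit_log.append(("checkin", account, "rotated"))
        return self.store[account] != old


def demo():
    """Run one in-hours and one out-of-band request; return the outcomes."""
    vault = Vault()
    vault.discover(["svc-backup", "domain-admin"])  # constructed account names
    in_hours = AccessRequest("alice", "svc-backup", "HQ",
                             datetime(2019, 5, 7, 10, 30), timedelta(hours=1))   # Tuesday
    off_hours = AccessRequest("bob", "domain-admin", "Cafe-WiFi",
                              datetime(2019, 5, 11, 2, 15), timedelta(hours=8))  # Saturday
    first_secret = vault.check_out(in_hours)
    rotated = vault.check_in("svc-backup")
    escalated = vault.check_out(off_hours)
    return {
        "in_hours_decision": vault.evaluate(in_hours)[0],
        "in_hours_granted": first_secret is not None,
        "rotated_on_checkin": rotated,
        "off_hours_decision": vault.evaluate(off_hours)[0],
        "off_hours_reasons": vault.evaluate(off_hours)[1],
        "off_hours_granted": escalated is not None,
        "audit_entries": len(vault.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that the vault never exposes a long-lived secret: in-hours requests from a known location get a short-lived credential without slowing administrators down, anything out of band stops in the queue with the reasons recorded, and every check-in rotates the value so a credential copied during a session is useless afterwards.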