Criminals get busy while security sleeps…
Ransomware attacks are up 50 per cent, while the patching of vulnerabilities remains woefully inadequate, according to a new report.
Ransomware attacks have increased by 50 per cent compared to last year, while cyberespionage is the most common type of attack seen in manufacturing, the public sector and education. Meanwhile, just 10 vulnerabilities accounted for 85 per cent of successful exploitations in 2015.
The figures are from the annual breach report from Verizon, and make damning reading, as the report summarises: “Many organizations still rely on out-of-date security solutions and aren’t investing in security precautions. In essence, they’re opting to pay a ransom demand rather than to invest in security services that could mitigate against a cyberattack.”
Ransomware came in for particular technical attention from criminals, with considerable resources being directed towards improvements such as master boot record locking, and partial and full disk encryption, as well as a variety of methods to avoid detection by security sandboxes. Cybercriminals also experimented with different ransom demand techniques, including time limits after which files would be deleted, and aimed to increase ransoms over time based on how sensitive the filename was. Public administration organisations were the top target for ransomware attacks, followed by healthcare and financial services.
Although ransomware overall has surged in volume, one of the most significant trends in ransomware as a whole has been to move away from infecting individual consumer systems toward targeting vulnerable organisations, according to the report.
Ilia Kolochenko, CEO of High-Tech Bridge, agreed with this assessment: “It’s certainly a major trend. Cybercriminals understood that organizations are better payers than individuals, and thus do their best to maximize profit. Companies usually have more sensitive data that they need to recover without a delay, and usually are more familiar with Bitcoin to pay the ransom. I even know IT security teams that purchase bitcoins within their organization's cybersecurity budget to pay a ransom. We will undoubtedly see ransomware targeting the most solvent payers soon.”
Unfortunately, the record of enterprises in actively defending against attacks is strikingly poor, with low patching metrics in the public and financial sectors in particular: the public sector patched 30 per cent of findings, with 33 per cent completed on time, while the financial sector patched an even poorer 25 per cent, with a timeliness rating of 33 per cent. Timeliness is of course a key factor here, as 50 per cent of exploitations happen between 10 and 100 days after the vulnerability is published, with an average of 30 days.
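A defender's view of the patching figures above, as an added example that is not from the article or from Verizon: it computes the same two metrics the report quotes, the share of findings patched and the share patched on time, over a constructed set of scanner findings, and separately flags open items whose age now sits inside the 10-to-100-day window in which half of exploitations occur. The `Finding` class, the 30-day SLA and the `CVE-EXAMPLE-*` identifiers are assumptions of the example, not values from the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Figures quoted in the article: half of exploitations land 10 to 100 days after
# publication. The 30-day SLA is an assumed organisational target, not from the report.
EXPLOIT_WINDOW = (10, 100)
PATCH_SLA_DAYS = 30


@dataclass(frozen=True)
class Finding:
    cve: str                  # scanner's vulnerability identifier
    published: date           # public disclosure date
    patched: Optional[date]   # None while the finding is still open


def patch_metrics(findings, as_of):
    """Summarise remediation for a list of findings as of a given date.

    patched_rate      - share of all findings that have been patched
    on_time_rate      - share of all findings patched within PATCH_SLA_DAYS
    open_in_window    - open CVEs whose age falls inside the exploit window,
                        oldest first (the ones most worth expediting)
    open_past_window  - open CVEs older than the window (long overdue)
    """
    total = len(findings)
    if total == 0:
        raise ValueError("no findings to summarise")

    patched = [f for f in findings if f.patched is not None]
    on_time = [f for f in patched if (f.patched - f.published).days <= PATCH_SLA_DAYS]

    lo, hi = EXPLOIT_WINDOW
    open_findings = [f for f in findings if f.patched is None]
    aged = sorted(open_findings, key=lambda f: f.published)  # oldest first
    in_window = [f.cve for f in aged if lo <= (as_of - f.published).days <= hi]
    past_window = [f.cve for f in aged if (as_of - f.published).days > hi]

    return {
        "patched_rate": round(len(patched) / total, 2),
        "on_time_rate": round(len(on_time) / total, 2),
        "open_in_window": in_window,
        "open_past_window": past_window,
    }


# Constructed sample scan output; the identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", date(2016, 1, 1), date(2016, 1, 20)),   # 19 days: on time
    Finding("CVE-EXAMPLE-0002", date(2016, 1, 15), date(2016, 4, 1)),   # 77 days: late
    Finding("CVE-EXAMPLE-0003", date(2016, 4, 10), None),               # 21 days old: in window
    Finding("CVE-EXAMPLE-0004", date(2016, 4, 28), None),               # 3 days old: not yet
    Finding("CVE-EXAMPLE-0005", date(2015, 12, 1), None),               # 152 days old: overdue
]
SAMPLE_AS_OF = date(2016, 5, 1)


def sample_report():
    """Run the metrics over the constructed sample as of SAMPLE_AS_OF."""
    return patch_metrics(SAMPLE_FINDINGS, SAMPLE_AS_OF)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Both rates are expressed against all findings, which is the reading that makes the report's public-sector figures (30 per cent patched, 33 per cent on time) comparable; if a scanner exports its own SLA, substitute it for `PATCH_SLA_DAYS`. The `open_in_window` list is the operationally useful output: those are the open findings currently in the age band where the report places half of all exploitations.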
In fairness to these sectors, the Verizon report found that only a single-digit percentage of overall breaches involved exploiting a vulnerability.
Kolochenko continued: “I think this highlights the extreme complexity of modern information systems. Our "crown jewels" can be stored in several clouds on different continents, while the access to these clouds can be stored on dozens of computers and mobile devices across the world. Modern targeted attacks involve complicated chained attacks, including social engineering, password re-usage and other not very technical techniques.”
As an aside, the top 10 exploited vulnerabilities in 2015 were: CVE-2001-0876, CVE-2011-0877, CVE-2002-0953, CVE-2001-0680, CVE-2012-1054, CVE-2015-0204, CVE-2015-1637, CVE-2003-0818, CVE-2002-0126, CVE-1999-1058, just in case you wanted to check.
The main theme of the report agreed with this non-technical point, however, finding that phishing techniques are still topping the charts in popularity terms, with 43 per cent of data breaches utilising phishing. There’s an excellent reason for this too, as Verizon calculates that phishing campaigns have a 30 per cent open rate, astonishingly good compared with legitimate marketing newsletters, for example.
On a final, somewhat brighter note, 90 per cent of the data breaches in 2015 followed one of nine common patterns, making them slightly easier to predict and/or prevent than if they were all unique. Analysing 1,935 confirmed breaches and more than 40,000 incidents across the globe, the bellwether Verizon DBIR report is now in its tenth year.