Verizon’s Data Breach Investigations Report (DBIR) has once again hit the streets with much fanfare. The 2017 report is Verizon’s tenth DBIR and details findings from over 42,000 security incidents analyzed by the company in 2016. As expected, the report is packed with information absolutely critical to the success of information security industry.
A major data point stands out in the 2017 DBIR report: the percentage of hacking related breaches involving the misuse of stolen or weak credentials has reached 81%, effectively putting it front and center in terms of tactics being leveraged by attackers. That is four out of five breaches. No other attacker technique detailed by Verizon comes close to this number. To add some perspective: last year Verizon reported that 63% of breaches involved credential misuse. These numbers only serve to solidify what experts in identity security know to be true – credential misuse is an epidemic and is rapidly getting worse. The technique is particularly damaging to the finance and healthcare industries.
As in the 2016 DBIR report, the 2017 DBIR report makes a point to recommend two-factor authentication as a mitigation that organizations can implement to limit the impact and effectiveness of attackers. Verizon’s recommendations are spot on and organizations should take this advice even further. We know that vanilla forms of two-factor authentication are being circumvented, as detailed in the recent hacks exploiting weaknesses in the SS7 network. Verizon also details breaches that involved the use of key-loggers to capture both the base credentials as well as the second factor one time password, and then replaying those credentials to gain access. The National Institute of Standards and Technology (NIST) has gone so far as to recommend the deprecation of SMS as an out-of-band form of authentication.
It’s also important to note that Verizon’s prescient commentary on reducing the effectiveness of stolen credentials can also be taken further – we can completely nullify the impact of stolen credentials by eliminating the use of passwords altogether, i.e. going “passwordless.” A passwordless authentication involves the use of a device (something you have) and a biometric (something you are), along with the analysis of multiple risk factors around the transaction.
Verizon also recommends, when discussing attackers undertaking cyber-espionage, that organizations focus on reducing the impact of these attackers once they are in. This means limiting privilege escalation and lateral movement. Verizon makes a direct claim here that username and password is not enough and that multi-factor authentication should be applied. This also brings to the forefront the idea of identity based threat detection. Identity is a plane of security that spans network and endpoint, and should be a first class citizen. It is the third pillar of security.
A final note of interest in the report comes during the discussion of Distributed Denial of Service (DDoS) attacks, which have seen a resurgence in recent years. Again, this issue touches on the tactic of credential misuse. Evidence presented by multiple sources in the past year show that many of the botnets used in massive scale DDoS attacks are comprised of Internet-of-Things (IoT) devices that have been compromised. This is often because they have weak default credentials. One could make an argument that eliminating the password and implementing stronger authentications schemes for IoT devices is vital to the survival of the Internet.
If you can take one thing away from this report, it’s that identity security is key to today’s security lifecycle. Organizations must move towards the deployment of adaptive authentication techniques and adopt identity based threat detection into their security operations. The risk analysis provided by adaptive authentication can prevent the misuse of stolen credentials with little burden to the end user. I hope that the fantastic research provided by Verizon will further convince organizations re-evaluate their security posture before they become the next breach.
Contact us to see how SecureAuth prevents the misuse of stolen credentials