The bottom line: test email filtering and replace it if too many phishing attacks are getting through. Limit the damage when employees do click on links by segmenting the network so that attackers find it harder to move around, and require layered authentication rather than static passwords to move from one segment to another.
What happens after a successful phishing attack? Often, credential theft, which Verizon found in 1,474 incidents of data disclosure. Armed with usernames and passwords harvested through phishing, spyware or keylogging, attackers can often roam networks at will and undetected, looking for further targets including, ironically, systems protected only by default passwords.
The weakness here is simply that too many organisations rely on the brittle security of password-only systems when two-factor authentication (2FA) is now needed to raise the bar. "Your average organisation using that would be less likely to be breached," argues Dine.
The bottom line: two-factor authentication is no longer optional.
Hand in hand with phishing goes the dogged issue of software flaws, which Verizon estimates take a median of 30 days to be exploited by criminals after they become public, although many are being used after only ten days. There are some interesting patterns here: Adobe flaws are exploited in around 30 days on average, Microsoft flaws in perhaps 100, and Mozilla flaws in more than 200 days.
The problem is that organisations have to patch new flaws in some order, and that order isn't always easy to prioritise. But one point jumps out: old flaws are still the most commonly wielded. Analysing exploited CVEs (Common Vulnerabilities and Exposures), Verizon found that those from 2007, 2010 and 2011 outnumbered those from 2015.
This is because it's simple for attackers to try every flaw in an automated way until they hit one that hasn't been patched on what may be only a small number of machines at a company. At the same time, nearly nine out of every ten successful exploits are based on a core hit parade of only ten vulnerabilities.
"People don't know their environments 100 percent. They forget about the old machines in the corner that aren't on any patch schedule," says Dine.
The bottom line: security teams should pay attention to the flaws attackers are actually targeting rather than simply worrying that a given flaw exists.
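One way to act on that advice is to rank patch work by evidence of exploitation, by whether the host sits outside any patch schedule, and only then by age, instead of working through the newest CVEs first. The script below is an added example written for this article, not code from Verizon or Computerworld. Its inventory, its set of exploited flaws and its exploit counts are constructed for illustration and the identifiers are synthetic placeholders, not real CVEs; in a real deployment the exploited set would come from a threat-intelligence feed or a known-exploited-vulnerabilities catalogue.

```python
"""Rank patch work by evidence of exploitation, not by whether a flaw exists.

Added example for this article. The inventory, exploited set and exploit
counts below are constructed; the "CVE-YYYY-EXnn" identifiers are synthetic
placeholders, not real CVE IDs.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed: identifiers observed being exploited in the wild.
EXPLOITED_IN_WILD = {"CVE-2007-EX01", "CVE-2010-EX02", "CVE-2011-EX03", "CVE-2015-EX04"}

# Constructed: how often each identifier appeared in exploitation telemetry.
EXPLOIT_COUNTS = Counter({
    "CVE-2007-EX01": 40, "CVE-2010-EX02": 25, "CVE-2011-EX03": 15,
    "CVE-2015-EX04": 10, "CVE-2016-EX05": 2, "CVE-2016-EX06": 1,
})

# Constructed reference date for the age calculation.
TODAY = date(2016, 5, 1)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                 # synthetic identifier
    published: date          # when the flaw became public
    on_patch_schedule: bool  # False = "the old machine in the corner"


def priority_key(f: Finding, today: date) -> tuple[int, int, int]:
    """Higher tuple means patch sooner:
    1) flaws exploited in the wild beat everything else;
    2) hosts outside any patch schedule need manual attention;
    3) among equals, older public flaws first (more exploit tooling exists)."""
    exploited = int(f.cve in EXPLOITED_IN_WILD)
    unscheduled = int(not f.on_patch_schedule)
    age_days = (today - f.published).days
    return (exploited, unscheduled, age_days)


def prioritise(findings: list[Finding], today: date) -> list[tuple[str, str]]:
    """Return (host, cve) pairs in the order they should be patched."""
    ordered = sorted(findings, key=lambda f: priority_key(f, today), reverse=True)
    return [(f.host, f.cve) for f in ordered]


def unscheduled_hosts(findings: list[Finding]) -> set[str]:
    """Hosts carrying findings but sitting outside every patch schedule."""
    return {f.host for f in findings if not f.on_patch_schedule}


def top_n_coverage(counts: Counter, n: int) -> float:
    """Share of exploitation events explained by the n most-used flaws."""
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return top / total if total else 0.0


# Constructed inventory: a few hosts and the unpatched flaws found on them.
FINDINGS = [
    Finding("web-01", "CVE-2015-EX04", date(2015, 3, 1), True),
    Finding("web-01", "CVE-2016-EX05", date(2016, 4, 1), True),
    Finding("legacy-print", "CVE-2007-EX01", date(2007, 1, 15), False),
    Finding("db-02", "CVE-2010-EX02", date(2010, 6, 1), True),
    Finding("db-02", "CVE-2016-EX06", date(2016, 2, 1), True),
]

if __name__ == "__main__":
    for host, cve in prioritise(FINDINGS, TODAY):
        flag = "EXPLOITED" if cve in EXPLOITED_IN_WILD else "-"
        print(f"{flag:9} {host:13} {cve}")
    print("hosts outside patch schedule:", sorted(unscheduled_hosts(FINDINGS)))
    print(f"top 4 flaws cover {top_n_coverage(EXPLOIT_COUNTS, 4):.0%} of exploit events")
```

Run as-is, the nine-year-old flaw on the unscheduled printer server comes out at the top of the list and the 2016 flaws, which nobody is exploiting, at the bottom; `top_n_coverage` is the check that tells you how much of observed attacker activity a short patch list actually removes.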
Web application attacks
Accounting for 908 confirmed data breaches, attacks that break into websites probably fit most people's image of a security incident. Large numbers of these were reported to the firm, but many turned out to be simple defacements or the repurposing of servers for some other criminal task such as launching DDoS attacks. The Dridex botnet appears to be a big player.