Verizon’s Data Breach Investigation Report is essentially the infosec report card.
It comes out just before summer vacation and gives us a ~120-page snapshot of the state of security.
The results, like my report cards back then, are rarely surprising and always a bit disappointing. At least Verizon’s reports are well written, and after 15 years of publication this one was no different.
Reading the report, a few statistics and trends emerged that are worth exploring because they tell us something important about where we are in the evolution of cloud-based work, and where we need to go if we want to stay safe.
It will come as no surprise that credentials remain the number one cause of breaches
For the millionth year in a row, credentials continue to top the pack, taking credit for a whopping 63% of breaches in the study.
The reason credentials continue to rule is quite simple. Using stolen or compromised credentials lets an attacker impersonate a legitimate user, which frankly saves a lot of the time and effort of breaking in.
Credentials equal access, and privileged or not, they give attackers a foot in the door. They can use the access those credentials grant to reach the information they are targeting, or try to escalate privileges to reach more important and valuable data.
Once attackers are inside their target systems, they naturally seek to steal more credentials.
According to the researchers, there has been an almost 30% increase in stolen credentials since 2017, making stolen credentials the gift that keeps on giving and a clear fan favorite among hackers looking for something to steal. Credentials are even more popular than payment information, ranking alongside personal information that can be used for ransom or fraud.
Indeed, the only thing a hacker loves more than finding something valuable is having access to more valuable bits and bytes.
Insider threats remain rare but very impactful
Organizations are constantly concerned about the insider threat. It’s a deeply troubling feeling that someone in your business might be planning to cause harm. And when stories of a particularly vicious incident hit the papers, it’s always messy.
The report contains both good and bad news on this front.
On the negative side, even though the overall median number of stolen records has dropped dramatically, down to 80,000, insider incidents still involve much larger thefts when they do occur.
Fortunately, the researchers say malicious insider attacks, which they call “abuse of privilege,” are far less common than those from outside actors.
What they haven’t addressed as much is that an otherwise benign, legitimate user can be compromised, usually through stolen credentials or phishing, and essentially become an insider threat.
The more access the compromised identity has, the more damage it can cause.
The security controls of your suppliers and partners are important
Supply chain attacks are believed to be responsible for 62% of system intrusions, showing how vulnerable we are to factors beyond our direct control.
While we may not think of how another organization manages its security as directly impacting our own, in this age of hyper-interconnectivity and reliance on multiple vendors, it should be a priority for us.
Asking vendors what components they use in their software products has become much more common, but we’re still a long way off when it comes to verifying whether our vendors take identity security seriously.
Just as we are exposed to compromises and breaches, and must defend ourselves accordingly, our suppliers and partners must take similar measures not only to protect themselves, but also to protect us.
It is then up to us to find out about their security measures, and understand if they are sufficient to minimize the risk to a tolerable level.
5 tips to mitigate the risk of compromised credentials
Looking at these trends above, we need to take steps to reduce our risk of significant damage in the event of a compromise.
Below are some good starting points.
Configure your cloud properly and securely
13% of breaches stemmed from misconfigured cloud storage, highlighting the challenge of good posture management. AWS makes S3 buckets private by default, but they can still be misconfigured quite easily to grant far too much access.
Ensure that only the intended people or machines have access to your cloud resources, especially the easily accessible ones.
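As an added example (not code from the original post or from Authomize), the following Python checks a bucket policy for the kind of misconfiguration described above: an Allow statement open to any principal. It contrasts a constructed public policy with a corrected one that names a single role; the account ID and role ARN are made up.

```python
import json

# Constructed example of a bucket policy that grants far too much access: an Allow for
# Principal "*" with no Condition makes every object readable by anyone on the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Corrected policy: only one named role (constructed ARN) in the account may read objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

def is_wildcard_principal(principal):
    """True when the principal is "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_public_statements(policy_json):
    """Return the Sids of Allow statements open to any principal with no Condition at all."""
    # A Condition does not make a wildcard statement safe (a broad aws:SourceIp range is
    # still risky); such statements are left for a human reviewer instead of flagged here.
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and is_wildcard_principal(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]
```

Run `find_public_statements` over each bucket's policy document as part of posture checks; an empty result means no unconditional public grant, not that the policy is tight overall.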
Enable multi-factor authentication
MFA is always a good first step and, at the very least, a must for all privileged identities.
The technology is far from foolproof, as attackers get smarter at socially engineering MFA codes out of well-meaning users. Still, according to Microsoft, MFA should stop over 99% of attacks, so be sure to enable it for your users.
If you can, avoid SMS text messages and codes. Instead, opt for push notifications to a “trusted” device such as the user’s phone, or better yet, opt for a YubiKey.
Achieve a secure baseline of least privilege
Limit access by adhering to the principle of least privilege. It’s the concept that we want to grant users only the access they need to do their job. No more no less.
By keeping access restricted, we can prevent an attacker who has compromised an identity from getting too deep into our organization’s assets.
The way to achieve least privilege is through access reviews, in which each identity (human and machine) has its access privileges reviewed by the relevant application managers and owners. Any excessive privileges, such as those with no justification in the identity’s role or that simply go unused, can be revoked, reducing the attack surface open to attackers.
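To make the access review concrete, here is an added Python example (not the post’s or Authomize’s code) that takes constructed entitlement and last-used data and produces the revocation candidates a reviewer would act on: grants never used, grants unused for 90 days, and a hypothetical list of high-risk permissions an owner must justify even when in use.

```python
from datetime import date, timedelta

# Constructed sample data (not real identities): the entitlements granted to each identity,
# human and machine, and the date each entitlement was last exercised, as an access review
# tool would collect them from the cloud provider's last-used data.
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "iam:CreateUser"},
    "ci-deployer": {"ecr:PutImage", "iam:PassRole", "ec2:TerminateInstances"},
    "bob": {"s3:GetObject"},
}
LAST_USED = {
    ("alice", "s3:GetObject"): date(2022, 6, 1),
    ("alice", "s3:PutObject"): date(2022, 5, 28),
    ("ci-deployer", "ecr:PutImage"): date(2022, 6, 2),
    ("ci-deployer", "iam:PassRole"): date(2022, 6, 2),
    ("bob", "s3:GetObject"): date(2021, 11, 3),
}
REVIEW_DATE = date(2022, 6, 15)  # constructed date on which the review is run
# Hypothetical list of permissions the owner must justify even when they are in use.
HIGH_RISK = {"iam:CreateUser", "iam:PassRole", "ec2:TerminateInstances"}

def review_access(granted, last_used, today, unused_days=90, high_risk=HIGH_RISK):
    """Return (identity, permission, reason) tuples for each grant an owner should act on:
    never used, unused longer than unused_days, or high-risk and in need of justification."""
    cutoff = today - timedelta(days=unused_days)
    findings = []
    for identity, perms in granted.items():
        for perm in sorted(perms):
            used = last_used.get((identity, perm))
            if used is None:
                findings.append((identity, perm, "never used, revoke"))
            elif used < cutoff:
                findings.append((identity, perm, f"unused since {used.isoformat()}, revoke"))
            elif perm in high_risk:
                findings.append((identity, perm, "high-risk, owner must justify"))
    return findings

def revoke(granted, findings):
    """Apply the review: return a copy of the entitlements with every revocation removed."""
    result = {ident: set(perms) for ident, perms in granted.items()}
    for identity, perm, reason in findings:
        if reason.endswith("revoke"):
            result[identity].discard(perm)
    return result
```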
Continuously monitor to maintain security and compliance
Once you reach a state of least privilege, the challenge is to maintain it over time.
That’s quite the mission when users move in and out of the organization, grant new access privileges to colleagues or external partners, and take other actions that, while legitimate, may put security at risk.
Continuously monitor changes in access privileges. This may include an identity suddenly receiving administrator access, being able to assume new roles, or other incidents and activities that may indicate risk.
Secure your IAM infrastructure
The identity and access management systems such as identity providers (IdPs) that we use to manage our identities and access must be secured like any other solution.
Attackers are increasingly looking to undermine IAM tools as part of their attack due to their central role in granting access to resources.
We need to monitor our IAM tools using a separate mechanism, looking for attempts to exploit these solutions. The reason why using an independent solution is so important is for the same reason that we separate tasks between, for example, the person who processes payments and the person who approves transfers.
Since our IAM tools themselves may be compromised, we need to monitor them externally if we want to ensure their security and integrity.
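As an added example serving both the monitoring section above and the point about watching IAM tools from an independent mechanism, the following Python runs simple detections over constructed audit events (a generic shape, not any vendor’s real format) as they would arrive in a separate log store: an identity suddenly receiving an admin role, a self-granted admin role, a new assumable role, and an MFA policy being relaxed. This is not code from the original post or from Authomize, and the role names are hypothetical.

```python
# Constructed audit events in a generic shape (not any vendor's real log format), as they
# would arrive in a log store that is independent of the IdP/IAM system that produced them.
EVENTS = [
    {"ts": "2022-06-10T08:01:00Z", "actor": "alice", "action": "role.assign",
     "target": "bob", "detail": "Administrator"},
    {"ts": "2022-06-10T08:05:00Z", "actor": "alice", "action": "login",
     "target": "alice", "detail": "ok"},
    {"ts": "2022-06-10T08:09:00Z", "actor": "svc-sync", "action": "policy.attach",
     "target": "role/reporting", "detail": "sts:AssumeRole on role/prod-admin"},
    {"ts": "2022-06-10T08:12:00Z", "actor": "carol", "action": "mfa.policy.update",
     "target": "org", "detail": "required=false"},
    {"ts": "2022-06-10T08:15:00Z", "actor": "carol", "action": "role.assign",
     "target": "carol", "detail": "Owner"},
]

ADMIN_ROLES = {"Administrator", "Owner"}  # hypothetical names of the highest-privilege roles

def detect_risky_changes(events):
    """Return (ts, rule, description) for each event that indicates privilege or IdP risk."""
    findings = []
    for e in events:
        act, who, tgt, det = e["action"], e["actor"], e["target"], e["detail"]
        if act == "role.assign" and det in ADMIN_ROLES:
            # An identity suddenly receiving admin; granting it to yourself is worse still.
            rule = "self-admin-grant" if who == tgt else "admin-grant"
            findings.append((e["ts"], rule, f"{tgt} given {det} by {who}"))
        elif act == "policy.attach" and "sts:AssumeRole" in det:
            # A principal can now assume a new role, widening its reach.
            findings.append((e["ts"], "new-assumable-role", f"{tgt}: {det} (by {who})"))
        elif act.startswith("mfa.") and "required=false" in det:
            # The IdP itself is being weakened; this must be seen by the external monitor.
            findings.append((e["ts"], "idp-weakened", f"{who} relaxed MFA policy on {tgt}"))
    return findings

def rule_counts(findings):
    """Summarise findings per rule, useful for a daily digest or alert threshold."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts
```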
Compromise is a matter of timing, so start preparing
The authors give readers an important reminder with one of the best quotes from the report, writing that “Unfortunately, if you can access the asset directly on the internet simply by entering the credentials, so can the criminals.”
And in the increasingly cloud-centric way of working, identities and their associated credentials are both the perimeter and the key to accessing all the valuable and sensitive assets your organization is trying to protect.
Credentials can and will be compromised. The more identities your organization has, the more opportunities there are for those credentials to be exposed.
So, without being fatalistic about it, we need to think of compromise as a matter of when, not if, and follow that quickly with how we limit the damage.
The first step is to understand who has access to which assets and how that access is used. Once we are able to visualize and contextualize our access data, we can make smarter decisions about how to secure it.
For more information on how Authomize’s Cloud Identity and Access Security Platform enables organizations to mitigate risk and secure their IAM, please visit us and request a free evaluation.
The post 3 Trends from Verizon’s 2022 Data Breach Investigations Report appeared first on Authomize.
*** This is a Security Bloggers Network syndicated blog from Authomize written by Gabriel Avner. Read the original post at: https://www.authomize.com/blog/3-trends-from-verizons-2022-data-breach-investigations-report/