New threats, old tricks

Verizon's latest Data Breach Investigations Report finds hackers using old techniques to compromise corporate IT and steal data

Inside the Enterprise: In the IT security world, as in so much of technology, there is a fascination with the new. Identifying new and emerging threats is an obsession, and a business, for plenty of people in the industry. CIOs need to be kept abreast of any new risks their organisations might face.

Hackers, though, appear less fixed on new techniques. According to the latest Data Breach Investigations Report, compiled by Verizon, criminals are relying on phishing and hacking methods that have been around for years, if not decades.

Verizon which carries out this research annually says that 70 per cent of cyberattacks are now combined or blended attacks, using a mix of methods to overcome enterprises' defences. These include social engineering and phishing as well as hacking.

As many as 70 per cent of the attacks also use a secondary victim, making defence and attribution harder.

But Verizon is also warning that too many attacks are able to make use of vulnerabilities and exploits that could and should have been patched some time ago. Researchers found significant numbers of vulnerabilities that dated back to 2007. Even in a busy IT department, there are few excuses for leaving a vulnerability unpatched that long.

Simple errors or oversights of this type such as failing to apply patches, update security software or hardware, or to keep up employee training only serve to make cybercriminals' work easier.

It also allows hackers to exploit another trend: for malware to sit on systems, undetected, for long periods of time. So-called "advanced persistent threats" set out to be stealthy, so they can avoid the attention of security teams and extract data over an extended period of time.

Hackers are also hiding malware on organisations' networks, often using known vulnerabilities, or be activated to attack networks later, at will.

As Verizon's researchers point out, the fact that hackers are exploiting known and often old vulnerabilities means that many of the current attacks could be stopped.

The company points to some fairly measures to do this, including raising security awareness, using two-factor authentication and encryption, prompt patching and paying attention to both physical and virtual security.

Financially, this also makes sense. One interesting part of this year's Verizon DBIR is the attempt to quantify the cost of breaches.

The firm has reviewed almost 200 cyber insurance claims, and found that a breach involving the loss of 10 million records ranges between $2.1 million and $5.1 million and could even cost as much as $74 million. "We now know that it's rarely, if ever, less expensive to suffer a breach than to put the proper defence in place," said Verizon's Mike Denning.

If that's not an incentive to review security policies, then it is hard to know what is.

 Stephen Pritchard is a contributing editor at IT Pro.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Recommended

How to protect against a DDoS attack
Security

How to protect against a DDoS attack

17 Sep 2020
Fitness Depot notifies customers of data breach
data breaches

Fitness Depot notifies customers of data breach

8 Jun 2020
Printing company exposes 343GB of sensitive military data
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google takes on Zoom with launch of Meet hardware
video conferencing

Google takes on Zoom with launch of Meet hardware

16 Sep 2020