New threats, old tricks

Verizon's latest Data Breach Investigations Report finds hackers using old techniques to compromise corporate IT and steal data

Inside the Enterprise: In the IT security world, as in so much of technology, there is a fascination with the new. Identifying new and emerging threats is an obsession, and a business, for plenty of people in the industry. CIOs need to be kept abreast of any new risks their organisations might face.

Hackers, though, appear less fixed on new techniques. According to the latest Data Breach Investigations Report, compiled by Verizon, criminals are relying on phishing and hacking methods that have been around for years, if not decades.

Verizon, which carries out this research annually, says that 70 per cent of cyberattacks are now combined or blended attacks, using a mix of methods to overcome enterprises' defences. These include social engineering and phishing as well as hacking.

As many as 70 per cent of the attacks also use a secondary victim, making defence and attribution harder.

But Verizon is also warning that too many attacks are able to make use of vulnerabilities and exploits that could and should have been patched some time ago. Researchers found significant numbers of vulnerabilities that dated back to 2007. Even in a busy IT department, there are few excuses for leaving a vulnerability unpatched that long.

Simple errors or oversights of this type, such as failing to apply patches, update security software or hardware, or keep up employee training, only serve to make cybercriminals' work easier.

It also allows hackers to exploit another trend: for malware to sit on systems, undetected, for long periods of time. So-called "advanced persistent threats" set out to be stealthy, so they can avoid the attention of security teams and extract data over an extended period of time.

Hackers are also hiding malware on organisations' networks, often using known vulnerabilities, so that it can be activated to attack networks later, at will.

As Verizon's researchers point out, the fact that hackers are exploiting known and often old vulnerabilities means that many of the current attacks could be stopped.

The company points to some measures to do this, including raising security awareness, using two-factor authentication and encryption, prompt patching and paying attention to both physical and virtual security.

Financially, this also makes sense. One interesting part of this year's Verizon DBIR is the attempt to quantify the cost of breaches.

The firm has reviewed almost 200 cyber insurance claims, and found that the cost of a breach involving the loss of 10 million records ranges between $2.1 million and $5.1 million, and could even be as much as $74 million. "We now know that it's rarely, if ever, less expensive to suffer a breach than to put the proper defence in place," said Verizon's Mike Denning.

If that's not an incentive to review security policies, then it is hard to know what is.

 Stephen Pritchard is a contributing editor at IT Pro.
