For all the talk about sophisticated methods hackers are beginning to use, most cyberattacks succeed using basic methods that take advantage of IT mistakes and human errors made by organizations, according to a study of data breaches from 2011 recently released by Verizon.
Hackers used relatively simple methods for 97% of the 855 data breaches examined in the study, Verizon says. The most common methods of attack included:
- using passwords that were stolen, guessed or obtained through dictionary or brute force attacks
- using malware to open network backdoors or transmit sensitive data, and
- installing spyware or keyloggers on user machines to steal credentials.
Also, in 80% of the incidents, hackers attacked “victims of opportunity” — meaning poorly defended sites that caught attackers’ eyes, rather than targets they specifically sought out.
That may go against the thinking of many in management that their organizations won’t be targeted because they’re too small. But the study shows that while organizations such as large financial institutions are often specifically targeted, the majority of data breaches occur because attackers happened to find vulnerabilities that were easy to exploit.
What are most companies doing that leaves their data vulnerable to hackers? Many of the organizations studied in Verizon’s breach report failed to take some basic security precautions. The most common mistakes included:
- Protecting systems with default or easily guessable passwords — The majority (58%) of breached companies said they never changed vendor-supplied defaults for passwords and other security parameters for some of their systems. Also, other studies have shown that many user machines and IT systems are protected by simple, common passwords.
- Giving users access to data they don’t need — Just 36% of the organizations in the study said they restrict access to data on a need-to-know basis. As more users have access to sensitive data, the chance of a data breach caused by an insider threat increases, and outside hackers have more opportunities to steal or guess passwords.
- Failing to install and maintain firewalls — While the majority of large organizations (those with 1,000 or more employees) in the study had installed firewalls, the same can’t be said for other firms. Overall, just 29% of data breach victims used firewalls to protect data. Organizations have many devices that face the Internet, including servers and user machines, and all should be equipped with firewalls.
- Using out-dated procedures and security software — Only 23% of the companies in the study said they regularly update their anti-virus software. Most data breach victims also failed to regularly test their security systems and processes.
- Failing to monitor and detect suspicious network traffic — Many of the breaches in the study were carried out by hackers who used malware to open backdoors on networks or leak sensitive data from the organization’s network. Often, those breaches were able to continue because the company failed to notice data leaving the network. Verizon recommends organizations increase their monitoring and use techniques such as egress filtering to block suspicious outgoing traffic.
To learn more, download Verizon’s data breach report.