The 2020 Verizon DBIR: Is it the humans, stupid, or the stupid humans?
You could be forgiven for wondering if the organizers of the most recent RSA Conference and the research team behind this year’s Verizon Data Breach Investigations Report (DBIR) were in cahoots.
The RSA theme was “The Human Element.” And one of the major findings of the DBIR, which dropped a couple of weeks ago, was that phishing, stolen credentials and human error are consistently among the top attack vectors resulting in data breaches. As in, the human element.
This should not be a stunning revelation. It is humans, after all, who design, build and use technology systems, networks and products.
If those are built with vulnerabilities or are used incorrectly or carelessly, they can put people and organizations at risk. Also, if the humans managing those digital assets fail to keep track of them or to update them, they are asking for trouble as well.
Not that malware has gone away — regular ransomware attacks are proof enough of that. But the report noted that in 2019 “trojans and malware scrapers declined. As time goes on, it appears that attackers become increasingly efficient and lean more toward attacks such as phishing and credential theft.”
Indeed, one of the core messages of the report is that “other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence.”
“So, while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker’s toolbox in simpler attack scenarios.”
It’s important to note, however, that the “human element” is not one-dimensional. While the primary human attack vector is average users, who are generally not tech savvy, there are also technology managers, who by definition require some tech expertise.
Average users generally don’t need tech expertise, just as most people are perfectly good at driving their cars without being good mechanics. They have no trouble using technology at home or in the office without needing to understand everything behind it.
Still, information technology (IT) is trickier than driving a car. Average users don’t need to be able to build or repair software, but they do need to be savvy to cyberattacks — especially the most common ones like phishing and other social engineering techniques.
If they aren’t, they are more prone to click on a malicious link, send money to the account of an attacker posing as an executive or give up their password or other authentication information.
And as daily headlines remind us, and as the DBIR reported, that happens thousands of times a year. For 2019, the Verizon team logged 3,950 data breaches. That means data were not only compromised but also exposed, not just put at “potential” risk. That’s an average of 11 per day, just from the data pool Verizon used.
The template is here
The irony is that for at least as long as the DBIR has been around — 13 years — there has been an effective template to counter those attacks on human users.
The umbrella term is “security awareness” and it means putting time and money not just into training your “human element,” but also into making it easier and instinctive for them to be more secure.
Jonathan Knudsen, applications engineer at Synopsys, said that training is important, but it has to be much more frequent than holding a session or two every year and then forgetting about it until next year. Because your trainees will forget too. The reality is that “users won’t retain the training,” he said, “so you need to do live practice phishing on your own users to reinforce it.”
And because it only takes one click on a link or downloading of an attachment to open the door to attackers, “provide additional protection for links and attachments,” he said.
Lance Spitzner, director at SANS Security Awareness, who has been doing security awareness training for more than a decade, agrees that humans are the primary attack vector. But he continues to insist that people are an organization’s greatest security asset if they are properly trained.
“As for what to do, it’s the same as before,” he said. “Make security simpler for people. The problem with passwords is not people but what we teach them about passwords,” which is to make them long and complex and to change them every few months.
He and other experts have been saying for a few years now that the “change your password regularly” mantra needs to be retired. The reason? When people are forced to do that, they tend to use weaker passwords, which ends up making security weaker.
The good news on the password front is that finally there is technology available to render them obsolete. Just this past week, the FIDO (Fast IDentity Online) Alliance launched a website for consumers to help them move into passwordless authentication.
The alliance’s “I-Mark” standard (like WiFi, or Bluetooth) displays an icon if a website uses it. It works on any web browser and on all devices — smartphones, desktop or laptop computers, tablets or smartwatches. It lets the user authenticate with a biometric, security key or local PIN.
And it makes stealing credentials vastly more difficult, because those credentials remain on the device and are never stored on a central server.
Managing means keeping track
But as noted above, the human element goes beyond average users. While it is not a top attack vector, it also applies to those who manage the software that powers their business. Most organizations of any size use hundreds to thousands of apps. Those apps are built with thousands of software components assembled from multiple sources. Some of it is proprietary — the company builds it internally. The rest is either commercial or open source.
And if nobody is keeping track of all those components, it could put a company at even more risk than one that doesn’t keep track of its supply chain for the parts used in the machines it builds.
But that is sometimes the case, the DBIR found.
The researchers looked at “two sets of servers hosted on public IP addresses: ones vulnerable to an Exim vulnerability discovered in 2019 and randomly chosen IPs.”
They found that hosts vulnerable to the Exim vulnerability “were also vulnerable to 10-year-old SSH vulnerabilities much more frequently than the random sample.”
“The takeaway is that it wasn’t just the Exim vulnerability that wasn’t patched on those servers. NOTHING was patched.”
They got similar results looking at vulnerability scan data of organizations with the Eternal Blue vulnerability present on their systems and those without it.
“The systems that were vulnerable to Eternal Blue were also vulnerable to everything from the last decade or two.”
In other words, some humans were pretty good at tracking and keeping their digital assets up to date, while others were really lousy at it.
The fix for that is not easy, but it is obvious. Keep an inventory, or bill of materials (BOM), of your digital assets. And keep those assets up to date. That means applying patches to vulnerabilities as soon as they are available. As the mantra from security experts puts it, you can’t protect what you don’t know you have.
You can’t do it manually unless you can afford to hire a team to do nothing but hunt through software components all year. But there are automated tools to get you most of the way.
One of the most effective tools — software composition analysis (SCA) — can help find and fix both security vulnerabilities and potential licensing conflicts in open source software components, which are in many cases more than 90% of the software in web applications.
Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center (CyRC), said the chances of an attacker succeeding in exploiting a vulnerability are “directly related to both a patch management strategy and how accurate the software asset management list matches what’s currently deployed. The exploit becomes actionable if there is any software that isn’t part of the asset manifest (or BOM), which then means it’s likely missing patches.”
Or as his colleague Knudsen puts it, “You cannot take a piecemeal approach to cybersecurity; it doesn’t do any good to get steel-reinforced doors with titanium deadbolts if you leave your windows unlocked.”
Bottom line, as the Verizon DBIR lays out in 119 pages (including appendices) of exhaustive detail: Security is enabled by technology, but it succeeds or fails based on humans practicing basic “security hygiene.”
“We could see a material reduction in breaches if basic principles such as securing S3 buckets, applying password security to databases, having a patch management strategy and applying reasonable malware protections were in place,” Mackey said.