2017 Verizon Data Breach Investigations Report from the Perspective of Exterior Security Perimeter

The 10th annual Verizon Data Breach Investigations Report is out now with more than 70 pages of insights and about 60 charts and graphs, based on more than 40,000 incidents and almost 2,000 confirmed breaches. Our very own Tin Zaw, Director of Security Solutions, and Richard Yew, Senior Product Manager — Security Solutions, offer their perspectives on the five key takeaways from the perspective of exterior perimeter or “edge” security.

Content Delivery Networks (CDNs) have evolved from the days when they only delivered static web content, such as images and video files. Today, they also act as an accelerator for dynamic web and mobile transactions. As more security technologies, such as DDoS mitigation and Web Application Firewalls, are integrated into the CDNs, they become extended security perimeters for corporate data centers and core cloud infrastructure. Attempts to exploit or interrupt web services can now be detected and mitigated by the CDNs at the edge of the internet.

From that perspective of security at the edge, we analyzed the 2017 edition of the Verizon Data Breach Investigations Report (DBIR). Here are our key takeaways:

Patterns of incidents and breaches vary by industry verticals. Payment card skimmers love retail kiosks (where money is) while cyber-espionage focuses on manufacturing (where trade secrets are). Credential stuffers love retail websites and DDoS extortionists focus on the finance industry. The DBIR highlights the need for a tailored defense strategy and helps you focus your security efforts based on threats relevant to your industry.

Denial of Service (DoS) attacks affect many industries. But finance, retail and information/technology are the most affected and are the leading cause of all incidents. Our experience shows that network layer DoS attacks are often blended with web application attacks. When your adversary uses multiple tools, you need a layered defense with best-of-breed technologies. When your attacker uses botnets of thousands of compromised machines, you need a cloud large enough to handle it.

Web application attacks are responsible for breaches more than any other method. While DoS attacks disrupt websites (affecting A in CIA triad, for those who studied for CISSP), web exploits leak data (causing I in STRIDE, for those who have done threat modeling). Our own experience in managing Web Application Firewalls (WAFs) show that the oldest tricks in the book — like SQL injection — are still abound, and new weaknesses — like Apache Struts2 vulnerability — come to light on a regular basis. WAF must be a part of standard web application architecture.

Outsiders are the troublemakers. For three industries — finance, retail and information/technology — external threat actors are responsible for more than 90% of incidents, with 75% of breaches caused by outsiders. This data speaks for itself on where to focus your defenses.

Weak or stolen passwords are responsible for more than 80% of hacking related breaches. Combine it with the fact that there are armies of botnets with millions, or perhaps billions, of stolen credentials to reuse against websites. It’s not enough to just stop these attempts to exploit vulnerabilities. We need to protect against abuse of legitimate features — such as the login page — as well.

Figure 1. Leading causes of breaches and incidents in 2016

One last thing
Money is at the root of the evil here. Most of the breaches (about three in four) and incidents in the report are financially motivated, whether they originate externally (from the bad, old internet) or internally (from your “trusted” office network). It is also evidenced by rise of ransomware along with ransom notes, perhaps the most profitable form of writing. Our experience shows that ransom notes can prelude DoS attacks as well.

Fortunately you can hide behind the clouds. Verizon’s Edgecast CDN offers multiple layers of security filtering, from stopping volumetric DDoS attacks and mitigating web application exploits to managing more contemporary threats, such as those generated by unwanted web automation.

Eager to learn more about the threats discussed in the DBIR? Check out perspectives from Jay Yanko, our resident expert on the retail, travel and hospitality industries.

Tin Zaw, Director of Security Solutions, Verizon Digital Media Services
Richard Yew, Senior Product Manager — Security Solutions, Verizon Digital Media Services