Passwords Aren’t Enough: 76% of Breaches Exploit Stolen Credentials
The latest 2013 Verizon Breach Report found that 76 percent of network intrusions exploited weak or stolen credentials, putting passwords squarely in the limelight.
When it comes to social engineering attacks, phishing emails make up the majority of attack methods targeted at large companies, coming in at 82 percent. Phishing attacks aren’t new at all, but they are very effective when it comes to stealing passwords in order to access internal networks. With 92 percent of breaches being perpetrated by outsiders, protecting user logins is critical to maintaining data security.
Who’s Being Targeted?
Additionally, the retail industry is a prime target victimized by these breaches, coming in as the top industry at 22 percent, with another 38 percent affecting financial organizations at large. We’ve seen an example of this in the recent financially-motivated attacks at large retailers, namely Target, Neiman Marcus and Michael’s. Read about other retail breaches in 3 Retail Breaches, 1 Solution: 2 Factor Authentication.
Manufacturing and Information follow at 12 and 10 percent of organizations victimized, respectively. Another 38 percent of breaches impact large organizations, which often have complex business models, with many vendors and third-parties that may have user access to networks.
Threat Actors: Who’s Stealing What
The Verizon Breach Report also includes “threat actor” profiling, that is, breaking down what kind of hacker goes after what kind of organization in order to steal certain types of data.
For organized crime, that is, primarily financially motivated, hackers go after payment cards, credentials and bank account info stored at POS terminals and databases by using many different types of malware and hacking methods.
For state-affiliated crime, hackers target manufacturing, professional and transportation organizations seeking credentials, internal data and trade secrets stored on file, mail or directory servers by using malware, hacking and phishing to steal credentials.
For activist crime, attackers target web apps, databases and mail servers containing personal info, credentials, and internal data from information, public and other services by using malware and stolen credentials.
Another type of attacker includes insiders - more than half are former employees who were able to access systems via backdoors or corporate accounts that were never disabled; they also attempted to gain passwords through exploitation of a trusted relationship, falling under the social engineering umbrella.
All of these types of threat actors have one thing in common: they exploit stolen credentials to get the data they’re after.
As Verizon stated eloquently:
Passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80 percent of these attacks to adapt or die. - 2013 Verizon Breach Report.
So what would count as a “suitable replacement?” Perhaps the answer is to add a second factor to the first in order to create a layered security defense. Using out-of-band authentication, that is using two separate networks or channels to identify a user can provide a sufficient amount of security.
With the first channel being the use of username/password, by using a second channel that requires something you have (a device or personal phone), you can defend against an attacker that has stolen credentials remotely.
Find out more in Why Two-Factor?