Verizon DBIR 2014: Stolen Credentials to Blame, Again and Again
One notable difference between last year’s Verizon Data Breach Investigations Report (DBIR) and this year’s is the repeated references to two-factor authentication as a major security recommendation to protect against all types of threats.
The reasoning behind that is pretty simple: the use of stolen credentials was the top threat action identified in the report, as an article by Threatpost emphasized. One of the report’s authors even called out two-factor as a response to the results of their analysis:
“One recommendation we repeat is the implementation of two-factor authentication because credentials are such a sought-after data variety,” Verizon DBIR co-author Marc Spitler said as reported by Threatpost, referring to the widespread use of credentials across the different types of attacks.
This year’s DBIR classified nine different types of threats to a diverse range of industries and organizations. Just a few of those include:
Point-of-Sale (POS) Intrusions
For a number of POS intrusions, including remote attacks against environments with retail transactions (food services and retail industries), many of the threats can be attributed to “truly awful passwords.”
The report details how attackers used stolen POS vendor credentials to access the internal network of a victim company, then installed malware that transmitted stolen data offsite. In one particular case, a breached POS vendor was using the same password for many different organizations they managed, meaning it was essentially a default password that attackers were able to use against their entire customer base.
When it came to hacking, the top three methods included brute force (53 percent), the use of stolen credentials (38 percent) and offline cracking (9 percent).
Two-Factor to Protect Against Point-of-Sale (POS) Intrusions
As one of their top recommended controls for POS intrusions after analyzing the data, Verizon singled out two-factor authentication as a secure way to authenticate third-party and internal users for larger, multi-store (franchise) companies.
Other recommendations for larger companies include segmenting the POS environment from the corporate network, conducting only POS-related activities on POS systems, and deploying antivirus software on POS systems.
Crimeware
Crimeware is defined by Verizon as any malware that didn’t fit any other profile in the report, with the primary goal of gaining control of systems as a platform for illicit uses such as stealing credentials, DDoS attacks, spamming and more.
Two-Factor To Protect Against Crimeware
Verizon reports their results link crimeware to stolen credentials more often than any other type of data. That makes it more important than ever to employ two-factor authentication to prevent attackers from successfully using stolen credentials to commit fraud.
Other recommendations to protect against the threat of crimeware include keeping browsers up-to-date, disabling Java in browsers, configuration change monitoring and leveraging threat feeds (activity logs).
Cyber-Espionage
For cyber-espionage, these incidents include any unauthorized network or system access by state-affiliated hackers, affecting industries like transportation and manufacturing. Verizon found that phishing accounts for 67 percent of the top threat action varieties in cyber-espionage attacks, and the use of stolen credentials ranks at 30 percent.
Two-Factor to Protect Against Cyber-Espionage
In order to stop the spread of espionage-related breaches, that is, lateral movement inside the network once breached, Verizon recommends employing two-factor authentication to help contain the unchallenged reuse of user accounts.
Web Application Attacks
Web app attacks include either the exploitation of an app weakness or the use of stolen credentials to impersonate valid users. Most of these attacks target off-the-shelf content management systems (CMS), like Joomla!, WordPress and Drupal, as attackers gain control of their servers to use in DDoS campaigns.
When it comes to financially-motivated crimes, attackers typically target the user interface of the banking web app, rather than the web app itself, according to Verizon. And in the retail industry, attackers focus on payment card information obtained by exploiting the web application.
Two-Factor Authentication to Protect Against Web Application Attacks
Verizon recommends protecting against “single-password fail” by using an alternate authentication mechanism for anything Internet-facing, which could include using two-factor authentication to create a layered defense solution.
As can be seen across the many different types of attacks listed here, stolen or exploited credentials are often indicators of attack success, allowing attackers to gain access to networks or enabling them to move laterally throughout systems to steal sensitive data.
In every scenario, two-factor authentication can help prevent the success of these attacks. But not every two-factor solution is created equal. Download and review our Two-Factor Evaluation Guide to find out which solution works for your organization.