Some 95 percent of breaches and 86 percent of security incidents fall into nine patterns, while basic defenses continue to be lacking in many organizations.

Edward Gately, Senior News Editor

April 26, 2016


Cybercriminals are using their same old bag of tricks when it comes to launching attacks, and they continue to succeed despite advances in cyber detection.

That’s according to the Verizon 2016 Data Breach Investigations Report, which analyzes more than 2,260 confirmed data breaches and more than 100,000 reported security incidents, the highest since the report’s inception in 2008. Verizon is among 67 global organizations that contributed data and analysis to this year’s report.

Jonathan Nguyen-Duy, Verizon Enterprise Solutions’ chief technology officer – global security solutions, tells Channel Partners the bad actors are succeeding with the “same old tools, tactics and procedures, and the same type of attack methodologies, and they’re not changing.”

“That suggests that IT and security teams are still overwhelmed, and here’s why,” he said. “Your typical team today has a much larger security mandate. They have more devices that they have to manage as we become more IP-enabled, the IoT, the industrial Internet, when everything that we have from consumers to corporate, from IP systems to OP systems, all become connected. The security teams have to monitor a much more expanded threat surface. That expanded threat surface means more places where an attacker can attack. Security teams are literally trying to plug the holes in the dike as they appear, but we are not making ground.”

Because there’s so much stolen data for sale out there, profits associated with individual credit-card data have gone down, according to the report.

This year’s report points to repeating themes in prior-year findings and storylines that continue to deepen, including: Eighty-nine percent of all attacks involve financial or espionage motivations; most attacks exploit known vulnerabilities that have never been patched despite patches being available for months or even years; and 63 percent of confirmed data breaches involve using weak, default or stolen passwords.

Also, 95 percent of breaches and 86 percent of security incidents fall into nine patterns, and basic defenses continue to be sorely lacking in many organizations. The nine patterns include: Web app attacks (5,334 total incidents); point-of-sale intrusions (534 total incidents); insider and privilege misuse (10,489 total incidents); miscellaneous errors (11,347 total incidents); physical theft and loss (9,701 total incidents); crimeware (7,951 total incidents); payment-card skimmers (102 total incidents); cyberespionage (247 total incidents); and denial-of-service attacks (9,630 total incidents).

“When you take a look at the top two recommendations from the (report), they are multi-factor authentication and rigorous vulnerability management around Web applications,” Nguyen-Duy said. “If organizations were to rigorously approach those two controls, they would effectively mitigate almost 48 percent of the attacks that lead to data breaches.”

Other recommendations include reviewing all logs to help identify malicious activity, encrypting all data, training staff and limiting access to data.

By understanding the playbook that the “bad guys are using, we can take those nine patterns that they’re using and deploy security solutions that mitigate that,” Nguyen-Duy said.

“That’s why when you see a statistic that says 75 percent of all the attacks we see can be addressed through simple to intermediate controls, that’s what we’re talking about,” he said.

One area that has jumped significantly since the prior year is phishing, where end users receive an email from a fraudulent source. Some 30 percent of phishing messages were opened, up from 23 percent in the 2015 report, and 13 percent of those clicked to open the malicious attachment or nefarious link, causing malware to drop and giving cybercriminals a foothold.

In prior years, phishing was a leading attack pattern for only cyberespionage and has now spread to seven of the nine incident patterns in the 2016 report.

“Crime still pays, and when you take a look at the 2016 report, we found that the criminals are always seeking the easiest way to make money at the lowest possible risk,” Nguyen-Duy said. “It is, generally speaking, a relatively high-reward, low-risk approach about making money. At the heart of this, until you disrupt that cycle – meaning you’ve got to raise the barriers for entry, make the attacks harder to launch, make the attacks actually harder to successfully execute and then make it harder to actually exploit the ill-gotten gains, the personally identifiable information if you will – we’re not going to see significant changes in the cyber landscape.”

Of increasing concern is the speed at which cyber crime is committed, according to the report. In 93 percent of cases, it took attackers minutes or less to compromise systems, and data exfiltration occurred within minutes in 28 percent of the cases.

Web application attacks climbed to the No. 1 spot for data breaches, and 95 percent were financially motivated. Ransomware attacks, in which attackers encrypt the contents of a device, rendering it useless, and then demand a ransom to unlock the data, also are on the rise.

The report also highlights the rise of a new three-pronged attack that is being repeated over and over again. It involves: sending a phishing email with a link pointing to a malicious website or, mainly, a malicious attachment; downloading malware onto an individual’s PC to establish the initial foothold, after which additional malware can be used to look for secrets and internal information to steal or to encrypt files for ransom; and then use of credentials for further attacks, for example, to log into third-party websites like banking or retail sites.

“One of the practical realities that we’ve seen is that most of these attackers are pretty normal people,” Nguyen-Duy said. “They are financially driven, some of them are really, really smart, the vast majority are not, and because they’re humans, in the vast majority of the time we can beat them and that’s why when you look at those recommendations, they’re pretty basic, but they’re highly effective.”


