Last month, Verizon released its 20th Data Breach Investigative Report (DBIR). This report has long been a valuable product-agnostic resource which looks across multiple verticals for common elements that cause cybersecurity incidents. Over 30,000 real-world security incidents from over 90 countries were evaluated in this report to try to determine the “how” of data breaches. Once we determine the “how,” we can then start to identify the proper solutions and close the gaps in our customer environments. Our cybersecurity expert, James Morrison, is a long-time fan of the annual Verizon DBIR, and has identified his key takeaways from this year’s report.
1.) There has been a rise in vulnerability exploitation as the primary path for intrusion.
The most telling new piece of information in this year’s DBIR is the rise in the exploitation of vulnerabilities as the primary path into an environment. The number of attacks using this avenue almost tripled, putting it on par with phishing as a risk to an enterprise environment. This poses an interesting problem going forward: phishing training has become the standard defense against phishing attacks and has shown some success in reducing that threat when used appropriately, but no comparable program exists to limit the rapid growth in vulnerability exploitation.
“Our ways-in analysis witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years. It almost tripled (180% increase) from last year…” (p. 7)
Review the full report in Intelisys University or go directly to verizon.com/dbir.
2.) A major source of these attacks was the MOVEit and similar zero-day vulnerabilities.
Digging deeper into the vulnerabilities exploited, the major source of these attacks was the MOVEit and similar zero-day vulnerabilities. Attackers are becoming quicker at identifying these vulnerabilities, especially in Software as a Service (SaaS) products that have thousands of users worldwide. We saw a similar spike when SolarWinds was exploited a few years back. This raises questions about supply chain management and risk mitigation. A question we often ask a customer is “Who connects into your environment, and how much access does that connection grant?” SaaS products are one of these connections and must be scrutinized to determine whether the risk of allowing the product is acceptable.
3.) The rise in these types of attacks forced Verizon to add a new concept into this year’s DBIR: Third-Party Breaches.
The concept of third-party breaches is not new. In 2013, the Target attack originated through a third party that had been exploited, and that exploit was turned into a massive data breach. Since 2013, these third-party breaches have continued in limited numbers, but 2023 seems to show that these numbers are increasing at a rapid rate. 15% of breaches in 2023 involved a third party, including the software vulnerabilities previously mentioned.
15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructures or data custodians
4.) How do we handle third-party threats?
Third-party threats must be handled in a multi-pronged fashion. First, we must identify all those third parties and determine what level of risk we are willing to accept. Second, we must contractually start holding third parties accountable when their software or access creates undue risk in our corporate environments. Finally, we must reinforce these contractual requirements as third parties renew contracts or access requirements. This also means that we need to start requiring SaaS companies to perform their own penetration testing and security assessments, then share that testing with their customer base. It is becoming dangerous to allow a SaaS product into an enterprise environment without understanding the risk that product brings. When talking to a customer who has SaaS products connected into their environment, it is important to ask whether that product has been tested and whether the risks of that product have been properly identified.
The concept of evaluating third-party risk is not new. In fact, this is the genesis of the Department of Defense’s (DoD) Cyber Maturation Model Certification (CMMC). Under CMMC, every company that wants to bid on DoD contracts must undergo some level of CMMC evaluation to fall within one of three levels. This includes subcontractors that feed into the supplier ecosystem and connect into the major DoD suppliers. As CMMC becomes more active, many security researchers believe the CMMC model will expand into other government agencies. In fact, many large enterprises are already starting to consider ways to evaluate their third-party risk and are instituting policies to ensure that these third parties do not inadvertently cause a data breach in their environments.
The Verizon DBIR offers a detailed analysis of the current cybersecurity landscape, and this year’s edition emphasizes the significant role vulnerability exploitation, zero-day vulnerabilities, and third-party breaches play in today’s threat landscape. Organizations face persistent challenges in securing their systems against increasingly sophisticated attacks, and we want to ensure that YOU are top-of-mind when your customers are thinking about their cybersecurity needs. We hope these insights from the DBIR serve as a crucial resource in helping you guide your customers towards enhancing their cybersecurity strategies. Addressing the rise in vulnerability exploitation, and the new avenues used in these attacks, is sure to catch their attention in today’s cybersecurity environment.
Intelisys University: Marketing & Learning Resources
Don’t forget to access these helpful resources in Intelisys University to continue learning and increase your cybersecurity knowledge! Make sure your clients understand the importance of cybersecurity threats, through the DBIR, and how they can safely shield their company with your managed security solutions. Start that discussion and uncover needs with the following materials.
DBIR Kit:
- Brandable PDF
- Relevant stats and takeaways from the DBIR and how you can reframe them into questions to identify the proper solutions for your customers
- How to Discuss the Verizon DBIR with Your Customers Video
- How to Discuss the Verizon DBIR with Your Customers (Medical) Video