Taking a multi-layered approach to cyber security, including authentication, is likely the single most important thing an organization can do to combat the unauthorized access that results in data breaches, David Ostertag, global investigation manager for Verizon’s investigative response unit, advised last week during a media briefing in downtown Toronto.
Ostertag is often asked about the single most effective way to stop data breaches, he told reporters at the Verizon Enterprise Solutions briefing for the recent release of the Verizon 2017 Data Breach Investigations Report (DBIR). “Probably multi-factor authentication access into the network would be the number one,” he said.
“Too often we have data breaches that involve single usernames and passwords. If everyone were to implement true multi-factor authentication, we would stop probably 50% of the breaches – or more – that we see these days,” Ostertag said.
“Multi-factor authentication at the perimeter is absolutely vital,” he emphasized.
But there are also other very simple measures that would have a big positive impact, he said, citing as examples limiting data on end-user devices and timely patching.
There have been plenty of cyber attacks and data breaches in the news recently, he reported, but “most of those exploits involve vulnerabilities that have patches that have existed for a while.”
If those patches are in place, Ostertag pointed out, the attack will not work. “So patching is still as vital as before,” he emphasized.
And, of course, there are the ongoing vulnerabilities around phishing. Yet again, the DBIR identified phishing as a concern.
“A set rule that we have in business and in government today is that 7% of people who receive a phishing email will always open the attachment or click on the link,” Ostertag said. “So no matter how much training we do, how much protection, it’s a fact that you’re going to get systems affected because 7% of employees will always open them,” he added.
Said Ostertag, “Phishing leading to installation of malware is typically the methodology we are seeing. It’s a common playbook, whether it’s espionage or financial motivation.”
The general approach is that the perpetrator footprints the organization, chooses the desired data, identifies the executive or manager who controls that information, and launches a social engineering attack on staff, taking care to mimic the language of that particular organization.
“So when they create the phishing email, it’s going to bypass all of that training,” Ostertag explained. Opening the attachment or clicking on the link deposits the malware on the end-user’s device, which then connects to the attacker’s command and control point, creating a back door, loading more malware and stealing credentials.
“The initial command and control point will pivot across the network with 20 or more different command and control points. Each one of those will have multiple data aggregation and data exfiltration points, spread across the network, and steal data (24-7) over a period of months,” Ostertag explained.
“It’s low and slow, it doesn’t stand out and it’s difficult to detect because it looks like legitimate business,” he pointed out.
Beyond phishing, it is important to remember that malware delivered through hyperlinks is the second most common method of gaining access and leading to potential data breaches. The hyperlink will “lead you to a site that will exploit a browser vulnerability,” Ostertag pointed out.
“The fact that we know the majority of breaches involve phishing emails and we know that in those phishing emails the bad guys are going to make it appear like they’re an employee, let’s put an identifier on them (email) when it comes from the outside,” he recommended, saying that the measure has proved “very simple and very effective.”
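As an added example of the external-mail identifier Ostertag recommends (this is not code from the article, Verizon or the DBIR), the following Python filter parses an inbound message and prefixes its Subject with a tag when the sender is outside the organization. It decides on the real address in the From header rather than the display name, so a forged display name that looks like an employee is still tagged, and, going slightly beyond the article, it also treats an external Reply-To as external. The internal domain list, the tag text, the extra header name and the sample messages are all assumptions constructed for the example; in production the same rule would normally live in the mail gateway rather than a script.

```python
"""Tag inbound mail that originates outside the organization.

Added example, not from the article or Verizon. INTERNAL_DOMAINS,
EXTERNAL_TAG, the X-External-Sender header and the sample messages
below are assumptions / constructed data.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumed internal domains
EXTERNAL_TAG = "[EXTERNAL]"                              # assumed tag text
MARKER_HEADER = "X-External-Sender"                      # assumed header for client rules


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the addr-spec in a From/Reply-To header.

    parseaddr splits display name from address, so a forged display name such as
    '"Alice Lee <alice@example.com>" <x@attacker.test>' still yields 'attacker.test'.
    A missing or malformed address returns '' and is treated as untrusted.
    """
    _name, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg: EmailMessage) -> bool:
    """External unless From is internal and any Reply-To present is internal too."""
    if sender_domain(msg.get("From", "")) not in INTERNAL_DOMAINS:
        return True
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) not in INTERNAL_DOMAINS:
        return True
    return False


def tag_external(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message; prefix Subject and add a marker header if external.

    Idempotent: a Subject that already starts with the tag is left alone.
    """
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]                 # removes all Subject headers
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    if MARKER_HEADER not in msg:
        msg[MARKER_HEADER] = "yes"
    return msg


# Constructed sample messages (not real traffic).
INTERNAL_MAIL = """From: Alice Lee <alice@example.com>
To: bob@example.com
Subject: Q3 budget
Message-ID: <1@example.com>

Attached as discussed.
"""

# Display name impersonates an employee; the real address is external.
SPOOFED_MAIL = """From: "Alice Lee <alice@example.com>" <alice.lee@mail-example.test>
To: bob@example.com
Subject: Urgent wire transfer
Message-ID: <2@mail-example.test>

Please process today.
"""

# Internal-looking From, but replies are steered to an outside mailbox.
REPLY_TO_MAIL = """From: Alice Lee <alice@example.com>
Reply-To: alice.lee@mail-example.test
To: bob@example.com
Subject: Invoice details
Message-ID: <3@example.com>

See below.
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, SPOOFED_MAIL, REPLY_TO_MAIL):
        tagged = tag_external(raw)
        print(f"{tagged['Subject']!s:<40} {tagged.get(MARKER_HEADER, 'no')}")
```

The decision deliberately ignores the display name, because that is the field a phishing email forges to look like a colleague; the only trustworthy inputs at this layer are the addr-spec domains. The marker header lets mail clients or downstream rules act on the verdict without string-matching the Subject.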
“If the first contact with the company is going to be social engineering attacks on those social networking channels or a phishing email, that’s the point where we need to focus detection: our employees,” Ostertag said.
Noting that “training isn’t enough,” his recommendation is to incentivize reporting, perhaps through internal competitions to see who reports the most suspicious, potentially phishing emails, as one means of getting employees engaged and involved.
This is important given that the 93% of employees who are not clicking on that link or opening that attachment “can give you a warning or detect that something is going on,” he emphasized.