For the last 14 years, Verizon has been releasing its report into the most common forms of cyberattacks. The 2021 edition, which was published recently, showed a significant rise in the number of breaches, which were up a third on the previous year. The researchers argue that the huge numbers working remotely have resulted in a spike in ransomware and phishing attacks, with instances of misrepresentation also significantly up in the past year.
What’s more, it’s increasingly likely that stolen data will include vital credentials, with nearly all organizations suffering some kind of credential stuffing attack in the last year. Indeed, the report reveals that up to 3.3 billion malicious login attempts were made during the year.
The report goes on to highlight the difficulties organizations face as they migrate more of their key business functions to the cloud. Indeed, attacks on cloud-based web applications represent nearly 40% of all breaches in the year. It’s a problem that the researchers believe is only going to get bigger as more of our business-critical functions migrate to the cloud.
A universal challenge
In total, 12 sectors were assessed, and the report reveals that security is a challenge for all of them. There are, however, some important distinctions that managers need to be aware of. For instance, in financial services, the researchers found that 83% of the data compromised in cyberattacks was private information. This proportion fell to just 49% in professional and scientific services. The financial sector was also a frequent target for ransomware attacks.
Interestingly, the public sector was an increasingly attractive target for cybercriminals and was the second most attacked industry. Indeed, the researchers tracked 3,236 incidents across 885 breaches in the public sector.
The majority of these attacks were initiated after a social engineering campaign, but attacks on government agencies utilized email phishing attacks. The rise in remote working led to a rise in phishing and ransomware attacks on public agencies of 11% and 6%, respectively.
Whereas some sectors suffered from internal attacks, most of the attacks on public agencies were from external actors, who were predominantly motivated by financial gain. Many of the attacks aimed to obtain credentials, such as logins and passwords, that would allow the attackers to compromise networks and systems of key resources.
What is perhaps most notable of all, is how differences emerge even within industries, with attackers looking to exploit whatever vulnerability the attack service presents to them.
"A large organization whose business model focuses entirely on mobile devices, where customers use an app on their phone, will have different risks than a small mom and pop shop with no internet presence, but who uses a Point of Sale vendor to manage their systems," they explain. "The infrastructure, and conversely the attack surface, largely drives the risk."
There were also some interesting differences in cyberattacks in different regions of the world. For instance, in the Asia Pacific region, most breaches were financially motivated phishing attacks, with stolen credentials then used to access things like email accounts and web applications.
By contrast, in Europe, attacks tended to focus more heavily on system intrusion and basic web application attacks. Indeed, basic web application attacks were found to make up 54% of all breaches in Europe.
"Sometimes these attacks are aimed at obtaining the data within the application itself, but in other cases, it is simply a means to an end in order to perpetrate other forms of badness," the researchers say.
In North America, attackers would also be financially motivated, but they would generally be looking either directly for money or for data that could be easily monetized. Such attacks would often be driven by hacking and malware, with social engineering as another commonly used approach.
The authors hope that the findings will help organizations and their security teams understand the threat landscape. While it's not always easy to predict what the coming months will bring, they expect the findings to provide a degree of guidance as to the areas currently under siege and those most in need of reinforcements.
"We believe it is fair to say that one of the primary lessons that 2020 had to teach us was that it is often futile to attempt to predict the future," the authors conclude. "However, not trying to predict it is not the same thing as giving up on scenario planning and preparing your organization for probable outcomes to the best of your ability."