This blog was written by Bruce Snell.
Every year Verizon releases their Data Breach Investigations Report (DBIR), sharing a wealth of information about incidents throughout the year. Verizon compiles this report with information from 70 organizations (including McAfee), analyzing almost 80,000 individual incidents and over 2,000 confirmed data breaches across 61 countries. For professionals in the security industry, this information is invaluable because it gives a big-picture view of what people are seeing across the globe. I always look forward to the release of the DBIR. In fact, I loaded it up on my iPad first thing this morning, put my feet up and dug in. Now the question I am sure you are asking is how this report affects people outside the security industry. Or as I put it, “why would my parents care about this?”
Passwords are something most people deal with on a daily basis. And not just once, either. According to our research, the average person has 27 logins and passwords. With this many passwords to remember, even the best of us can find that we end up reusing a password or two for different accounts. The Verizon DBIR found that 63% of data breaches involved a weak password. This means that over half of the breaches that took place didn’t require any advanced hacking or exploits. A stolen password, a weak password or even a default password allowed attackers to get in and steal data. Thinking about how often stolen passwords are posted online or someone connects a webcam with a default password, it shouldn’t be a surprise that this number is so high. If the bad guys are this successful against organizations with information security teams and advanced security tools in place, how easy is it to attack someone at home? So how are they getting these passwords?
What’s the easiest way to get at someone’s sensitive information? Send them an email that looks like an official request from their bank or credit card company, or maybe an email from a friend or family member. Phishing emails use social engineering to trick people into clicking a link that either downloads malware or leads to a fake website built to collect sensitive information. Phishing remains such a persistent pain for one simple reason: it works.
Verizon reported that 30% of phishing emails were opened by the target and 13% of those people went on to click on an attachment or link. They found on average that it took less than 4 minutes for a phishing attempt to get its first click.
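One concrete thing a reader can do with the “fake website” warning above is look at where a link actually goes rather than what it says. The following is an added example, not code from the original post or from Verizon or McAfee: it pulls every link out of a constructed HTML email body and flags two classic signs of a phishing link, visible text that names one domain while the href points at another, and links that go to a bare IP address. The sample message, the domain names in it and the two-label “registrable domain” shortcut are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message body (not a real email). It imitates the
# "official request from your bank" style the post describes.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details at
<a href="http://login.example-bank.com.verify-account.net/">https://www.example-bank.com/login</a>
or download the <a href="http://203.0.113.10/statement.exe">statement</a>.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Assumption: last two labels approximate the owner's domain. A real
    # tool would consult the public suffix list instead of this shortcut.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Matches visible link text that itself looks like a URL or bare domain.
TEXT_DOMAIN_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def suspicious_links(html_body):
    """Return a list of (href, reason) for links a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if IP_RE.match(host):
            findings.append((href, "link points at a bare IP address"))
            continue
        # If the text shown to the reader names a domain, it should agree
        # with the domain the href really goes to.
        match = TEXT_DOMAIN_RE.match(text)
        if match and registrable_domain(match.group(1)) != registrable_domain(host):
            findings.append(
                (href, f"visible text claims {match.group(1)} but link goes to {host}")
            )
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {href}\n  {reason}")
```

Running it on the constructed message flags the first two links and leaves the genuine help-center link alone. The same check is what you do by hand when you hover over a link before clicking: the displayed text is the claim, the href is the truth.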
So how are the bad guys coming up with all this cutting-edge malware to use in their phishing campaigns? While new exploits make the news, it’s older exploits that get the job done.
A lot of attention is focused on the latest vulnerabilities and it’s certainly important that people are protected against them. However, Verizon found that 85% of the successful exploits were targeting the top 10 vulnerabilities. This means that most of the attacks that successfully landed were using vulnerabilities that everyone knew about and most likely already had patches available. Don’t get me wrong, that other 15% is still important and needs to be covered. In fact, that 15% makes up over 900 known vulnerabilities. However, a lot of headache could have been avoided by proper patching and updating procedures.
So How Can I Use This Information?
The great thing about this report is that you don’t need a huge budget and a room full of information security professionals to take advantage of these findings. There are a number of basic steps you can take at home to keep the bad guys at bay.
- Step up your password game: Use a complex and unique password for every one of your online accounts. Keeping track of all these logins can seem daunting at first, but take advantage of one of the many password management tools that are available online. Look for a tool that includes a password generator as well as the ability to easily sync your passwords across all your devices.
- Be suspicious: Phishing continues to reel in victims and there are no signs that it will slow down anytime soon. With such a high success rate, it’s important that you keep an eye out for suspicious emails with links or attachments. If a family member sends you a link to download a new app, take a moment to contact them directly to see if that was actually them or someone pretending to be them.
- Update and protect: Keeping your system up to date will help you stay safe from older viruses, but you should also install anti-virus on your system to protect against new threats or older threats that haven’t yet been fixed by OS or application updates. Our McAfee Labs team currently sees an average of 5 new threats every second and there is no indication that the bad guys are slowing down. Installing anti-virus is a simple step you can take to help keep your system from becoming a tool for cybercriminals.
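The first step above, unique and complex passwords for every account, is easy to state and hard to audit by hand once you are at 27 logins. As an added example (not code from the original post or from any McAfee product), the script below does the two jobs a password manager would do for you: it generates a random password from the system's secure random source, and it audits a small constructed vault for the three problems the DBIR statistic lumps together, reused passwords, short ones and well-known default ones. The vault contents and the short list of default passwords are made up for the example.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password containing a lowercase letter, an uppercase
    letter, a digit and a symbol. Uses secrets, not random, so the output is
    unpredictable."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


# Constructed list of default/common passwords for illustration only; a real
# checker would use a much larger breached-password list.
COMMON = {"password", "123456", "admin", "qwerty", "letmein"}


def is_weak(pw, min_len=12):
    """A password is weak if it is short or appears on the common list."""
    return len(pw) < min_len or pw.lower() in COMMON


def find_reused(accounts):
    """Map each password shared by more than one account to those accounts."""
    by_pw = {}
    for site, pw in accounts.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def audit(accounts):
    """Return the sorted list of accounts whose password should be replaced."""
    flagged = set()
    for sites in find_reused(accounts).values():
        flagged.update(sites)
    for site, pw in accounts.items():
        if is_weak(pw):
            flagged.add(site)
    return sorted(flagged)


# Constructed example vault; none of these are real credentials.
EXAMPLE_VAULT = {
    "bank.example": "Summer2016!",   # reused and too short
    "mail.example": "Summer2016!",   # reused and too short
    "shop.example": "admin",         # default password
    "forum.example": generate_password(),  # fine
}


if __name__ == "__main__":
    for site in audit(EXAMPLE_VAULT):
        print(f"replace password for {site} -> {generate_password()}")
```

The audit flags the bank, mail and shop accounts and leaves the forum account alone. Note that `find_reused` compares passwords directly, which is fine for a one-off check on your own machine; anything that stores passwords for you should be a proper password manager that keeps them encrypted.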
The sheer number of threats can seem overwhelming even for a seasoned pro, but with a little bit of diligence you can keep yourself from becoming another statistic.