Verizon Data Breach Investigations Report (DBIR) Sees Vulnerability Exploitations Soar

Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• Verizon’s Data Breach Investigations Report (DBIR) found that exploitation of vulnerabilities nearly tripled last year, up 180% from 2022.

• The DBIR underscores the need for end-user education, with non-malicious human interactions associated with 68% of breaches.

Verizon’s 2024 DBIR paints a complex and challenging picture of the global threat landscape. Studying 30,458 security incidents and 10,626 confirmed breaches, the report saw a huge jump in vulnerability exploitation versus the prior year. Fourteen percent of all breaches involved the exploitation of vulnerabilities, which Verizon attributes to the targeting of unpatched systems and zero-day vulnerabilities. Verizon noted that threat actors used the MOVEit vulnerability and other zero-day exploits to launch their ransom demands.

Credential theft is a significant factor in breaches, figuring in 38% of all incidents. Phishing is another route into the enterprise, associated with 15% of all breaches. The most frequently used entry point for phishing is web applications, followed by email.

The report, which analyzes incidents contributed by third parties including the US Secret Service and dozens of other organizations and companies; publicly known data breaches; and security events mitigated by Verizon’s own Threat Research Advisory Center (VTRAC), emphasized the critical role the human element plays in introducing risk. Nearly 70% of all breaches involve a staff member, contractor, or partner who, with no ill intent, contributed to an incident. The DBIR also noted that just under one-third of all security incidents incorporate an extortion technique. Twenty-four percent of all profit-driven breaches over the last two years applied pretexting: the use of fictional narratives to win the target’s trust and get them to hand over sensitive information, transfer money, or in some other way harm themselves or their organization.

Preying on a target’s trust is not a new technique. Over the last ten years, credential theft has been associated with 31% of all incidents, and techniques like pretexting are a prime way to capture these keys that unlock other data. The issue is that the frequency and severity of incidents involving the human element are escalating.

While most enterprises of any significant size conduct end-user awareness training, this exercise tends to be an annual activity rather than an ongoing program. A more effective path forward would be to create engaging and accurate cybersecurity educational content, delivered throughout the year rather than as a one-off, check-the-box, training-to-the-test exercise.
