Authentication-based attacks continue to plague organizations of all sizes, according to the 2013 Verizon Data Breach Investigations Report.
This is the same story we've been telling for years.
regional security architect, ePlus
This year's report, released Monday evening, detailed 621 data breach events that were collected by Verizon and 17 partners over the course of 2012. Among the confirmed breaches, 52% utilized some form of hacking, with approximately 80% of those being authentication-based attacks.
The 2013 Verizon Data Breach Investigations Report (DBIR) emphasized that attackers don't need sophisticated hacks when much easier avenues are exploitable. Stolen credentials were used in 48% of the hacking-based data breaches recorded by Verizon, with brute-force attacks comprising a further 34%.
"Most attacks are not requiring a great deal of sophistication, and we believe that says less about what the attacker is able to do and more about what they need to do to get into the defender's network," said Kevin Maxwell, senior analyst for Verizon. "That is, if all it takes is something simple and easy to get into a network, then they're probably not going to burn a high-value zero-day vulnerability on getting into that organization if they can just get somebody to run their code in the first place."
Tom Bowers, regional security architect (mid-Atlantic) at ePlus, indicted users as the weak link in authentication.
"This is the same story we've been telling for years," he said. "The user is always going to be the weakness. There's no way around it.
"The biggest challenge I'd face over the years is asking users to create unique passwords," Bowers said. "And then what do they do? Write them down."
As for the ever-heated discussion of user security awareness training, opinions seem to be mixed. Bowers highlighted a successful training program that had been implemented to raise awareness around phishing when he was chief information security officer (CISO) of the Virginia Community College System, with phishing rates dropping noticeably at several of the schools in the system.
For Rich Mogull though, user training is ultimately never as effective as properly implemented security technologies.
Check out more coverage of the 2013 Verizon DBIR from the TechTarget network!
Verizon's annual report warns against one-size-fits-all defenses and highlights the failure of most organizations to discover and contain data breaches in a timely manner. Sister site SearchHealthIT also summarized what health care CIOs need to know about the report, including Verizon's emphasis on knowing your attacker.
"Training can only help to a point, but as the DBIR itself shows, eventually you can always fool a user," Mogull said. "Better monitoring, alerting and incident response will be more effective than trying to train users better or rotate passwords more frequently."
Users weren't the only human-related issues that came into play for authentication attacks though. Several of the experts we spoke with indicated that the inability to maintain a full staff and to find qualified infosec candidates plays a major part in organizations falling down on infosec basics. Bowers, for example, was never staffed at more than 50% during his time as CISO of the Virginia Community College System.
Rick Holland, senior analyst for Cambridge, Mass.-based Forrester Research Inc., commented that too much focus is spent on trying to solve problems with technology and not enough is spent on the people that enable those technologies.
"A lot of the failures are operational failures, not having the staff we need, shortages of staff," he said. "Even managed service providers have trouble getting the staff they need, so what does that say of the 'average Joe' company out there?"
Is multifactor authentication the answer?
The 2013 Verizon DBIR provided advice on mitigations for all types of attacks, and in the case of authentication-based attacks, the report argued that moving beyond single-factor passwords would go a long way towards solving issues with stolen credentials and brute forcing.
Bowers indicated that he uses two-factor authentication to keep his personal passwords secure, but that when it comes to defending against brute-force attacks, password complexity is the only real option.
Mogull agreed that multifactor authentication doesn't represent a panacea for every organization's password woes.
"No single-factor authentication scheme is materially more secure than any other. It is only the combination of factors that really starts to address the weaknesses," he said. "But multifactor authentication isn't always viable, leaving gaps even when it is in heavy use. Adding more complexity or changes is about the last thing that will help."
Ultimately, Mogull thinks organizations will just have to make do with the technology they already have for the foreseeable future.
"Passwords are with us for the rest of our lives," Mogull said. "There simply aren't viable alternatives at scale yet. While this is getting better, there will always be some degree of password use." If he's right, Verizon may well have a growing sample set of breaches for years to come.