Current Trends in Data Breaches Video (Episode #002). We discuss the current trends in data breaches from insecure web application design, cloud misconfigurations and phishing email attacks, as reported in Verizon’s 2020 Data Breach Investigations Report (DBIR). Kyle also gives recommendations on how to develop a strategy to mitigate those risks.
The Verizon Data Breach Investigations Report (DBIR)
The Verizon Data Breach Investigations Report, the DBIR, was released in May. This marks the report’s 13th year of publication. Its scope continues to grow: the 2020 report analyzes 30,202 security incidents with 3,950 confirmed breaches as reported by the 81 countries who contributed to the study. The DBIR has risen in prominence to become a leading barometer for data security professionals in their fight against cyber-crime. Today I’m talking with Kyle about three threat areas on the rise: vulnerabilities in web applications, system misconfigurations, and social engineering with a focus on phishing. Please join us.
Key Takeaways from 2019 and 2020 DBIR
22% of all breaches involved social engineering, and phishing makes up the majority of the social engineering attacks. 60% of all successful phishing resulted in stolen credentials. C-level executives are 12 times more likely to be the target in identified incidents and 9 times more likely in breaches.
FBI’s Business Email Compromise Study
The FBI’s 2019 business email compromise (BEC) study determined that financial loss from BEC was 1.7 billion dollars in 2019.
Data Breaches From Errors
Misconfiguration and misdelivery of information to authorized third parties is the only threat action type consistently increasing every year over the last seven years. Misconfiguration accounted for 18% of all errors in 2019 and close to 40% in 2020.
Increasing Complexity Drives Up Breaches from Errors
IT environments are becoming more and more complex. There are cloud container technologies, there are more and more cloud features, and there are DevOps environments trying to push things out as fast as companies can.
Cloud solutions aren’t secure when they’re misconfigured!
Migration to the cloud is a paradigm shift. Business organizations believe they’re more secure but it’s pretty common that we see instances where clients aren’t connecting to it securely.
Complexity of modern authentication
Application implementation is increasingly complex: modern authentication (for example, OAuth technology), single sign-on, API management, and DevOps as well. It’s very difficult to put security into DevOps. There is also a growing, heavy reliance on third-party software. Companies are using more third-party software, and it is difficult to learn and implement secure configuration for the complex software being used. For those reasons there are more and more vulnerabilities and more and more misconfigurations in their software as well. I predict we will see a higher number in this misconfiguration category next year.
Data Breaches from Hacking
Hacking accounts for 45% of all the data breaches. 85% of hacking-related breaches use “brute force”. Stolen credentials can very easily be found for sale on the Internet and the dark web. There have been many previous major data breaches at large companies, and there are hundreds of millions of records out there.
43% of all breaches involve web applications, and of all the hacking-related breaches, 90% involved web applications. Why do hackers choose web applications? We mentioned a little earlier that web applications and web APIs have a lot of vulnerabilities. The number of web applications and web APIs [on the internet] has grown exponentially in recent years. They too have become more and more complex.
New Technology and Open Source Libraries
We already mentioned the newer technologies such as cloud containers and modern authentication involving DevOps, as well as the use of open source libraries. Open source library security is not easy to manage because developers use so many open source components, and a lot of new vulnerabilities are being found in the open source communities. With all that, it’s very difficult to find all the vulnerabilities in open source programs.
Challenges of Patch Management
Patch management for new software vulnerabilities is difficult, especially for software development companies: every time they apply a patch or fix a vulnerability, they have to look back to ensure the patch or the vulnerability fix is not breaking other parts of the software. So, there are a lot of challenges that software development companies need to figure out.
Data Breaches from Malware
17% of breaches involve malware: 46% of small companies report a breach from malware while only 20% of large companies did. I believe this is because larger companies have spent more money on anti-malware technology.
Data Breaches from Ransomware
Ransomware is about 27% of all the malware attacks. It has increased from 2019, and it is a big threat that’s not going away. It seems like companies are still experiencing ransomware attacks. We hear reports that some of the big cities in the U.S. also experienced it. So I predict ransomware attacks are probably going to increase next year too. And last week we witnessed a ransomware attack, Snake, that shut down operations of one of the largest Japanese automakers for two days.
Our Recommendations to Secure Web Applications and APIs
- Web application developers need to build more security into their web applications and APIs (although it’s not easy to do).
- Implement better secure coding practices and make them available for developers to use, to help them write more secure code.
- They also need to implement a secure code review process, whether it’s automated or manual code review. Automated obviously is easier to implement.
- We also highly recommend performing vulnerability assessments on web applications and web APIs, because it’s better for you to find vulnerabilities internally than for a hacker to find them out in public.
Our Phishing Recommendations
- Provide training for employees to identify phishing emails.
- Instruct them about what to do when they click on a phishing email by mistake.
- Implement anti-phishing technology and integrate that with the email system.