The annual Verizon Data Breach Investigations Report (DBIR), released April 26, provides visibility into the state of security and why breaches occur. The 2016 report is based on Verizon's analysis of more than 100,000 security incidents, of which 2,260 were confirmed as data breaches. In contrast, the 2015 report received data from 79,790 security events, with 2,122 confirmed data breaches.
As was the case in the 2015 report, Verizon once again has found that little has changed in the breach landscape, with attackers using the same tactics and organizations failing in the same basic areas of security.
Known vulnerabilities continue to be a root cause for many breaches, explained Suzanne Widup, senior consultant, Network and Information Security, Verizon RISK Team and a co-author of the DBIR. According to the DBIR, 85 percent of all successful exploits in the last year can be attributed to 10 already-patched vulnerabilities. In some cases, the patches have been available for years and there are vulnerabilities from 1999 that can still show up as root causes of breaches.
"Attackers are still exploiting old vulnerabilities really well, and they don't have to use zero-days," Widup told eWEEK. "There are a lot of things that really should have been patched a long time ago."
The older vulnerabilities are typically "weaponized" in an exploit toolkit, which makes it easier for attackers to execute. Widup emphasized that there are no good reasons why organizations should not patch their systems.
"Organizations that don't patch will continue to be vulnerable from tried-and-true exploit kit tools," she said. "So, certainly, you want to make it harder for the bad guys than simply running an exploit kit to breach your organization."
Unpatched systems aren't the only common flaw. The DBIR also reported that 63 percent of data breaches made use of either weak, default or stolen passwords. The DBIR also notes that phishing remains a problem.
"We're seeing quite a bit more phishing and impersonation fraud where attackers are going after businesses and attempting tax fraud," Widup said. "If you get an email from your CEO, you're going to give them what they want, you're not going to go and ask for a confirmation."
According to the DBIR, 30 percent of phishing messages were opened by organizations, compared with 23 percent in the 2015 report.
Companies need to train their staff to be able to verify the integrity of emails and information, Widup said.
The fact that so little changes from year to year in the ways organizations behave to reduce breach risk is disconcerting, as is the fact that most organizations still do not detect breaches on their own, Widup said. "We'd really like to see this getting better. If you have to wait for a third party to tell you that you have been breached, you've got a problem with your security."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.