Verizon: Old Flaws, Weak Passwords Lead to Breaches | eWeek

Verizon: Old Flaws, Weak Passwords Lead to Breaches

state of security
Apr 26, 2016
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The annual Verizon Data Breach Investigations Report (DBIR), released April 26, provides visibility into the state of security and why breaches occur. The 2016 report is based on Verizon’s analysis of more than 100,000 security incidents, of which 2,260 were confirmed as data breaches. In contrast, the 2015 report received data from 79,790 security events, with 2,122 confirmed data breaches.

As was the case in the 2015 report, Verizon once again has found that little has changed in the breach landscape, with attackers using the same tactics and organizations failing in the same basic areas of security.

Known vulnerabilities continue to be a root cause for many breaches, explained Suzanne Widup, senior consultant, Network and Information Security, Verizon RISK Team and a co-author of the DBIR. According to the DBIR, 85 percent of all successful exploits in the last year can be attributed to 10 already-patched vulnerabilities. In some cases, the patches have been available for years and there are vulnerabilities from 1999 that can still show up as root causes of breaches.

“Attackers are still exploiting old vulnerabilities really well, and they don’t have to use zero-days,” Widup told eWEEK. “There are a lot of things that really should have been patched a long time ago.”

The older vulnerabilities are typically “weaponized” in an exploit toolkit, which makes it easier for attackers to execute. Widup emphasized that there are no good reasons why organizations should not patch their systems.

“Organizations that don’t patch will continue to be vulnerable from tried-and-true exploit kit tools,” she said. “So, certainly, you want to make it harder for the bad guys than simply running an exploit kit to breach your organization.”

Unpatched systems aren’t the only common flaw. The DBIR also reported that 63 percent of data breaches made use of either weak, default or stolen passwords. The DBIR also notes that phishing remains a problem.

“We’re seeing quite a bit more phishing and impersonation fraud where attackers are going after businesses and attempting tax fraud,” Widup said. “If you get an email from your CEO, you’re going to give them what they want, you’re not going to go and ask for a confirmation.”

According to the DBIR, 30 percent of phishing messages were opened by organizations, compared with 23 percent in the 2015 report.

Companies need to train their staff to be able to verify the integrity of emails and information, Widup said.

The fact that so little changes from year to year in the ways organizations behave to reduce breach risk is disconcerting, as is the fact that most organizations still do not detect breaches on their own, Widup said. “We’d really like to see this getting better. If you have to wait for a third party to tell you that you have been breached, you’ve got a problem with your security.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.