Web applications are targeted with availability attacks as well as leveraged for access to cloud-based organizational email accounts.
1,094 Incidents, 155 with confirmed data disclosure
Top 3 Patterns
Miscellaneous Errors, Web Applications, and Cyber-Espionage represent 83% of breaches within Information
External (56%), Internal (44%), Partner (2%) (breaches)
Financial (67%), Espionage (29%) (breaches)
Personal (47%), Credentials (34%), Secrets (22%) (breaches)
The Information Society
The Information industry is a veritable pantechnicon (look it up) that is chock-full of organizations that have to do with the creation, transmission and storing of information. One might think that with so wide an array of victims, the attacks would be all over the place, but, in fact, it is our duty to inform you that much of what we saw in this category for the 2019 report mirrors last year’s results. As was the case in 2018, most of the incidents in this industry consist of DoS attacks (63%). In fact, it is perhaps fitting that this industry covers both TV and motion pictures, since it is in many ways a rerun of last year’s programming when viewed from an incident point of view.
With regard to confirmed data disclosure, two of the top three patterns remain the same as last year (albeit in a different order) and we have one newcomer. In order of frequency, the patterns are Miscellaneous Errors (42%), Web App attacks (29%) and Cyber-Espionage (13%). Let’s take a quick look at the most common errors below.
No one is perfect, but when you are a system administrator you are often provided with a better stage on which to showcase that imperfection. Figure 52 illustrates how errors are put in the spotlight. Our data indicates that misconfiguration (45%) and publishing errors (24%) are common miscues that allowed data disclosure to occur. When looking at the relationship between actions and assets in Table 6, 36 percent (24 of 67) of error-related breaches involved misconfigurations on databases, often cloud storage – not good. Obviously, those buckets of data are meant to store lots of information and if your bucket has a (figurative) hole in it, then it may run completely dry before you make it back home from the well and notice. Often these servers are brought online in haste and configured to be open to the public, while storing non-public data. Publishing errors on web applications offer a similar exposure of data to a much wider than intended audience. Just for cmd shift and giggles, we will mention that programming errors were committed on web servers and a couple of databases.
It’s not only Charlotte’s Web (apps) you can read about
Even if your IT department doesn’t make big mistakes like the poor unfortunate souls above, there is no need to worry. You still have more excellent chances to get your data stolen. Criminals do love a tempting freshly baked (or half-baked) web application to attack. The illicit use (and reuse) of stolen creds is a common hacking action against web applications regardless of industry. The malware action variety of capture app data is more commonly associated with e-retailers, where the application data being captured is the payment information the user inputs. While not as common, any internet portals or membership sites that sell content as opposed to a physical product would fall into the Information sector. And payment cards used to purchase content are just as good to steal as ones used to buy shoes online.
I spy with my little eye, something phished
The third pattern in Information breaches we highlight is Cyber-Espionage. An eye-opening 36 percent of external attackers were of the state-affiliated variety, statistically even with organized crime. As we have pointed out many times in the past, most Cyber-Espionage attacks begin with a successful phishing campaign, and that goes some way to explain why 84 percent of social attacks in this industry featured phishing emails.
Sir Francis Bacon once famously stated "knowledge is power." Perhaps a better definition for 2019 would be "to gain and to control information is power." Therefore, we should probably not be shocked that the organizations that own and distribute that information are the target of such attacks.
Things to consider
Whether intentional web attacks or erroneous actions, both databases and web application servers are oft-compromised assets, especially for this industry. Many will complain about "checklist security" but a standard protocol regarding bringing up cloud servers and publishing sensitive data on websites – if implemented and followed – would go a long way to mitigate human error/carelessness.
While breaches were at the forefront of this section, DDoS protection is an essential control for Information entities given the percentage of Denial of Service incidents. Guard against non-malicious interruptions with continuous monitoring and capacity planning for traffic spikes.
It bears repeating
Knowledge is power, and the increase in state-affiliated attacks is a data point we will keep an eye on. It could very well be a spike and not indicative of a trend, but Information organizations have desirable data and these motivations would not be likely to disappear in a year. Understand that these attacks are often “phishy” in nature and start with a compromised workstation and escalate from there.