Hackers so far ahead of defenders it's not even a game
Crims using multiple exfiltration points

26 Apr 2016 at 04:01, John Leyden
Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches.
The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still performing poorly in their attempts to defend against hacking or malware-based attacks. This isn't for a lack of trying or skills on their part, but almost completely down to the fact that the game is rigged against them.
Verizon's ninth annual Data Breach Investigations Report (DBIR) provides an analysis of over 100,000 security incidents and 2,260 confirmed data breaches last year, drawing on real-world data breach caseloads handled by either Verizon or around 50 other contributing organisations.
Those involved include the US Secret Service, the European Cyber Crime Center (EC3), UK CERT and the Irish Reporting and Information Security Service (IRISS CERT), amongst others.
Hackers are getting faster whilst defenders are treading water. Over 99 per cent of attacks compromise systems within days (four out of five do it within minutes), and two-thirds of those siphon off data within days (a fifth do it in minutes). Whilst there was an improvement in the number of breaches detected in 'days or less' noted in the last DBIR, that turned out to be a temporary blip. This year, less than a quarter of breaches were detected within the same timeframe – meaning attackers have almost always gotten away with the goods before anyone notices.
Worse yet, it's usually not the victim that notices the breach, but a third party (normally either a security researcher or law enforcement).
Nearly two-thirds of all breaches are still traced back to weak or stolen passwords – a basic security failure.
"People are not sitting in front of consoles, looking for SQL Injections before running a manual attack," Dave Ostertag, global investigation manager at Verizon told El Reg. "They are stealing credentials, planting malware, pivoting and exfiltrating data."