Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of a topic, and the filters can be used to further select the content most relevant to you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Trends in threats against data
Considering data breaches, the industry sectors suffering the most from internal errors are finance and insurance, public administration, healthcare and information. In the financial sector, 44% of the breaches are caused by internal actors, whose actions are, most of the time, due to errors. It is noteworthy that the share of internal actors in this sector has grown constantly since 2018, while that of external actors has decreased at the same rate, to the point where the two are very close. In the public administration sector, social engineering is the primary pattern (70%), with errors the second pattern (15%); misconfiguration and mis-delivery account for most of those errors. In the healthcare sector, errors are the primary cause, with the top three specific errors being mis-delivery, publishing errors and misconfiguration. Finally, in the information sector, basic web application attacks, errors and system intrusion are the main patterns, together accounting for 83% of all breaches. Misconfiguration covers the vast majority of all breaches caused by errors (>70%).
According to Verizon, 85% of data breaches involve a human element. This can be easily explained by considering that both social engineering and miscellaneous errors are among the main patterns.
Surge in healthcare sector data breaches
Healthcare data breaches are increasing rapidly. This can be interpreted in a couple of ways. Due to the COVID-19 pandemic, the healthcare sector was put in the spotlight and threat actors took advantage of this crisis to hit an already suffering sector. In addition, the pandemic accelerated the shift towards online provisioning of healthcare services, remote eHealth and telemedicine, and thus the opportunities for adversaries to exfiltrate medical data increased greatly. Moreover, the motivation for adversaries to access and exploit medical data is much higher than for other types of data. A credit card, for example, can be easily cancelled, so the perceived value of the data related to a card is much lower compared to medical records, which contain information such as a patient’s medical and behavioural health history and demographics, as well as their health insurance and contact information.
Data breaches in the business environment rise
According to SANS Institute, in the last few years, approximately 74,000 employees, contractors, and suppliers were impacted by a data breach due to stolen company laptops. This was exacerbated by the fact that the data were not encrypted.
Motivations and attack vectors remain the same
During the reporting period, trends related to the motivations of adversaries as well as the main attack vectors remained generally the same. Phishing continues to be among the top causes of breaches (36%), as it has been for the past two years. It is followed by the use of stolen credentials (25%) and ransomware (10%). As in past years, financially motivated attacks continue to be the most common.
Identity theft and synthetic identity
Due to the increase in data breaches in previous years, personal and sensitive data has been easily accessible to malicious actors via online forums and the dark web. This has had a cascading effect on identity theft. According to the US Federal Trade Commission (FTC), complaints of identity theft rose in 2020 compared to the year before. About a third of these involved US government benefits. Scams were geared towards the new COVID-19 reality such as using stolen personal data to apply for and receive government benefits, stealing money by offering to deliver goods to people that were confined indoors due to the lockdowns, or by impersonating government agencies.
Actors taking advantage of bad user behaviour in order to commit identity abuse
The Identity Theft Resource Centre reported in early 2021 that the motivation of cybercriminals has shifted: instead of targeting consumers in order to steal large amounts of personal information, they have started taking advantage of bad user behaviour, which is then used against organisations. A typical example involves stolen credentials. Observed tactics showed the unprecedented level of sophistication the adversaries leveraged to abuse their victims’ identities for lateral movement and stealthy operations.
Rising Impact of Supply Chain Attacks
As reported in ENISA’s dedicated threat landscape for supply chains, based on the trends and patterns observed, supply chain attacks increased in number and sophistication in the year 2020 and this trend is continuing in 2021, posing an increasing risk for organisations. It is estimated that there will be four times more supply chain attacks in 2021 than in 2020. With half of the attacks being attributed to Advanced Persistent Threat (APT) actors, their complexity and resources greatly exceed those of the more common non-targeted attacks and, therefore, there is an increasing need for new protective methods that incorporate suppliers in order to guarantee that organisations remain secure.
Recommendations
The following mitigation vectors were mentioned regarding data related attacks and incidents in the reporting period.
- Develop and maintain a cybersecurity awareness plan. Provide training and simulation scenarios for identifying social engineering and phishing campaigns for employees.
- Limit user access privileges under the need-to-know principle. Revoke the access privileges of anyone who is not an employee.
- Establish and maintain an incident response team and evaluate incident response plans frequently.
- Discover and classify sensitive/personal data and apply measures for encrypting such data in transit and at rest. In other words, deploy data loss prevention capabilities.
- Increase investments in detection and alerting tools and in the ability to contain and respond to a data breach.
- Develop and maintain strong policies enforcing strong passwords (password management) and the use of multi-factor authentication (MFA).
- Consider models that take a least-privilege approach to securing both on-premises and off-premises resources (i.e. zero trust).
- Invest in and create policies and plans for engaging with governance, risk management and compliance teams.
- Store data only on secure IT assets.
- Educate and train the personnel periodically.
- Use technology tools to avoid possible data leaks, such as vulnerability scans, malware scans and data loss prevention (DLP) tools. Deploy data, portable system and device encryption, and secure gateways.
- A Business Continuity Plan (BCP) is critical in the event of a data breach. This plan outlines the type of data being stored, its location and what potential liabilities could emerge when implementing data security and recovery actions. A BCP entails an effective incident response, which aims at addressing, managing and rectifying the damage caused by such an incident.
- Apply ‘threat hunting’ within a company to strengthen security plans. Threat hunting is conducted by skilled members of the Security Operations Centre (SOC) team to proactively identify vulnerabilities and prevent breaches.
- Policies such as velocity-based rules can be used to mitigate identity fraud, especially for payment card transactions. The machine data of valid transactions can provide sufficient information for the optimal policy definition.
- Single Sign-On (SSO) authentication, when available, allows a user to access several applications with the same set of digital credentials. It is highly recommended to minimise the number of user accounts and stored credentials by using SSO.
- URLs that are sent via e-mail or visited at random should first be checked based on their IP address, the ASN associated with the IP, the owner of the domain and the relation between this domain and others, before any further step is taken.
- Organisations that are adopting cloud services should have strong cloud security operations and prefer an architecture that combines on-premises storage, private cloud storage and public cloud storage to protect their customers’ personal information.
- Use strong and up-to-date encryption methods such as TLS 1.3 (which uses ephemeral keys) for sensitive data to prevent hacking.
- Adequately protect all identity documents and copies (physical or digital) against unauthorised access.
- Identity information should not be disclosed to unsolicited recipients, and their requests by phone, e-mail or in person should not be answered.
- Install and use content filtering to filter out unwanted attachments, mails with malicious content, spam and unwanted network traffic.
- Use Data Loss Prevention (DLP) solutions.
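The velocity-based rules recommendation above, as an added example that is not part of the original page or of ENISA's material: a sliding-window velocity check for card transactions whose thresholds are derived from a constructed sample of valid transactions, following the page's point that the machine data of valid transactions can inform the policy definition. The `Txn` type, the `tok-A`/`tok-B` card tokens, the 10-minute window and the 1.5 safety margin are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    card: str        # tokenised card reference (constructed), never the PAN itself
    ts: datetime
    amount: float

class VelocityRule:
    """Sliding-window velocity rule: a card is flagged once it exceeds either the
    transaction count or the total amount allowed inside `window` (feed in time order)."""
    def __init__(self, window: timedelta, max_count: int, max_amount: float):
        self.window, self.max_count, self.max_amount = window, max_count, max_amount
        self.recent = defaultdict(deque)   # card -> transactions still inside the window

    def check(self, txn: Txn) -> list[str]:
        recent = self.recent[txn.card]
        recent.append(txn)
        while recent[0].ts < txn.ts - self.window:
            recent.popleft()               # expire transactions that left the window
        reasons = []
        if len(recent) > self.max_count:
            reasons.append(f"count {len(recent)} > {self.max_count}")
        total = sum(t.amount for t in recent)
        if total > self.max_amount:
            reasons.append(f"amount {total:.2f} > {self.max_amount:.2f}")
        return reasons

def calibrate(valid: list[Txn], window: timedelta, margin: float = 1.5) -> tuple[int, float]:
    """Derive limits from known-good traffic: busiest window seen in valid data, times `margin`."""
    probe = VelocityRule(window, 10**9, float("inf"))   # limits off, window logic reused
    peak_count, peak_amount = 0, 0.0
    for t in sorted(valid, key=lambda x: x.ts):
        probe.check(t)
        recent = probe.recent[t.card]
        peak_count = max(peak_count, len(recent))
        peak_amount = max(peak_amount, sum(r.amount for r in recent))
    return int(peak_count * margin), peak_amount * margin

def run_demo() -> dict[str, list[str]]:
    """Constructed sample: calibrate on a small valid history, then score a rapid burst."""
    t0 = datetime(2021, 3, 1, 9, 0)
    valid = [Txn("tok-A", t0 + timedelta(minutes=m), 25.0) for m in (0, 7, 30, 50)]
    max_count, max_amount = calibrate(valid, timedelta(minutes=10))      # -> (3, 75.0)
    rule = VelocityRule(timedelta(minutes=10), max_count, max_amount)
    burst = [Txn("tok-B", t0 + timedelta(seconds=20 * i), 40.0) for i in range(6)]
    return {f"{t.ts:%H:%M:%S}": rule.check(t) for t in burst}
```

In production the flagged reasons would feed a step-up authentication or manual review queue rather than a hard decline, and the calibration would be re-run on a rolling basis as valid traffic patterns change.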