Verizon’s 2016 Data Breach Investigations Report finds cybercriminals are exploiting human nature

Cybercriminals are continuing to exploit human nature as they rely on familiar attack patterns such as phishing, and increase their reliance on ransomware, where data is encrypted and a ransom is demanded, finds the Verizon 2016 Data Breach Investigations Report.

This year’s report highlights repeating themes from prior years’ findings and storylines that continue to play on human nature, including:

  • Eighty-nine (89) percent of all attacks involve financial or espionage motivations.
  • Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85 percent of successful exploits.
  • Sixty-three (63) percent of confirmed data breaches involve using weak, default or stolen passwords.
  • Ninety-five (95) percent of breaches and 86 percent of security incidents fall into nine patterns.
  • Ransomware attacks increased by 16 percent over 2015 findings.
  • Basic defenses continue to be sorely lacking in many organizations.


InfoSec Awareness: CSRF

CSRF stands for Cross-Site Request Forgery; it is also known as a one-click attack or session riding. In a CSRF attack, the victim’s browser is made to “do” things on a website without the user knowing. It is the proverbial Trojan horse: the site inherently trusts that requests coming from the user’s browser are the user’s own actions, so a forged request riding on the coattails of that trust is granted the same privileges the user has. An attacker may also forge a request that logs the victim in to a target website using the attacker’s credentials; this is known as login CSRF.

A simple (hypothetical) example would be an authenticated WordPress user with admin privileges who is tricked into clicking a link while logged in, after which admin privileges are transferred to the attacker. We have seen this kind of attack on Facebook and Twitter before, where messages are spread across Facebook walls or via Twitter DMs.

Prevention

Individual Web users using unmodified versions of the most popular browsers can do relatively little to prevent cross-site request forgery.

Logging out of sites and avoiding their “remember me” features can mitigate CSRF risk; not displaying external images or not clicking links in spam or untrusted e-mails may also help.

Challenge-response is another defense option for CSRF. Examples of challenge-response options include CAPTCHA, re-authentication (password), and a one-time token.
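The one-time token defense, as an added example that is not part of the original page: a server-side handler without the check sits beside the same handler with a per-session token that is bound to the session, compared in constant time, and rotated after use so it cannot be replayed. The handler names, the in-memory session store, and the form field names are assumptions made for this illustration.

```python
import hmac
import secrets
from http import HTTPStatus

# Constructed in-memory session store: session id -> session data.
# (Assumption: a real application would use its framework's session backend.)
SESSIONS = {}


def new_session(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "email": None}
    return sid


def render_form(sid):
    """Embed the session's token in the form as a hidden field (synchronizer token pattern)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/settings/email">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def vulnerable_update_email(sid, form):
    """Accepts any POST that carries a valid session cookie. A form auto-submitted
    by an unrelated site the victim visits is processed as if the user sent it,
    because the browser attaches the cookie regardless of which page made the request."""
    session = SESSIONS.get(sid)
    if session is None:
        return HTTPStatus.UNAUTHORIZED
    session["email"] = form["email"]
    return HTTPStatus.OK


def protected_update_email(sid, form):
    """Same handler with the token check. Another origin cannot read the token out of
    the page (same-origin policy), so a cross-site request lacks it and is rejected.
    The token is rotated after a successful check, making each token single-use."""
    session = SESSIONS.get(sid)
    if session is None:
        return HTTPStatus.UNAUTHORIZED
    submitted = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through response timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return HTTPStatus.FORBIDDEN
    session["email"] = form["email"]
    session["csrf_token"] = secrets.token_urlsafe(32)  # one-time token: rotate after use
    return HTTPStatus.OK


def demo():
    """Run both handlers against a legitimate and a cross-site submission."""
    sid = new_session("alice")
    # Legitimate submission: the token is read from the form the server rendered.
    token = SESSIONS[sid]["csrf_token"]
    legit = {"csrf_token": token, "email": "alice@example.com"}
    # Constructed cross-site submission: carries the victim's session (the browser adds the
    # cookie) but has no way to include the token.
    cross_site = {"email": "changed@example.com"}
    results = {"sid": sid}
    results["vulnerable_cross_site"] = vulnerable_update_email(sid, cross_site)
    results["protected_cross_site"] = protected_update_email(sid, cross_site)
    results["protected_legit"] = protected_update_email(sid, legit)
    results["replay_after_rotation"] = protected_update_email(sid, legit)
    results["final_email"] = SESSIONS[sid]["email"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token must be generated with a cryptographic source (`secrets`), stored server-side per session rather than derived from anything the client controls, and checked on every state-changing request; checking it only on the login form or on GET requests leaves the other handlers open.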

No Organization is Immune!

No Organization is Immune: Fraud Can Have a Lasting Effect on Any Company. Despite the growth of fraud across organizations of all industries and sizes, many may still not see themselves as a potential target. Though fraud may be dismissed as something that affects a certain type of company, the reality is that there is no “typical” fraud victim. In recognition of Fraud Prevention Month, Shred-it, a world-leading information security company, wants to help organizations of all types recognize their susceptibility to fraud and identify safeguarding methods.