- Verizon held a panel to discuss the findings of its 2024 Data Breach Investigations report
- Enterprises need around 55 days to patch half of their “critical vulnerabilities,” which hackers can exploit much quicker
- Extortion attacks are on the rise, while ransomware has slightly declined (but is still a threat)

WASHINGTON, DC – It’s no secret data breaches are on the rise, particularly in the telecom space (as we’ve covered recently with AT&T and Comcast). Verizon just published a report outlining the trends it’s noticed in cyber attacks in the last year and the kinds of threats companies should be worried about.
Verizon’s 2024 Data Breach Investigations report studied more than 30,000 incidents (including 10,000 data breaches) in 94 different countries.
At a panel on Wednesday discussing the report’s findings, Verizon Business CEO Kyle Malady pointed out that while there are many companies that have a “really good security posture,” others “don’t think about it at all.”
“And then there’s the middle who thinks about it, but they’re nervous. Because this is a highly complicated, highly complex thing,” he said. “But it’s a big risk to everybody’s business, whether you’re a huge Fortune 500 company or a small-medium business.”
Cybercrime 101
Chris Novak, Verizon’s senior director of cybersecurity consulting, highlighted zero-day vulnerabilities as one of the “top-of-mind” issues. Basically, a zero-day vulnerability is a flaw that exists in an operating system, app or device from the moment it’s released, but that the vendor doesn’t know about.
The report found organizations need around 55 days to patch 50% of their “critical vulnerabilities.”
“Compare that against what we see, the threat actor’s kind of moving forward against those vulnerabilities with exploit code typically in about five days,” Novak said. “So the time gap there is significant.”
In a separate conversation with Fierce Network, Novak explained that companies often don’t have a patch to fix a product’s zero-day vulnerabilities right away. So it could take hours, days, weeks, “sometimes even months,” to come up with a fix.
For cyber attackers, zero-day vulnerabilities are a potential “open door” into any organization using that product or software.
Public sector the biggest target
Of course, “nobody’s immune” to data breaches, but Novak noted the government sector is “a big target and a big landscape in general.” A recent report from Lumen also found government entities are often facing the most prolonged DDoS attacks.
Novak explained the public sector “has so many agencies and so many buildings, so many assets…the more you grow, the more you have other potential attack surface area components that you need to guard and defend.”
Other sectors that are particularly vulnerable to attacks include finance, education, healthcare and manufacturing.
Another data point Novak brought up is the rise of extortion attacks, which typically involve a threat coupled with a demand for money or some other response in return for stopping or remediating the attack.
Pure extortion attacks are now a component of 9% of all breaches, the report stated. Traditional ransomware actors are shifting to these newer techniques, so ransomware attacks slightly declined to make up 23% of all data breaches.
Novak said perhaps threat actors have seen “defenses on the cyber side have improved as it relates to ransomware. So the ransomware attacks have not been as successful.”
But that’s not to say companies shouldn’t be as worried about ransomware, which Verizon’s report flagged as “a top threat across 92% of industries.”
How can enterprises better address network vulnerabilities? Nasrin Rezai, Verizon SVP and chief information security officer, said on the panel they need to go beyond standard patch management.
“Patching more and doing it regularly is foundational. It’s like basic,” she said, noting it’s also about “having a broader view of, what are my critical assets? Do I have visibility to them? [If a company] has an extension of many other third parties in [its] ecosystem, do I know what they bring to the table?”
According to Verizon’s report, 15% of data breaches last year involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues.
Rezai emphasized the importance of “continuously validating” cybersecurity analytics as well as “making it easier” for developers to detect threats.
“What can we do as cyber defenders? Make it more automated, give them more analytics, give them more risk-based methods by which they can prioritize,” she said.
Can genAI help hackers?
Jeanne Meserve, security analyst for Canada’s CTV News and moderator of the panel, commented that generative AI has been “viewed with great fear in the cybersecurity community.”
Asked if Verizon uncovered anything about GenAI in relation to attacks, Novak said interestingly, “the data didn’t show anything.”
“I think we’re still very early in this cycle. There’s an interesting chart in the report where it shows the amount of times that we believe generative AI has been associated with a breach, and the amount of times people just generally talk about generative AI,” he said. “And one of them is almost a flat line across zero, and one of them is a hockey stick chart up.”
Novak added that while there have been some instances of GenAI being used to, say, create better phishing emails or write malware, they are “very much the outlier examples.”
And that’s probably because “threat actors are finding the methods they are using today continue to work.”