Threat Summary - Week 30, 2019

Reports / Surveys

The average data breach costs $3.92 million

Organizations that suffer a data breach are likely to lose millions of dollars as a result, a new IBM study shows. Over the past 5 years, the average cost of a data breach has increased by 12% to $3.92 million, or $150 per compromised record. Even smaller firms with under 500 employees tend to lose over $2.5 million per breach.

Most people still recycle passwords

A security.org survey found that despite the growing data breach epidemic, 72% of people continue to reuse passwords across different accounts, thereby putting themselves at risk of credential stuffing attacks. 63% even recycle passwords between important accounts (business, online banking, etc.) and entertainment (social media, streaming services, etc.). On average, a single password is used for 4 different accounts. Moreover, when people need to come up with a new password, they often modify an old one, even though hackers usually test tweaked passwords as well.

96% of penetration tests reveal major vulnerabilities

A new Rapid7 analysis [pdf] confirms that pentests are incredibly valuable to companies, as they nearly always (96% of the time) reveal one or more important security flaws. Login credentials for one or more accounts are compromised in 72% of cases, typically because a common password is in use. On the bright side, companies are doing a better job of protecting their internal network from external threats, since only 21% of attacks on Internet-facing assets allowed pentesters to breach the internal network.

Half of organizations don’t think they can prevent cyberattacks

A global CyberArk survey reveals a staggering lack of cybersecurity confidence among organizations. One in two respondents indicated that their firm can’t stop threat actors from breaching their network time after time.

According to the study, the most-feared threat actors are:

  • Hackers (78%)
  • Organized crime (46%)
  • Hacktivists (46%)
  • Privileged insiders (41%)

And the biggest security risks to organizations are:

  • External attacks, e.g. phishing (60%)
  • Ransomware (59%)
  • Shadow IT (45%)

Email security fails against continuous stream of attacks

Email security is dramatically falling short, a new GreatHorn report shows. Even though many inboxes are protected by two or more security solutions, about half (49.8%) of professionals receive malicious emails on a daily basis (24.4%) or on a weekly basis (25.4%). And these attacks are far from ineffective, with 22% of professionals suffering an email-borne data breach in the past three months.

Data breaches

Slack resets 1% of user accounts in connection to 2015 breach

In 2015 a threat actor obtained unauthorized access to Slack’s infrastructure, which prompted the company to reset a large number of user accounts. However, Slack recently discovered that several accounts that had logged into the service while the 2015 breach was taking place, but whose passwords had not been reset at the time, were compromised. In response, the firm reset 1% of Slack user accounts: those that were created before the March 2015 incident, still had the same passwords, and did not use single sign-on (SSO).

What You Can Do

As mentioned in last week's threat summary report, it is critical for your organization to understand and assess its risk from cyber attacks on an ongoing basis. One way your organization can begin assessing its risk is by conducting a free Internet Exposure Scan.

Additionally, as it relates to weak passwords, organizations should consider conducting a password analysis from time to time. Given the number of weak passwords present within organizations, many of them also tied to employees' personal accounts, this can introduce a significant risk to an organization.
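The surveys above make the same point twice: people reuse passwords and, when forced to change one, they tweak it ("Summer2018!" becomes "Summer2019!", "password" becomes "P@ssw0rd1"), and attackers test those tweaks. A password analysis or a registration-time policy check is only useful if it sees through such tweaks. The following is an added example, not a tool from the newsletter or from Vonahi Security: it normalizes a candidate password back to the base word it was built from and rejects it if that word is on a blocklist. The blocklist, the leet substitution table and the candidate passwords are constructed for the example; a real deployment would load a large breached-password corpus and tune the normalization rules.

```python
"""
Password policy check that rejects cheap tweaks of blocklisted passwords.

Added example, not from the newsletter or Vonahi. The blocklist and the
candidate passwords are constructed; a real deployment would load a large
breached-password corpus instead of the handful of words below.
"""
import re
from typing import List, Set

# Constructed blocklist: a few base words that surveys and pentests keep finding.
# Assumption: in production this is a large corpus, not seven words.
COMMON_PASSWORDS: Set[str] = {
    "password", "welcome", "qwerty", "letmein", "summer", "monkey", "admin",
}

# Reverse the substitutions people use to "tweak" a word without changing it.
# Assumption: this small table covers the most common leet replacements only.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})


def normalize(password: str) -> str:
    """Reduce a password to the base word it was built from.

    Steps: lower-case, drop the trailing digits/symbols people append
    (years, '!', '123'), undo common leet substitutions, then drop any
    leading symbols. Returns '' when nothing alphabetic remains.
    """
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # 'summer2019!' -> 'summer'
    core = core.translate(LEET_MAP)        # 'p@ssw0rd'    -> 'password'
    core = re.sub(r"^[^a-z]+", "", core)   # '!!password'  -> 'password'
    return core


def check_password(password: str,
                   blocklist: Set[str] = COMMON_PASSWORDS,
                   min_length: int = 12) -> List[str]:
    """Return the reasons a password fails policy; an empty list means it passes."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(password)
    if not core:
        reasons.append("contains no letters (digits/symbols only)")
    elif core in blocklist:
        reasons.append(f"is a tweaked form of the common password '{core}'")
    return reasons


def is_acceptable(password: str) -> bool:
    """Convenience wrapper: True when the password passes every check."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed candidates of the kind a password audit turns up.
    for candidate in ["P@ssw0rd1", "Summer2019!", "L3tm31n", "12345678",
                      "Welcome2019!!", "correct-horse-battery-staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:30s} {'; '.join(verdict)}")
```

The order of the normalization steps matters: trailing digits are stripped before the leet table is applied so that an appended year such as "2019" is not half-translated into letters, and leading symbols are stripped last so that a leading "@" that stands for "a" is still recovered. The check is deliberately simple and will miss some tweaks; its purpose is to stop the most common ones, which are exactly the ones attackers try first.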

Freaky Infosec Fact of the Week

Pacemakers have been hacked, with potentially lethal consequences

In 2017, security researchers managed to install malicious firmware on a device used by doctors to control pacemakers, which enabled them to change settings, including how often patients received shocks. While this attack could have lethal consequences, the issue was still not solved in the autumn of 2018. Here's more information on this: https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/.

About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.

Stay Informed

  • Connect with us on LinkedIn for Professional Security Tips
  • Like us on Facebook for Personal Security Tips
  • Follow us on Twitter for News & Threat Updates