Latest Breach Data Tells All
What We Can Learn From Others' Failures


Shawn Stewart
Mr. Stewart has 27 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Master's in Cybersecurity, a Bachelor's in IT, a Minor in Professional Writing, and is a published author.
Verizon recently released its 2024 Data Breach Investigations Report. You can find it here (Link). The report covers over 30,000 incidents, of which over 10,000 were deemed actual breaches. To clarify, their percentages do overlap, so don’t roast me when I quote numbers that equal 130%. I’m just the messenger. Also, we only know about the breaches corporations and organizations are required by law to report or choose to disclose. However, we see a clear picture of certain shifts in attacker behavior.
Breach Data
No surprise, extortion attempts have increased. Ransomware did decline slightly, but only because threat actors found easier ways to extract money from companies. The financial impact varies, but the median ransom demand in the report's data works out to about 1.34% of the victim's annual revenue. For a small business, losing $50,000 could close its doors.
How The Breach Happened
#3 Social Engineering – People continue to be the weak link in the security chain. This points to poor policies and a lack of training. Social engineering includes a threat actor convincing a person to provide money, data, passwords, etc. A major red flag is the sharp rise in desktop sharing software as an entry point. This deserves immediate attention from every IT department. As convenient as it is, remote control software should not be reachable from outside sources.
#2 Phishing – While corporations pour millions into advanced AI to protect their users, people continue to fall for phishing and spear phishing emails. Learn to spot and avoid Phishing messages here (Link). But the report shows a startling trend. The median time for users to fall for phishing – opening, clicking, and entering data – is less than 60 seconds! If you train your users on nothing else, have them employ the STAR method for email. That’s Stop, Think, Act, Review. Even if your users stop and count to 10, it helps prevent the knee-jerk reaction threat actors expect.
#1 Web Applications – As expected, the top entry path continues to be Web applications and other Internet-reachable servers. What is a server? For this report, it is any device that serves pages, applications, or forms. This could be classic web pages or corporate SSL VPN portals. Reachability from the open Internet is the common factor.
Primary Web Breaches
Zero-Day and Known Vulnerabilities – Based on CISA (Link) and Verizon's data, you get only about 5 days from the identification and public announcement of a vulnerability before threat actors are using it against you. Honestly, I think that's very optimistic. That's not enough time to get through most Change Management processes. Further, businesses often don't realize their hardware, software, or plug-ins bundle other vulnerable software, such as an Apache web server inside a Linux-based appliance. While Verizon didn't mention Open Source software, many cybersecurity specialists, including myself, warn that if you use Open Source, your patch management response must be immediate.
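The 5-day window above is only useful if you can measure it against what you actually run. The script below is an added example, not code from the original post or from CISA; it joins a software inventory against entries shaped like CISA's Known Exploited Vulnerabilities (KEV) JSON feed and flags every unpatched asset whose entry is older than the exploitation window or past CISA's own due date. Both the KEV entries and the inventory here are constructed sample data with placeholder identifiers (not real CVEs); the field names cveID, product, dateAdded and dueDate follow the real feed, and the product-name join is an assumption that your inventory uses the same naming.

```python
from datetime import date

# Constructed KEV-style entries. Field names mirror CISA's KEV JSON feed;
# the identifiers are placeholders, not real vulnerabilities.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-1", "product": "Example VPN Appliance",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-22"},
        {"cveID": "CVE-EXAMPLE-2", "product": "Example Web Framework",
         "dateAdded": "2024-05-20", "dueDate": "2024-06-10"},
        {"cveID": "CVE-EXAMPLE-3", "product": "Example Database",
         "dateAdded": "2024-04-01", "dueDate": "2024-04-22"},
    ]
}

# Constructed inventory: what the organization runs and whether the fix is applied.
INVENTORY = [
    {"host": "vpn-edge-1", "product": "Example VPN Appliance", "patched": False},
    {"host": "portal-1", "product": "Example Web Framework", "patched": False},
    {"host": "db-1", "product": "Example Database", "patched": True},
]

# The figure quoted above: expect exploitation this soon after disclosure.
EXPLOIT_WINDOW_DAYS = 5


def exposure_report(kev, inventory, today):
    """Join the inventory against KEV by product name (assumed to match) and
    score every unpatched hit. Returns one row per (host, cveID), most
    exposed first, with the days since the KEV entry appeared and two flags:
    likely_exploited (past the exploitation window) and past_cisa_due."""
    by_product = {}
    for entry in kev["vulnerabilities"]:
        by_product.setdefault(entry["product"], []).append(entry)

    rows = []
    for asset in inventory:
        if asset["patched"]:
            continue  # patched assets are out of scope for this report
        for entry in by_product.get(asset["product"], []):
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            days = (today - added).days
            rows.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "days_exposed": days,
                "likely_exploited": days >= EXPLOIT_WINDOW_DAYS,
                "past_cisa_due": today > due,
            })
    rows.sort(key=lambda r: r["days_exposed"], reverse=True)
    return rows


if __name__ == "__main__":
    # Fixed "today" so the output is reproducible offline.
    for row in exposure_report(KEV_SAMPLE, INVENTORY, date(2024, 5, 23)):
        print(row)
```

To run this against the real feed, replace KEV_SAMPLE with the parsed JSON from CISA's published known_exploited_vulnerabilities.json and today with date.today(); the join key and the 5-day threshold are the two things to tune for your environment.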
Human Error and Misconfigurations – Poor password policies and simply not changing or removing default accounts and passwords are open doors. With Multi-Factor Authentication (MFA) enabled, a weak or cracked password by itself no longer gets an attacker into the system. Still, it's not a cure-all. Regular penetration testing identifies misconfigurations, which account for 35% of all breaches. Read about password policies here (Link).
Vendor and Supply Chain Failures – If you put everything in the Cloud, you hand day-to-day management of the systems to a third party, but the liability for your data stays with you. Do they maintain the same security posture and policy you would if you hosted the system? The numbers scream “NO”! The number of breaches involving a vendor or supply chain failure increased by 68% last year!
Comparison to OWASP Top 10
Below are five (5) of the OWASP Top 10 Web Application Security Risks. Here’s how they compare to the Verizon report.
#1 Broken Access Control – Least privilege failures, URL bypass, privilege elevation, API bypass, etc. This maps to the human error and poor password policy category above.
#2 Cryptographic Failures – Weak or missing encryption or data stored in plain text.
#3 Injection – Form data is not validated, filtered or sanitized or allows commands to pass directly to the server.
#4 Insecure Design – Not to be confused with insecure implementation, this means a system that was not built under a Secure Software Development Life Cycle (SDLC): the design itself lacks the needed controls, so correct coding alone cannot fix it.
#5 Security Misconfigurations – There it is!
Read the detailed OWASP Top 10 here (Link)
Number 6 on the OWASP list, Vulnerable and Outdated Components, covers the zero-day and known vulnerabilities category, so the Verizon report essentially simplified the same findings.
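Two of the OWASP items above, Broken Access Control (#1) and Injection (#3), usually show up together in the same request handler, so here is one added example (not code from the original post or from OWASP) that shows both in a single order-lookup function and then the hardened version. The database, table and rows are constructed in memory with sqlite3; the caller_id and order_id parameters are assumptions standing in for whatever your framework passes from the session and the request.

```python
import sqlite3


def build_db():
    """Constructed sample data: three orders owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, 100, "laptop"),
        (2, 200, "router"),
        (3, 200, "badge printer"),
    ])
    return db


def get_order_vulnerable(db, caller_id, order_id):
    """Deliberately flawed, kept that way to show the two OWASP items:
    Injection (#3): order_id is pasted into the SQL text unescaped.
    Broken Access Control (#1): caller_id is accepted but never used, so any
    authenticated user can read any order by changing the id."""
    sql = f"SELECT id, owner_id, item FROM orders WHERE id = {order_id}"
    return db.execute(sql).fetchall()


def get_order_safe(db, caller_id, order_id):
    """Hardened form: parameter binding stops the injection, and the
    ownership filter lives in the same statement so it cannot be skipped."""
    try:
        oid = int(order_id)          # input validation; the binding below
    except (TypeError, ValueError):  # is what actually prevents injection
        return []
    sql = "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?"
    return db.execute(sql, (oid, caller_id)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "1 OR 1=1"
    print("vulnerable, honest id:", get_order_vulnerable(db, 100, "1"))     # 1 row
    print("vulnerable, injected:", get_order_vulnerable(db, 100, payload))  # all 3 rows
    print("vulnerable, other user's order:", get_order_vulnerable(db, 100, "2"))  # leaks order 2
    print("safe, own order:", get_order_safe(db, 200, "2"))                 # 1 row
    print("safe, other user's order:", get_order_safe(db, 100, "2"))        # no rows
    print("safe, injected:", get_order_safe(db, 100, payload))              # no rows
```

The point of putting the ownership check in the WHERE clause rather than in a separate "if" after the query is that a later refactor cannot drop it without also changing the SQL, which is the kind of control a penetration test checks for.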
Thoughts on the Verizon Breach Report
Whoever wrote this report was trying very hard to be witty and likes to hear themselves talk. I can relate. As a disclaimer, they only reviewed 30,458 incidents and 10,626 confirmed data breaches. I disagree with some of their numbers. For instance, they say Organized Crime completed a vast majority of breaches and state-sponsored threat actors accounted for less than 5%. I believe they fail to realize that nearly all the hacker groups globally receive some level of state funding. Seems like a dance by Verizon to avoid biting the hand that feeds them in certain markets.
Who’s Getting Hit
Since we love lists, here is the breakdown of which sectors are targeted the most, with NAICS sector codes in parentheses:
- Public Administration (92)
- Finance (52)
- Professional (54)
- Manufacturing (31-33)
- Education (61)
- Healthcare (62)
- Information (51)
- Retail (44-45)
- Other (81)
- Entertainment (71)
How to protect yourself
Every organization should begin its security journey with Policy. Policy drives expectations, actions, and decisions. It forces better password practices, enforces MFA, and requires penetration testing, as a start. Education for everyone, especially those who don't think they need it, must occur regularly, not once a year to check a box for HR. Finally, Technology maintains security through encryption, constant updates, and monitoring. On top of everything, you need constant vigilance and the understanding that there is no finish line in cybersecurity.
See how your organization’s security stacks up (Link)
Need Help?
Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.
Check Out Our Podcast!
The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today's latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts. (Link)