BY Richard Summerfield
Cyber criminals are deploying new and innovative lines of attack in addition to modified versions of existing methods, according to Verizon’s 2024 Data Breach Investigations Report.
The report analysed more than 30,000 real-world security incidents spanning 94 countries, including a record high of just over 10,000 confirmed data breaches. When errors and misuse (typically honest mistakes by employees) are excluded, the three most popular vectors for data breaches were unauthorised use of web application credentials, email phishing and exploitation of vulnerabilities in web applications.
Attacks that exploited vulnerabilities were up 180 percent, according to the report. This increase comes as no surprise given the mass exploitation of the MOVEit zero-day vulnerability and other similar vulnerabilities. These attacks were primarily carried out by ransomware and other extortion-related threat actors, and the main entry point was web applications. Attacks involving ransomware or extortion have seen considerable growth over the past year, accounting for 32 percent of all breaches.
“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, senior director of cybersecurity consulting at Verizon Business.
The human element also had a substantial hand in the number of recorded breaches. Sixty-eight percent of breaches involved a non-malicious human element. Accordingly, the onus remains on organisations to improve security awareness among their employees in order to reduce the impact of breaches. The report explains that the most common causes of breaches involving a non-malicious human element are someone falling victim to a social engineering attack or someone making a mistake.
“In either case, these could have been mitigated by basic security awareness and training. This is an updated metric in the report (we would previously include malicious insiders), and it is roughly the same as the previous period described in the 2023 DBIR,” Verizon added.