Takeaways From 2022 DBIR: It All Comes Back to Passwords
Michael Rothschild, VP of Product Marketing, HYPR
4 Min. Read | May 26, 2022
Like clockwork for the last 15 years, the Verizon Data Breach Investigations Report (more affectionately known as “The DBIR”) was released today. It contains 108 pages of detailed information and insights regarding types of attacks, attack surfaces, attack actors and more. The data is sliced and diced in so many ways that everyone who is anyone in the security community will be poring over the report for weeks.
The 2022 DBIR did a great job of not only releasing new data but also, with a nod to its 15-year anniversary, taking a retrospective look at some key findings and relating them back to the findings of 2008. These are some of the most interesting elements of the report for those who have been in security for some time, because there have been both major changes and static trends from 2008 to 2022. These nuggets of information can help us better understand the trajectory of threats and how we, as security ambassadors, should react and help architect our infrastructures for the future.
The Myth and Reality of the Insider Threat
Two specific report elements really stood out to me. For years, we consistently talked about the “insider threat,” specifically how an organization’s most valuable asset, namely its people, constituted the biggest threat. In the 2022 DBIR, while 82% of the attacks involved a human element, most of the attacks came from outside the organization. This is not to say that insiders played no role, but the good news is that the vast majority of employees, partners and subcontractors, who are all insiders, did not knowingly or purposefully contribute to an attack. With ongoing education and reinforcement of best security practices for our “most expensive asset,” organizations are well down the road to making the number of unintentional insider threats trend downward. Even more important, however, is to eliminate opportunities for unintentional breaches, which brings me to the second element.
Credentials, Credentials, Credentials
The second glaring metric was the use of credentials in an attack. Phishing, man-in-the-middle (MitM), smishing, brute force, credential stuffing and social engineering (both online and offline) are all attacks architected to lift passwords and other credentials in order to gain access to a system. This is the master skeleton key that gives hackers and cybercriminals the portal to perform reconnaissance and launch attacks anywhere, anytime and anyhow they want. Whether harvesting data, ransoming information, taking down a system or causing a catastrophic failure, most attacks can be traced back to a stolen, compromised or misused password.
The Achilles heel of most organizations is the use of the password. Passwords were originally conceptualized and used to book time on mainframe computers; they were never meant to be a form of authentication or security. They certainly were not meant to serve as a security staple in the way we use them today. And while, over time, we have added layers of protection on top of the password, such as one-time passwords, tokens and push notifications, these never lived up to the level of security needed. All they really did was provide a false sense of security and add a ton of friction to the user experience. So in essence, we are in a very similar position to where we were 15 years ago.
Remove Passwords, Remove the Risk
Moving forward, organizations need to remove passwords from their security arsenal. This, of course, does not mean that we should run everything wide open, but rather that we need to adopt multi-factor authentication (MFA) that is passwordless. Phishing-resistant MFA is recommended in guidance put out by CISA, the OMB and many countries all over the world, with FIDO certification the designated gold standard. Instead of relying on a string of letters and numbers to keep things secure, we can go passwordless in a way that completely eliminates shared secrets. By using public and private key exchanges that are invoked by the user, rather than by a server (which can easily be spoofed), credentials are removed as an avenue of attack.
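As an added illustration of the user-invoked public-key exchange described above (example code written for this article, not HYPR's product and not the real FIDO/WebAuthn wire format), the Go program below models a device-held private key signing a server challenge that is bound to the origin the browser is actually connected to. The origin-binding scheme (SHA-256 of the origin prepended to the challenge), the hostnames and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is the user's device. Its private key never leaves it, so there is
// no shared secret for a phisher or a breached server to collect.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewChallenge returns a fresh server-side nonce so a captured assertion cannot be replayed.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// signedData binds the challenge to the origin the browser is actually talking to
// (a simplified stand-in for WebAuthn's clientDataJSON, assumed for this example).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Assert runs on the user's device. The origin comes from the browser, not from the
// server that sent the challenge, so a look-alike site relaying a genuine challenge
// only obtains a signature bound to its own origin.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(origin, challenge))
}

// Verify is the server side: it holds only the public key registered for the account
// and checks the assertion against its own rpID and the challenge it issued.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}

func main() {
	// Registration: the key pair is generated on the device; the server stores pub only.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &Authenticator{priv: priv}
	ch, _ := NewChallenge()
	fmt.Println("genuine login:", Verify(pub, "login.example.com", ch, auth.Assert("login.example.com", ch)))
	fmt.Println("relayed by look-alike:", Verify(pub, "login.example.com", ch, auth.Assert("login-example.com", ch)))
}
```

The second check fails because the signature covers the look-alike origin, so relaying the genuine challenge through a spoofed server yields nothing the real server will accept, and a server-side breach exposes only public keys.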
With constantly changing attack surfaces and attack vectors, organizations need to look at how people authenticate and gain access to systems, starting with the desktop and extending to the cloud. Our ability to conquer the password issue as the origin of many other attacks will put us in a remarkably more secure position as a community than we are in today. We can fix the way the world logs in, and we do not have to wait another 15 years; we can effect this change right here, right now.