If data theft is a game of speed, the bad guys are winning.
Fueled in part by an increase in phishing attacks with malware attachments in the past year, fraudsters took only minutes to compromise a network in 93% of breach incidents, according to Verizon's 2016 data breach investigations report.
In 28% of those cases, the criminals were out of the network with the data they were after in only minutes as well. Even more frightening, in 11% of those breaches, it took mere seconds to compromise a network, and in 7.1% only seconds to steal data.
Some of that trend has to do with physical compromises at unattended machines like ATMs and gas pumps, but most of it comes from nation-state and financially motivated attackers establishing control of networks with malware, the report said.
Verizon's annual report includes data on more than 64,000 security incidents affecting organizations in 82 countries across various industries. Of that number, Verizon categorized 2,260 as incidents in which the victim confirmed data loss.
All breach incidents were reviewed through the Veris framework, a system in which organizations record and share information with Verizon about breaches in a common format. Many were forensic investigations operated and conducted by Verizon using contributions from Veris.
The speed at which attackers are infiltrating networks and leaving with targeted data is "one of the scariest stats in the report," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"Equally concerning is that it's taking companies multiple weeks to discover the breach," Conroy said.
In the 2015 report, Verizon reported 30% of breaches were discovered within "days or less" of the incident, but acknowledges that good news was short-lived, coming in around 20% in the 2016 report.
The report also confirmed what security vendors and experts have been saying for the past several years – that hackers will continue to use malware and phishing methods that work because employees use weak passwords and don't restrict network access as strongly as they should.
"Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff," the report noted.
Thirty percent of phishing messages were opened by the target across all data sets in the Verizon report, compared to 23% in the 2015 report. About 12% went on to click the malicious attachment or link, enabling a successful attack, up slightly from 11% the year before.
The median time for a first target of a phishing campaign to open a malicious e-mail is one minute and forty seconds, while the median time to the first click on an attachment was three minutes and 45 seconds.
Organizations need to make it difficult for an attacker to get from the access point, or user device, to other assets in the organization, the report said. Verizon suggests protecting a network from compromised desktops and laptops by segmenting the network and implementing strong authentication between user networks and any data of importance.
Static passwords "are adorable," but sophisticated attackers don't just bypass them, they utilize them to advance their attack, the report said. Of the confirmed data breaches, 63% involved weak, default or stolen passwords.
"This report highlights the fact that if companies were just doing the basics of applying patches, using strong password security policies and other measures, a vast majority of attacks could be prevented," Conroy said.
Point of sale terminal attacks against the hospitality, food and retail industries accounted for 534 incidents last year, with fraudsters shifting their attention from large retailers to large hotel chains, the report said.
RAM scraping, or memory scraping for card details on back-end systems, and keylogging malware had significant roles in POS terminal attacks, capturing credentials that could be used against POS assets. RAM scraping was cited in 512 of the POS incidents.
Attackers took advantage of static, single-factor authentication in many of the POS breaches. Just more than 30% of all breaches used stolen credentials with point of sale intrusions.