582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services

A recent survey carried out with hackers, incident responders, and penetration testers has showed that most can gain access to a targeted system in around 15 hours, but 54% of hackers take under five hours to gain access to a system, and identify and obtain sensitive data.

The data comes from the second yearly Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were located in the United States.

Those surveyed were asked about the length of time it takes to conduct attacks and obtain data, the motivations for attacks, the techniques employed, and the industries that offered the lowest resistance.

While the least protected industries recorded were hospitality, retail, and the food and beverage industry, healthcare groups were viewed as very soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were seen as relatively easy to target. As Nuix states, many of the industries that were referred to as soft targets are required to adhere with industry standards for cybersecurity.

The retail and food and beverage sectors are needed to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare groups must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring security measures to be adapted to ensure the confidentiality, integrity, and availability of healthcare information. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare supplier and exfiltrate useful data, 18% said under 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they could to identify and exfiltrate sensitive data within an hour of accessing the network perimeter.

Even though groups must comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are adapted, or that they are configured correctly and are providing the required level of security.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” stated Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the published report.

How Are Hackers Obtaining Access to Networks and Data?

The most common types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks.  The popularity of ransomware has risen in recent years, yet it was not a preferred attack style, favored by only 3% of those questioned in the survey.

Social engineering is employed sometimes or always by 50% of hackers, with phishing emails by far the most common social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on workers is used by 22%, and 16% gather the information they need over the telephone.

The most commonly employed tools for attacks were open source hacking utilities and exploit packs, which combined are used by 80% of questionened hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to alter their tactics that often. Almost  25% of hackers only change their attack methods once annually and 20% said they update their methods twice annually.

As for the motivation for the hacking attacks, it is not always monetary reasons. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial profit.

One consideration that comes up from the results of the survey is just how vital it is to run security awareness programs and train staff cybersecurity best practices and to be aware of the threat from social engineering and phishing attacks. With almost 50% of hackers choosing these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve groups’ security posture.

Author: Maria Perez