How Government Organizations Can Prevent Breaches: Verizon’s 2020 DBIR

By Sachin Varghese

June 3, 2020

Government organizations disclose a wealth of data on their security incidents and breaches. This allows reports like Verizon’s recently released 2020 Data Breach Investigations Report to paint a clear and accurate picture of what threats Government organizations currently face, and how they can better defend themselves.

In their report, Verizon compiles recent breach data from over 80 different contributing organizations. At Paladion, we are proud to be one of those contributing organizations for yet another year. Further, we have found that Verizon’s analysis of the current breach landscape aligns with our own experiences monitoring and defending organizations in the Technology space.  

Read on, and learn about:

  • What has changed in the Technology breach landscape over the last year
  • What specific threats are currently targeting organizations in this sector
  • And what you can do to defend yourself over the coming year - to prevent your organization from becoming another data point in Verizon’s survey.


Government: The Second-Most Attacked Industry in 2020

In the past year, Government organizations saw 6,843 security incidents, with 346 of those incidents resulting in confirmed data breaches. Government organizations experienced the second-highest volume of incidents and suffered the fifth-highest number of confirmed data breaches. 

Of the 6,843 security incidents Government organizations suffered, the vast majority (6,030) were large-scale incidents. While the report was able to derive less information about the scale of the actual data breaches Government organizations suffered—and lists 272 of the 346 confirmed breaches as being of “unknown” size—it is safe to assume if most attacks against Government organizations were large-scale, then most actual security breaches must have been large-scale as well.

This is a distressing insight. Even though Government organizations were effective at preventing incidents from turning into material breaches - blocking 95% of their incidents - it only takes one large-scale breach to create substantial problems for a Government organization, and the constituents that they serve.  

Given the thousands of attempts at creating large-scale incidents that Government organizations experience every year, and given the variety of attacks they suffer, it is becoming clear that these groups must extend their security capabilities over the coming year.

The Threat Landscape for Government Organizations

Government organizations are experiencing a new suite of threats. In last year’s DBIR report, Verizon noted that Government organizations were primarily breached by cyber-espionage attacks, miscellaneous errors, and privilege misuse. In this year’s report, cyber-espionage and privilege misuse both declined significantly, and only accounted for single-digit percentages of breach-causing attacks.

They have been replaced by a new set of common threats. Over the last year, 73% of breaches of Government organizations were caused by Miscellaneous Errors, Web Application Attacks, and Everything Else.

The most common forms of Miscellaneous Errors were misdelivery (users sharing sensitive information to the wrong recipient) and misconfiguration (administrators establishing new data centers without securing them properly), with fewer incidents of publishing errors, loss of devices, or programming errors.

The report also found that Government organizations are attacked with a wide range of malware, with the majority of their security incidents caused by:

  • Ransomware
  • C2
  • Backdoor
  • Downloaders
  • Captured Stored or App Data

Among these malware attacks, ransomware was involved in a majority (61%) of the incidents.

Government organization security incidents and breaches were caused almost evenly between external actors (59%) and internal actors (43%), with 2% caused by multiple threat actors.

Reviewing these data, it’s clear that Government organizations require a comprehensive approach to security. They are beset by a high volume of security incidents delivered through conventional forms of malware. At the same time, they also experience a significant volume of their breaches caused by internal errors and lack of security governance. In short - they must defend themselves both within and without.


Why Government Faces So Many Threats

Most (75%) of the attacks against Government organizations were financially motivated, while a relatively small minority of the remaining attacks (19%) were motivated by espionage. Interestingly, 3% of attacks against governments were deployed purely for “fun” - simply to cause chaos, and to see if the malicious actor would be able to cause a breach against a high-profile target.

No matter the impetus behind the attack, these malicious actors sought a range of different forms of data, which included:

  • 51% - Personal Data
  • 34% - “Other” Data
  • 33% - Credentials
  • 14% - Internal Data

These results suggest that malicious actors are probing Government organizations for any data that they feel might be able to grant them access into Government networks, or which might be considered valuable or confidential enough by the targeted organization to pay a ransom to keep private.

How Government Organizations Can Protect Themselves

Verizon’s report offers a few suggestions that Government organizations can follow to improve their defenses, namely - they can implement security awareness and training programs, establish improved boundary defense, and better secure their configurations.

These suggestions are practical and useful. If Government organizations implement them, they will improve their defenses. However, we feel these recommendations are not sufficient, and that Government organizations must also establish:

  • Managed Detection and Response to provide an overall layer of defense across their entire organization, given the wide range of attack vectors suffered, and to specifically resolve ransomware attacks without paying.

  • User Behavior and Configuration Monitoring to limit the rampant incidents caused by misdelivery and misconfiguration, and to overall reduce both the organization’s attack surface and the likelihood of experiencing an internal threat.

  • 24x7 Security Monitoring to continuously search for, and set the stage to take action against, the high volume of known, conventional threats (such as malware) that are launched against Government organizations every year.

If you are interested in learning how to bring these defenses to your Government organization, reach out to Paladion today.

About

Sachin Varghese

Sachin Varghese is EVP AMERICAS & CMO at Paladion. He has over 18 years of experience in Cyber Security, and has helped several leading enterprises in North America and Europe build resilient cyber security frameworks.