Authentication-based attacks factored into about four of every five breaches involving hacking in 2012, according to Verizon's Data Breach Investigations Report released Monday.
The methods involved guessing, cracking, or reusing valid credentials, according to the 63-page report, which noted that the authentication results looked familiar from past years.
Hacking was the most prevalent form of attack and was cited in 52% of breaches. Malware came in at 40%, while Physical, at 35%, rounded out the top three. Authentication-based attacks were the most popular hacking threat action.
"The easiest and least-detectable way to gain unauthorized access is to leverage someone’s (or something’s) authorized access," the report stated. "Why reinvent the wheel? So, it really comes as no surprise that authentication-based attacks factored into about four of every five breaches involving hacking in our 2012 dataset. Nor is it all that surprising that we see this year after year."
But the report did not pull any punches on what an alternative to passwords might mean.
"If we could collectively accept a suitable replacement (for passwords), it would’ve forced about 80% of these attacks to adapt or die. We’ve talked about the shortcomings of passwords for years now, and if it were an easy problem (or the pain caused by password problems was greater), it’d be fixed by now."
The critique seemed as much a realization as a challenge for innovators to come up with a password replacement.
The theft of passwords has been a near epidemic in the past few years.
Zappos, Gawker, Sony, Apple, Fox, CBS, Warner Bros. rootkit.com, LinkedIn, eHarmony, Last.fm are among companies that have felt the sting of stolen credentials along with the hundreds of millions of end-users who owned them.
While the report identifies 40 varieties of hacking, nearly all of the activity is contained in five threat categories, a scenario the report labeled "remarkable." After stolen credentials, the list is made up of: use of backdoor or C2, brute force, unknown and SQLi. "Other" accounts for 2% and the rest of the categories each totaled 1% or less.
"Readers will reasonably ask how attackers steal credentials in order to reuse them to gain unauthorized access. Sometimes users are socially engineered to give them up. Sometimes malware captures them from keystrokes, browser cache, or system files," the report said.
The report noted that more sophisticated espionage cases examined by the study featured combinations of factors, including information theft at rest and in process, combined with credential theft via keylogging malware followed by use of the stolen passwords to access a file server.
"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity," Dave Hylender, an infosec expert at Verizon, wrote on the corporate blog. "Shaping the many threads into a coherent story that did the dataset justice was probably the most challenging aspect of this year’s report."
The Verizon report highlighted for enterprises two of its 20 Critical Security Controls, originally developed by the Center for Strategic and International Studies and The SANS Institute, that will benefit from strong authentication: Secure Configurations for Network Devices (such as firewalls, routers, and switches), and Controlled Use of Administrative Privileges.
The 2013 data breach report includes 621 confirmed data breaches and more than 47,000 reported security incidents. Over the nine-year range of the study, that tally now exceeds 2,500 data breaches and 1.2 billion compromised records. Verizon, along with 18 organizations from around the world, contributed data and analysis to the report.