Verizon DBIR Report: 63% of Breaches Exploit Static Passwords

Last updated: 11 May 2016

According to the 2016 Verizon Data Passwords Breach Investigations Report released last week, 63 Percent of data breaches exploit static passwords, specifically “weak, default or stolen passwords.” Over 1,400 breaches with confirmed data disclosure involved compromised (static) credentials, with many more breaches in the overall count whose results are unknown.


Strong Authentication – A First Line of Defense

“We know that a standard username and password combo may very well be enough to protect your fantasy football league,” says the study. “We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea. Even with all of that, 63% of confirmed data breaches involved leveraging weak/default/stolen passwords. This statistic drives our recommendation that this is a bar worth raising.”

In fact, of the nine types of breaches (‘incident patterns’) identified by the study, at least five could be prevented or mitigated using strong multi-factor authentication:  The impact of Web App attacks that exfiltrate static user credentials could be diminished. Point-of-sale Intrusions that involve the hijacking of point-of-sale systems (aka cashiers’ computers) could be prevented, as these often involve fixed passwords which can be stolen or hacked via brute force. Pre-boot authentication could render useless the sensitive data on lost or stolen laptops, and both cyber-espionage and insider misuse could be curtailed, as well (think shoulder-surfing, password guessing and keyloggers).


Perimeter and Other Defenses

 To be sure, other countermeasures are recommended by the study. Network segmentation, to “Separate the POS environment from the corporate LAN,” for example, is one measure that could prevent lateral movement of attackers to other file shares and systems on the network.  The timely installation of security patches is also critical, as unpatched security holes are commonly exploited for installing financially-motived Crimeware as well as command & control (C2) botnet clients. The latter topped the ‘threat action varieties’ chart, and—often invisibly—turns systems into slaves of a botnet master server. The pervasiveness of this type of C2 malware also brought the authors to recommend blocking emails that contain executable files (ending with .exe) before they reach recipients, and monitoring and filtering web traffic for suspicious communications. Full disk encryption and tokenization of data were recommended as countermeasures for physical theft or loss.


Moving from Breach Prevention to Breach Acceptance

As the latest DBIR puts it, “You can’t effectively protect your data if you don’t know where it resides.” That is why Gemalto advocates a data-centric strategy for protecting organizations’ most valuable assets. Rather than relying on perimeter defenses to prevent breaches from happening, a ‘Secure the Breach’ strategy calls on IT and security leaders to accept that a breach can and will occur. Once organizations accept that they can and will be breached, they can proceed to identify where their critical data resides, take action to secure that data with effective encryption and key management, and effectively control access to that data with multi-factor authentication.  Learn more about Gemalto’s Secure the Breach strategy, visit

Finally, whereas the report’s authors contend that they “are realists here,” and they “know that implementation of multi-factor authentication is not easy,” we at Gemalto beg to differ. It is our experience that deploying 2FA, even to thousands of users, can be done over a coffee. For details, check out SC Mag’s recent 5-Star review of SafeNet Authentication Service.

Leave a Reply

Your email address will not be published. Required fields are marked *