The IT Nerd

The new Verizon Data breach investigations report has been released, revealing that nearly a third (31%) of data breaches over the past year started with vulnerability exploitation. This is up from 20% in last year’s report. The report looks at the dramatic impact that AI and supply chains are having on businesses.

Ensar Seker, CISO at SOCRadar:

“The latest Verizon DBIR confirms what many defenders have been experiencing operationally over the past year: attackers are increasingly prioritizing speed and scalability. Vulnerability exploitation jumping from 20% to 31% is a major signal that threat actors are moving away from slower intrusion methods and focusing on exposed internet-facing assets, edge devices, third-party software, and unpatched vulnerabilities that can provide immediate access at scale. What is especially concerning is how this trend intersects with supply chain risk and AI-driven operational acceleration. Organizations are no longer defending only their own infrastructure. They are also inheriting the risks of vendors, MSPs, SaaS providers, open-source dependencies, and interconnected ecosystems. 

A single exploited supplier can create downstream compromise opportunities across hundreds or thousands of organizations simultaneously, which dramatically increases attacker ROI. The AI component is equally important. While AI is currently improving productivity for defenders, adversaries are also leveraging automation to accelerate reconnaissance, phishing customization, vulnerability research, and operational decision-making. This lowers the barrier for less sophisticated actors while increasing the speed of mature threat groups. The result is a threat landscape where exploitation cycles are becoming shorter and organizations have less time to detect and respond. One of the biggest lessons from this year’s DBIR is that exposure management is becoming just as critical as traditional detection. 

Organizations need continuous visibility into external attack surfaces, third-party dependencies, exposed credentials, vulnerable assets, and misconfigurations. The companies that reduce attacker dwell time will be the ones that can rapidly identify exploitable exposure before threat actors operationalize it. We are also seeing a growing divide between organizations that treat patching as a periodic IT function versus those treating vulnerability prioritization as an active cyber risk management process tied to real-world exploitation intelligence. Attackers are increasingly targeting the vulnerabilities organizations fail to prioritize correctly, not necessarily the ones with the highest CVSS score.”

Brian Higgins, Security Specialist at Comparitech:

“The DBIR is always a useful publication. The contribution community is quite unique and it’s worth reading how the data is collected and managed if you haven’t already. A study of results and trends etc. should inform a lot of budget allocation and decision making in the coming periods.The major takeaways this year are:

Vulnerability exploitation overtaking credential theft as the highest ranking breach method. This in itself should be a catalyst for some major resource restructuring.

AI is obviously changing the attack landscape but possibly more noteworthy is a reported 45% of employees using unauthorised generative AI allowing data leakage at alarming levels. Clearly some policy and enforcement measures could help here.

Third party/Supply Chain attacks now account for almost half of all reported breaches. Conclusive proof, should anyone still need it, that it’s not enough in today’s digital environment to simply put your own house in order. Your Network is dynamic and its security relies heavily on factors difficult to control. It’s more vital than ever to have a Plan for when things go sideways.”

I really suggest reading this report as it really provides a lot of insight as to what threat actors are up to and where your next threats may come from. That way you can plan your defences accordingly.

UPDATE: Dave Hayes, VP of Product at cybersecurity company FusionAuth, commented:

“Credentials continue to do a lot of damage, they just don’t look like passwords anymore. The Drift Breach wasn’t a traditional password breach, it was a token abuse problem. OAuth tokens are critical to modern apps, but they’re also incredibly powerful. If companies don’t know where tokens exist, what they can access, and when they expire, attackers will happily answer  those questions for them.”

UPDATE #2: Scott Miserendino, VP of Engineering, Cyber at DataBee, A Comcast Company commented:

“Vulnerability exploitation is now the front door—and patching isn’t keeping up.

The DBIR confirms what many security leaders are experiencing operationally: exploitation of vulnerabilities is now the leading initial access vector (31%), overtaking credential abuse. But the more important signal isn’t just attacker behavior—it’s defender constraints. Organizations are facing a growing backlog of critical vulnerabilities, with only 26% fully remediated and a median remediation time stretching to 43 days. 

The gap here isn’t awareness—it’s operational execution. Security teams don’t lack vulnerability data; they lack the ability to prioritize, coordinate, and act on it at scale across fragmented environments.

Looking ahead, this challenge is likely to intensify. Emerging cyber-focused AI models—such as Anthropic’s Mythos, OpenAI’s GPT-5.5-Cyber, and DeepMind’s Big Sleep—have the potential to dramatically accelerate vulnerability discovery and lower the barrier to exploitation. Even before broad availability, it’s reasonable to expect that attackers will gain access to similar capabilities, enabling them to uncover undisclosed vulnerabilities faster and weaponize them with far less expertise. If that happens, the already widening gap between time-to-exploit and time-to-remediate could expand further, making it a critical area to watch in next year’s DBIR.

The implication is clear: vulnerability management is no longer just a prioritization problem—it’s a speed and accountability problem.

The most effective defense remains foundational but difficult to execute consistently:

• A robust, disciplined patching process
• Continuous monitoring of exposures across environments
• Clear, enforced accountability for remediation, grounded in accurate asset and application ownership

Organizations that can reliably answer who owns what, and ensure those owners are accountable for timely patching, will be far better positioned to reduce risk, even as attacker capabilities accelerate. In other words, while the threat landscape is evolving rapidly, the winners will be those who can operationalize the fundamentals with greater precision, speed, and accountability.”

Verizon has released the 2024 Data Breach Investigations Report (DBIR). The report, as always has a wealth of great statistics to choose from. Here’s the key takeaways:

• Vulnerability exploitation surged by nearly 3X (180%) last year.
• Ransomware and the meteoric rise of extortion techniques accounted for a third (32%) of all breaches.
• More than two-thirds (68%) of breaches involve a non-malicious human element.
• 30,458 security incidents and 10,626 confirmed breaches were analyzed in 2023—a two-fold increase over 2022.
• Verizon security by the numbers: 4,200+ networks managed globally, 34 trillion raw logs processed/year, and 9 security operation centers around the globe.

Ted Miracco, CEO, Approov Mobile Security:

   “The fact that it takes 55 days for organizations to remediate 50% of critical vulnerabilities listed in the CISA’s KEV catalog after patches are available points to a significant gap, that presents a critical window of opportunity for attackers to exploit known vulnerabilities. it is crucial for organizations to streamline their vulnerability scanning and patching procedures to outpace malicious activities. Without timely and comprehensive vulnerability information, organizations are at an extreme disadvantage in securing their systems against known exploits.”

I would register to get this report and spend some time reading it in detail. It will give you a roadmap as to secure your organization from the ever growing threats that seem to be everywhere these days.

UPDATE: Darren Williams, CEO and Founder, BlackFog adds this comment:

     “Mirroring BlackFog’s own data this report shows a significant increase in attacks over previous years. While this report indicates 32% of all breaches involved extortion, BlackFog’s own data shows that 92% of all ransomware involves extortion, an important distinction in this subset. It is also important to point out once the data is stolen it can, and is often used to target multiple victims from the original source down to the individual themselves. This data is also used to target other victims months or years into the future and highlights the importance of preventing data exfiltration.”

Verizon has dropped their latest Data Breach Investigation Report, or DBIR. Here’s some key highlights:

• Attackers have four key paths to hack into an enterprise; credentials, phishing, exploiting vulnerabilities and malicious botnets
• 50% of breaches revolve around remote access and web applications
• 25% were contributed to by social engineering
• Credential reuse was involved in 45% of breaches
• Supply chain breaches are the “new hotness” for hackers

Jake Williams, Executive Director of Cyber Threat Intelligence at SCYTHE added these thoughts:

The DBIR showed that threat actors continue to gain access to networks using a relatively small number of high-level techniques. Once in a network however, threat actors most often reuse the same set of post-exploitation procedures to perform system reconnaissance, privilege escalation, and lateral movement in the target environment. While organizations can’t realistically expect to keep all threat actors out of their networks, through CTI-led adversary emulation and detection engineering, they can ensure that  threat actors are detected as early in the intrusion as possible. When threat actors gain a foothold in their network, organizations should be able to ensure it never expands beyond that.

This year’s DBIR should be required reading for any enterprise as it will provide a roadmap as to how to protect your enterprise from getting pwned by hackers.

UPDATE: I have additional commentary from Artur Kane, VP of Product of GoodAccess:

Ransomware attacks are no longer limited to the large or the vulnerable. We are seeing government entities, healthcare institutions, or critical infrastructure operators fall victim to ransomware. But that is not all — small private enterprises and even individuals are finding themselves targeted. Size doesn’t matter; if you curate sensitive data, you are a candidate.

Organizations must realize that conservative cybersecurity approaches are no longer enough to keep them protected. They cannot rely on a secure perimeter to repel cyberattacks any more, because the perimeter is disappearing and move to the internet.

Many users now connect remotely, often from unsecured networks, and companies migrate their infrastructure to the cloud, which is removing critical assets outside of the trusted safe-zone and spreading them beyond the reach of legacy security solutions. Companies often do not have control over the devices that users are connecting with, nor the infrastructure they are on. 

The threat surface is simply enormous, and cybercriminals like to exploit it to gain unlawful access to internal systems and user data, often targeting unwitting users with phishing scams, spoofing attacks, or other methods to steal access credentials and infiltrate internal systems.

Once inside, there is little to stop them from doing damage or stealing sensitive data. Organizations must therefore implement security measures to tackle these threats.

Besides regular hardware and firmware updates and software patches, it is important to reduce the attack surface to minimize chances of initial intrusion. Organizations can do this by insisting on strong authentication of both users and devices, supported by multi-factor user authentication, and granting user privileges on a strictly need-to basis and allowing access only to a pool of strictly necessary systems and no further. 

This makes it more difficult for attackers to actually use the stolen credentials, and if they do succeed in penetrating the network, they do not get free access to the entire network, but only a segment, which makes it difficult for them to move laterally and escalate the attack. 

In addition, strong encryption should be employed on all connections, whether this is users, remote branches, or clouds. It is vital to conceal all company traffic from the eyes of potential attacker — they can’t steal what they can’t see.

But even with all these measures in place, compromises will happen, often through simple human error. Besides the aforementioned network segmentation by access privileges, it is also vital to have a real-time threat detection capability to expose threats in their infancy. Security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular trainings and drills.

Keeping continuous access logs can be an invaluable source of intelligence for tracing the journey of a cybercriminal through layers of security, which is vital for preventing similar attacks in the future. Also, regular backups are an absolute must, as post-breach data recovery can be very costly.

Last but not least, user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery.

Ransomware attacks can only be expected to rise in both intensity and severity, as both profit-oriented and nation-sponsored hacker groups intensify their activities amid the increase in global tensions. All organizations, both private and public, must adapt to this threat both in their own interest and in the interest of the society as a whole.”

UPDATE: Christopher Prewitt, Chief Technology Officer of MRK Technologies had this to say:

As expected credentials and phishing are the leading paths for breaches. As defenses improve, attackers have utilized credentials to walk right through the front door, even using phishing as means to acquire credentials.

As in years past, over 80% of breaches occur involve the human element. Attackers continue to target humans and their want to be helpful or can be tricked into clicking on something, opening a document, or providing their credentials to the attacker. With this, whatever we are doing for email security, it clearly isn’t working well.

Ransomware is a strong influencer to the DBIR data, where “Actor Disclosure” is over 50% for discovery method for breaches. Historically DBIR had shown that dwell time was North of 200 days. As ransoms become more common, its smash and grab effects have greatly reduced the dwell time. Ransomware attacks almost doubled year over year. Stolen credentials and phishing account for 70% of how ransomware is deployed.

With more and more investment in cloud and SaaS, it shouldn’t be surprising to see a significant increase in Basic Web Application attacks.

Supply chain isn’t only our consumer related industries. Almost all companies are reliant on a digital supply chain in order to transact, whether its with customers, suppliers, or partners. Supply chains are also a source of risk, with 90% of the supply chain incidents involve losing control of credentials or introducing ransomware.

Verizon once thought that buying Yahoo and AOL was the future. But that turned out to be fallacy as that purchase didn’t exactly go to plan. So as a result, Verizon is selling Yahoo and AOL for $5 billion to a private equity firm named Apollo Global Management:

The sale will see online media brands under the former Yahoo and AOL umbrellas like TechCrunch, Yahoo Finance and Engadget go to Apollo. Verizon bought AOL for $4.4 billion in 2015, and it bought Yahoo for $4.5 billion in 2017.

There has been increasing evidence recently that Verizon wanted to sell off its media properties and instead focus on its wireless networks and other internet provider businesses. Last year, Verizon sold HuffPost to BuzzFeed. It also recently sold off or shut down other media properties like Tumblr and Yahoo Answers.

Clearly Verizon is going to focus on it’s core business and acknowledging that it couldn’t compete with Google and Facebook. Which is interesting as their chief competitors are doubling down on media. Thus you have to assume that Verizon failed miserably. It will be interesting to see what happens in the days to come when it comes to this deal.

Privacy is a “thing” at the moment and I guess that Verizon sees that and wants to cash in on this trend by creating a privacy focused search engine via their Verizon Media division:

Verizon Media, the media and digital offshoot of telecommunications giant Verizon, has launched a “privacy-focused” search engine called OneSearch. With OneSearch, Verizon promises there will be no cookie tracking, no ad personalization, no profiling, no data-storing, and no data-sharing with advertisers.

With its default dark mode, OneSearch lets you know that Advanced Privacy Mode is activated. You can manually toggle this mode to the “off” position which returns a brighter interface, but with this setting deactivated you won’t have access to privacy features such as search-term encryption. With Advanced Privacy Mode on, links to search results will only be shareable for an hour, after which time they will “self-destruct” and return an error to anyone who clicks on it. More broadly, the OneSearch interface is clean and fairly familiar to anyone who has used a search engine before. But at its core, it promises to show the same search results to everyone given that it’s not tailored to the individual.

I had a look at the OneSearch privacy policy and it says that Verizon will store a user’s IP address, search query, and user agent on different servers so that it can’t draw correlations between a user’s specific location and the query that they’ve made. Another point is that it also says that it will monetize its new search engine through advertising. But  the advertising won’t be based on browsing history or data that personally identifies the individual it will only serve contextual advertisements based on each individual search,

Call me cynical, but I can’t see how OneSearch can call itself privacy focused. DuckDuckGo doesn’t collect or store any of your information. That’s true privacy as far as I am concerned which is why I use it and not Google, Bing, or anything else. And it’s not what Verizon is doing with OneSearch as they are collecting your information, but simply storing it in different places which nobody on the planet can consider to be privacy focused. That alone makes me gunshy about ever using this search engine. But if you want to give it a try, OneSearch is currently available on desktop and mobile web, with mobile apps coming later this month.

The first-ever shareholder vote on child sexual exploitation online received a 34-percent vote at Verizon’s annual meeting today, estimated at representing more than $50 billion in stock.

Speaking at today’s annual meeting, the proposal’s lead filer Tracey Rembert, director of Catholic Responsible Investments at CBIS, had this to say about today’s vote:

“The innovations and technologies our company is rightly proud of, have also had the unintended consequence of making it easier to commit sexual crimes against children. Email accounts, digital advertising exchanges, wireless data, cloud storage, online user content — they all help facilitate child sexexploitation. And Verizon depends upon all of them for revenues.

“Child sex abuse material is a societal problem, but it is almost entirely manifesting and growing in the ICT sector. We believe that Verizon needs to demonstrate to investors that it is properly assessing the risk to children and itself from this growing threat.”

Michael Passoff, CEO of Proxy Impact and resolution co-filer, had this to say about today’s vote:

“As technology speeds up, our kid’s safety slows down. The digital playground is not always a safe place for kids. This is an exceptional vote for a first-year resolution, it’s clear that shareholders want Verizon to be a leader in making the world safer for our children.”

The resolution was filed by CBIS, Proxy Impact, the Maryknoll Sisters, the Benedictine Sisters of Virginia, and the Sisters of St. Dominic of Caldwell, New Jersey.

Understanding Shareholder Votes:

Shareholder resolutions are non-binding and consequently do not “win” or “lose” regardless of the vote. They do have to meet U.S. Securities and Exchange Commission’s vote thresholds to be eligible to be resubmitted the next year. These thresholds (based on total For vs. Against votes) are 3% support the first year, 6% the second year and 10% the third and following years. Shareholder resolutions were designed to be a formal communication channel with management and are best assessed as how they influence management. In this sense, even modest votes can have a significant impact based on their ability to educate management and other investors to the potential risk and opportunities related to the issue being raised.

On May 2, a group of investors are presenting the first shareholder resolution to come to a vote on the growing risk of child sex exploitation online at Verizon Communications’ annual meeting in Orlando, Florida. The filers, representing faith-based and high-net-worth investors with more than $27M in shares, are calling on the largest telecom in the U.S. to increase its efforts to protect children online from sexual abuse and grooming. The investors note in the proposal that parental controls have not been enough to protect child users, and that companies like Verizon are at the intersection of a spectrum of technologies that are putting children at increased risk. The largest proxy voting advisory firm in the world, Institutional Shareholder Services, recommends support for this proposal.

Verizon’s Tumblr was proven to be sharing child sex content last November, and was kicked off of Apple’s App Store because of it. The company has also faced significant fines in 2018 related to the illegal collection and selling of child user data.

The lead filer of the proposal, CBIS, is concerned by the flood of child sex imagery and conduct occurring online. The major hotline for reporting child sex abuse in the U.S. — the National Center for Missing and Exploited Children — has reported receiving more than 45 million child sex images and videos to its Cyber Tipline in 2018.

Along with CBIS and Proxy Impact, other co-filers of the proposal include the Maryknoll Sisters, the Benedictine Sisters of Virginia, and the Sisters of St. Dominic of Caldwell, New Jersey.

The U.S. Department of Justice reports that “mobile devices have fundamentally changed the way offenders can abuse children,” and “apps on these devices can be used to target, recruit or groom, and coerce children,” or to “stream video of child sexual abuse” in real-time. INTERPOL notes that only 4,000 unique child sex images were circulating in 1995. Today, the UN Office of Drugs and Crime estimates at least 50,000 new images hitting the web each year.