Even if you’ve never read Verizon’s Data Breach Investigations Report (DBIR), you’ve been exposed to it. Among the proposals, marketing materials, and whitepapers generated by the information security industry, it’s the most cited source of statistical data and trends related to organizations’ loss of data due to security incidents.
Data breaches, defined as cyber incidents with confirmed data loss, investigated by a number of contributors are categorized and analyzed, in bulk, to come up with the charts and conclusions that start discussions and motivate action among security businesses and their clients. While there are problems with selection bias, and challenges in categorization and terminology, it’s the most comprehensive study we have available each year, and represents an ambitious undertaking.
Who consumes the report—or better yet—who analyzes the analysts? While there are sections that the C-Suite in general will immediately find useful, the document is tailored towards those who already speak the language of information security. The prose is dense with jokes and pop-culture references that speak to the stereotypical “geek”, while taking a light tone that might grate for those that have a serious “bottom-line” stake in expensive and embarrassing breaches.
Generally, the document itself is read intently by analysts in IT management roles and information security service providers, and the information is distilled into concepts and guidance that are applicable throughout the organization.
When documents like this are published, our process at HORNE Cyber is to create one or more “annotated” copies. These marked-up documents reflect our notes, draw out points of interest, and cull the things that aren’t impactful. This gives the rest of our team members the ability to quickly get up to speed, compare published information with our own observations and data, and find out how we can use it in our conversations and partnerships with clients.
Naturally, since I’m the earliest riser in the Starkville office, I took advantage of being the first into work Tuesday morning to “claim” the early-release copy of the 2016 DBIR and spend a portion of my day taking notes on it. I’d like to share with you 10 of the things I noted in my process of distilling this report down:
- Not much data is available on “Internet of Things” and mobile device-related breaches. While I agree that cell phones and tablets might not be a popular attack vector at the current time, I do wonder about “Things”. Our penetration tests have seen so much success recently with devices such as security cameras, multi-function copiers, door locks, and other embedded systems that I would have to imagine that if attackers aren’t making significant use of them now, they will be soon.
- Those with the most to lose are among the most targeted. Publicly-traded companies experience the most breaches, with financial institutions, healthcare, and manufacturing also in the top ten. Tragically, the organizations that suffer the most from loss of data are more likely to experience a breach.
- While the report downplays the threat of espionage/state-sponsored threats in parts of its text, the charts show it as being a factor in around ten percent of studied breaches. This may not sound like a large number, but to me it’s worryingly large. Such threats are usually more sophisticated and funded, and have mission-oriented goals that they’ll likely not give up on. With nation-state actors presumably being fewer in number than organized crime groups, and the higher likelihood that espionage-related breaches would be withheld from data gathering, a “1 in 10” statistic indicates to me that these threat groups have been very busy indeed.
- In recent years, breaches are more likely to be discovered first by third-parties and law enforcement than organizations’ internal staff. This can represent a significant embarrassment to the target, and reduce available options for controlling and responding to a breach on their own terms and timeline.
- New vulnerabilities are being found faster than they are being patched by vendors, but it hardly matters, since the rate at which many organizations actually apply security patches is even slower.
- Phishing attacks on average see a 13% success rate in giving attackers access, though the only statistic that matters to an attacker is that the first victims will fall for them quickly—usually less than two minutes. This allows an attacker to gain access to the target network rapidly without bombarding an entire organization with phishing emails. The statistics here match up to our observations on social engineering attacks almost perfectly. Someone will always click, which is why we emphasize the importance of internal penetration testing for our clients to “see” what real attackers are going to see.
- Web application attacks are on the rise. It has been my experience that the “depth” of attack surface in a single web application can equal or outstrip the complexity of an entire network’s attack surface outside of the web applications. Many of these applications are developed specifically for an organization and do not see the attention of mainstream vulnerability researchers. It’s critical for these systems to be examined carefully by those that specialize in finding web vulnerabilities.
- Insiders are likely to be leveraged by nation-state attackers to compromise systems and give the attackers access. Intelligence agencies are very experienced in developing human assets, and have the entire range of bribery and blackmail at their disposal in gaining access to their target. The discovery of insider attacks generally occurs months after the fact, if ever.
- Most malicious software is short-lived and the authors adapt quickly to the threat of antivirus detection. While running antivirus is an important part of keeping out less sophisticated threats, it should be only one of many layers of defense, as it’s almost trivial to bypass most malware protection.
- Compiling free-form incident data in a report like this is hard. With companies divided out by size between “small” and “large”, the vast majority were “unknown.” It can be challenging to convey trends in complex data with easily-understood charts, and even more challenging to present more advanced chart types without confusing the reader. Vulnerabilities and attacks are far too subtle in their differences to put into bins for analysis. Difficulties in categorization wind up creating incident categories for both “Everything else” and “Miscellaneous Errors”, which hurts clarity. For all its warts, however, the report is an invaluable resource, given careful analysis.
I’m sure these will be topics I write more about throughout the year (and the above only represents a fraction of the notes on our internal annotated copy), so I’m looking forward to revisiting them in more detail. You can download the full 2016 DBIR here.
It’s important to be able to take public knowledge on security issues and distill it into useful information about threats you will face. Only by understanding attacks will you be able to focus your defenses. Who gathers and analyzes knowledge and experience for your organization?
For weekly insights into cybersecurity, please sign up here: