Verizon’s annual Data Breach Investigations Report (DBIR) provides analysis of and insight into the prior year’s security incidents and confirmed data breaches. As a security practitioner, I look to this report as a bellwether for our own security practices – what patterns are emerging, and what my immediate takeaways should be to better protect my organization.
The DBIR assessed nearly 80,000 security incidents this year, two-thirds of those occurring in the US. As I reviewed this year’s data, the primary factor that jumped out at me was that people account for the majority of incidents.
“The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people.”
You might then ask: what should we focus on to help secure the humans? There are four areas that I targeted based on the new data.
Perfect Our Anti-Phishing Skills
Phishing is the pivot by which threat actors gain entrance into the network and begin their stealthy march inside it. As Dwayne Melancon points out in his review, phishing attacks are more sophisticated and overwhelming than ever for many organizations. The best way to defeat these attempts is to hone our skill at recognizing when we are being targeted.
We remind our employees often that they are all targets of phishing. But it takes more than occasional reminders for practice to become a habit. Something we might consider beyond the reminders is a war games exercise within the company, one that raises awareness and educates at the same time. We could publicize the results, trend our improvement over time, and potentially even give awards to high-performing groups. This is definitely on my radar for this year.
Proactive Steps Toward Protecting Credentials
We are reminded in the Key Takeaways that getting into our networks is often only the first step in an attack, and that there is usually a secondary victim or target. With that in mind, how can we prevent the progression of the attack if we do inadvertently hand credentials to threat actors?
“Over 95% of these [web app] incidents involve harvesting credentials from customer devices, then logging into web applications with them.”
Two considerations come to mind. First, adding a second authentication factor to your most critical services will stop threat actors in their tracks, or potentially raise the bar high enough that they quickly move on. Requiring a password and a second form of proof will go a long way toward slowing or completely stopping infiltration efforts.
Second, segment your networks. A flat network is easy to run, but it creates a jackpot for the threat actor. Take time to create “bubbles” in your network and put your most critical information there. If you already have these mechanisms in your organization, congratulations! Make sure you take time to audit them and extend them as needed.
Faster Workforce Reporting of Lost/Stolen Devices
Does everyone in your organization know what to do if their laptop or phone is stolen? Most theft is opportunistic and can happen to any of your employees. 55% of incidents happen within an employee’s work area. How will you respond?
“15% of incidents still take days to discover. Incentivize your workforce to report all incidents within a certain number of hours.”
Out of Sight, Out of Mind
IT and IT Security teams typically run fairly lean, and it seems we never have enough time or resources. Our world revolves around immediate and critical priorities that often need to be addressed within minutes or hours. It is therefore easy to forget about important work that takes more time, analysis, and thoughtful decision-making.
We tend to defer these important but less immediate tasks. When important tasks become “archived” in our minds (and this can happen to IT teams just as with any corporate group), we can lose track of key items, which can leave us open to attack.
“Ten CVEs account for almost 97% of the exploits observed in 2014.”
“The DBIR indicates that 71% of known vulnerabilities had a patch available for more than a year prior to the breach.”
The indicator for me here is: do not forget the old ones! Each week we get a new list of vulnerabilities from US-CERT. Often there are 50-100 high and medium vulnerabilities to work on, so ensuring that we promptly find time for the low vulnerabilities as well will be an important consideration in my resource choices this year.
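As an added illustration (not code from the report or this post), the following shows why a weekly queue sorted by severity quietly buries old low-severity findings, and how a second report keyed on how long a patch has been available surfaces them again. The inventory and the CVE ids are constructed placeholders, not real identifiers.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder id, constructed for this example
    severity: str          # "high", "medium" or "low"
    patch_released: date   # date the vendor fix became available


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
STALE_AFTER_DAYS = 365     # the "patch available for more than a year" threshold


def patch_age_days(finding, today):
    """Days the fix has been available but is still not applied."""
    return (today - finding.patch_released).days


def weekly_queue(findings):
    """The usual triage order: highs and mediums first, lows sink to the bottom."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def forgotten_report(findings, today):
    """Findings whose patch is over a year old, oldest first, regardless of severity.
    This is the list the severity-sorted weekly queue never gets down to."""
    stale = [f for f in findings if patch_age_days(f, today) > STALE_AFTER_DAYS]
    return sorted(stale, key=lambda f: patch_age_days(f, today), reverse=True)


def stale_share(findings, today):
    """Fraction of open findings whose patch has been available for over a year."""
    if not findings:
        return 0.0
    return len(forgotten_report(findings, today)) / len(findings)


# Constructed sample inventory of open findings.
SAMPLE = [
    Finding("CVE-0000-0001", "high",   date(2015, 5, 20)),
    Finding("CVE-0000-0002", "low",    date(2013, 4, 1)),
    Finding("CVE-0000-0003", "medium", date(2014, 3, 15)),
    Finding("CVE-0000-0004", "low",    date(2015, 4, 1)),
    Finding("CVE-0000-0005", "high",   date(2014, 1, 10)),
]

if __name__ == "__main__":
    today = date(2015, 6, 1)
    print("weekly queue:", [f.cve for f in weekly_queue(SAMPLE)])
    print("forgotten:", [(f.cve, patch_age_days(f, today)) for f in forgotten_report(SAMPLE, today)])
    print(f"share with year-old patches: {stale_share(SAMPLE, today):.0%}")
```

The low-severity item with the oldest available patch sits last in the weekly queue but first in the forgotten report, which is the list worth reviewing when resources are allocated.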
Many security practitioners find themselves struggling to balance a lean team with the many demands that come with a strong security posture. The 2015 Verizon DBIR certainly helps IT Security practitioners focus on the trends and patterns in emerging threats that are most likely to affect our environments, allowing us to get ahead of them and reduce our exposure.
Thanks for the insights, Verizon. To summarize, a few takeaways for the IT Security practitioner:
- Educate the workforce on phishing characteristics;
- Require authentication that proves we are who we say we are;
- Request timely reporting (hours, not days) of lost corporate assets;
- Remind our IT teams of older vulnerabilities to ensure we’re as current as we can be with patch maintenance.
These practices will be high on my list this year. How about you?