Wednesday, April 15, 2015

Much Ado about the Verizon Data Breach Incident Report
// A Collection of Bromides on Infrastructure

It's that time of the year again! No, not Tax Day: the release of the Verizon Data Breach Incident Report, which provides analysis of more than 79,000 security incidents and 21,000 breaches. The report itself is 70 pages long, and you can take the time to review it for yourself here.

Here are some high-level statistics that you may find interesting:

  • On average, across all organizations, five malware events occur every second. Of course, this may occur in spikes and some organizations will experience a much lower volume while others experience a much higher volume.
  • 70-90 percent of malware samples are unique to the organization they attack, rendering signature-based detection irrelevant.
  • 75 percent of attacks spread from victim zero to victim one in less than 24 hours, again rendering signature-based detection irrelevant. In fact, the vast majority of attacks only exist for 24 hours…hardly enough time for malware researchers to create and disseminate the signatures to prevent them.

To quote the report:

"Criminals haven't been blind to the signature and hash matching techniques used by antivirus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior."

One common theme throughout the report is that five sectors are being attacked more than any other. Government agencies reported 303 instances of data loss and an astronomical 50,000 security incidents. Financial services reported 277 instances of data loss and 642 security incidents. Technology companies reported 95 instances of data loss and 1,496 security incidents. Manufacturing reported 235 instances of data loss and 525 security incidents. Retail reported 164 instances of data loss and 523 security incidents.

Logically, these sectors are being attacked more than others because they hold the most valuable information. Financial services and retail maintain bank accounts and credit card numbers. Manufacturing and technology hold intellectual property. Government agencies retain state secrets. Clearly, cyber criminals follow the money, which is why it is so important to change the economics of cyber security.

In the same way that each of these sectors is attacked for the unique information it contains, there are three demographics of actors in cyber-attacks that each prefer unique attack vectors. Activists (or hacktivists) prefer to attack Web applications 61% of the time. Organized crime prefers to use malware (or crimeware) in 73 percent of its attacks. State-sponsored attacks default to cyber-espionage in 97% of attacks.

It is interesting to note that as the sophistication of the actor increases from activist to criminal to state-sponsored agent, so too does the sophistication of their attack increase from Web application disruption to malicious attacks to advanced persistent threats.

Many organizations may be inclined to dismiss concerns about cyber-espionage, but ultimately cyber-attacks have more in common than not. The Verizon report mentions that historically 71% of known vulnerabilities had a patch available for more than a year before a breach.

This demonstrates the challenge of patching vulnerable machines (something I have written about before). Security teams and operations teams often find themselves at odds. A poorly implemented patch can cause more harm than good, yet waiting to implement a patch leaves an organization vulnerable to attack.

The Verizon report underscores this dilemma, since just 10 CVEs accounted for 97% of exploits. Clearly, information security teams should prioritize implementing critical patches to make these attacks more difficult for attackers. And yet, some of the CVEs stretch back more than a decade, to 1999. There is no silver bullet when it comes to patching (unless you consider an isolation-based solution like Bromium that proactively protects vulnerable machines).

One last trend that I would like to highlight in the Verizon report is phishing. Verizon found that two-thirds of cyber-espionage attacks during the past two years have utilized phishing. Additionally, Verizon found that 23% of end users will open phishing emails. Finally, a phishing campaign of just 10 emails has a 90 percent chance of compromise.
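To see why a 23% open rate turns a 10-email campaign into a roughly 90% bet, here is an added Python example (not from the post or the Verizon report) that models each recipient as an independent 23% chance to open, and inverts the same formula to show what awareness training would have to achieve; the independence assumption is mine, not the report's.

```python
import math

# Figures quoted in the post: 23% of end users open phishing emails, and a
# campaign of 10 emails is said to carry about a 90% chance of compromise.
OPEN_RATE = 0.23
CAMPAIGN_SIZE = 10


def p_at_least_one(n, p):
    """Probability that at least one of n recipients opens the email.

    Modelling assumption (added here, not from the report): each recipient
    opens independently with probability p, so the campaign fails only when
    every single recipient ignores it, which happens with probability (1-p)^n.
    """
    if n < 0 or not 0.0 <= p <= 1.0:
        raise ValueError("n must be non-negative and p must lie in [0, 1]")
    return 1.0 - (1.0 - p) ** n


def emails_needed(target, p):
    """Smallest campaign size whose success probability reaches `target`.

    Counts upward rather than using ceil(log(1-target)/log(1-p)) so that
    floating-point rounding cannot return an n that falls just short.
    """
    if not 0.0 < target < 1.0 or not 0.0 < p < 1.0:
        raise ValueError("target and p must lie strictly between 0 and 1")
    n = 1
    while p_at_least_one(n, p) < target:
        n += 1
    return n


def max_open_rate(n, target):
    """Largest per-recipient open rate that keeps an n-email campaign's
    success probability at or below `target` (the defender's view: the open
    rate that awareness training must push users below)."""
    if n <= 0 or not 0.0 <= target < 1.0:
        raise ValueError("n must be positive and target must lie in [0, 1)")
    return 1.0 - (1.0 - target) ** (1.0 / n)


if __name__ == "__main__":
    p10 = p_at_least_one(CAMPAIGN_SIZE, OPEN_RATE)
    print(f"10 emails at a 23% open rate: {p10:.1%} chance someone opens")
    print(f"Emails needed for a 90% chance: {emails_needed(0.9, OPEN_RATE)}")
    print(f"Open rate that makes 10 emails a coin flip: "
          f"{max_open_rate(CAMPAIGN_SIZE, 0.5):.1%}")
```

Under this model the 90% figure falls out of the 23% open rate alone, and cutting the campaign's odds to even money would require users to open fewer than roughly 7 in 100 phishing emails.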

This resonates very closely with recent research conducted by Bromium, which determined that 23% of information security professionals believe that end user behavior with email introduces the most risk.

The Verizon report highlights the problem with end users:

"It may not be obvious at first glance, but the common denominator across the top four patterns—accounting for nearly 90% of all incidents—is people. Whether it's goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns."

Ultimately, end users remain the weakest link in the information security chain, which is why Bromium is committed to restoring trust in end user computing.
