Verizon's 2014 Data Breach Investigations Report (DBIR) is here. I love it because each year the DBIR not only provides good insight into what's taking place before our eyes but also reaffirms my philosophy about information security: that most security risks originate from a relatively small number of vulnerabilities. I call these the silly and mostly senseless low-hanging fruit.
The 2014 DBIR gathered information from 50 contributing organizations on 63,437 security incidents in 95 countries around the globe, so there's a nice spread of results. Here are a few of the more interesting findings:
- Businesses both large and small across every imaginable industry were affected, disputing the common claims of “we're not a target” or “we don't have anything of value”.
(The number of security incidents by victim industry and organization, 2013 dataset – DBIR Page 6, Figure 2)
- Of the 63,437 incidents analyzed, a relatively small number (1,367) had confirmed data loss, that is, as far as the contributing organizations know. I believe the majority of organizations are woefully unprepared to truly detect and confirm the details of most breaches. Of the breaches that are confirmed, how many are actually getting reported? I suspect a minority of them.
(Number of security incidents with confirmed data loss by victim industry and organization size, 2013 dataset – DBIR Page 6, Figure 3)
- The top 10 threat actions for 2013 are related to people (e.g. stolen or weak passwords and phishing) and malware. Looking for where to focus your security efforts in the coming year? These two areas are a great place to start.
(Top 20 varieties of threat actions over time – DBIR Page 10, Figure 9)
- Web app attacks are on the rise, making up 35% of all confirmed breaches. This finding mirrors what I see in my own work: increasing numbers of Web vulnerabilities in any given website or application. As with any other opportunity for ill-gotten gains, when the criminals see flaws they're going to pounce, and the more flaws the better for them.
(Frequency of incident classification patterns – DBIR Page 14, Figure 16)
The DBIR contains a set of recommendations for each incident classification pattern, and there's really nothing new in them. The formula for ridding your network of the basic security flaws that are continually being exploited remains the same: 1) know what you've got, 2) understand how it's at risk, and 3) do something about it. Besides a few tweaks here and there, no major change of course will be necessary, at least for the next decade or two.
The problem is that too many people are implementing policies and technologies (usually because that's what their auditors and vendors are pushing) without ever really determining where they're weak. The proven home runs in security, the known wins, are boring, and many people would rather take a different approach. The grass is always greener there.
The choice is yours: chase the more interesting minutiae or fix the fixable that's causing the real problems as outlined in the DBIR. It doesn't have to be that hard – unless you want it that way. Listen to what the DBIR is saying. Read over it and share with management the areas that are applicable to your business. Outside of good communication skills and relationship building, there's hardly a better way to make the case for security than using the information contained in this year's report.
Do your part and we can slowly turn the DBIR findings into something more compelling – new news about security issues that we haven't yet thought of or found a solution for.