The 2017 Data Breach Investigations Report is out. Verizon Enterprise Solutions performs a service to the community by publishing this report every year. It is one of the most comprehensive reports of its type that I have ever seen. This year’s compilation covered 42,068 incidents and 1,935 breaches.
I advise you to visit http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ and download the entire report, but I wanted to pull out one or two highlights that make me hopeful about the cyber security problem.
Almost three quarters of breaches (73%) were financially motivated. Another 20% were driven by espionage. The remaining 7%, according to the report’s authors, were driven by FIG, an expression that stands for fun, ideology, and grudge. (One of the reasons I look forward to this report every year is that of all my cyber security reading, this report conveys the information with the most style and imagination.) To the extent you can easily tell whether your organization might be a target of FIG or espionage (the Democratic National Committee, for example), understanding that the bad guys are in it for the money can give you some guidance in apportioning your security efforts.
Another highlightable point: the researchers found that three quarters of breaches (75%) are perpetrated by outsiders and one quarter (25%) by insiders. That means if your business suffers a breach, it’s three times more likely to be coming from outside than inside. I have warned you in the past about the insider threat. A survey from about a year ago showed that 93% of executives believe their organizations are vulnerable to insider attack. So it’s sort of good news that insider attacks are still a fairly infrequent threat. Insider threats can be more dangerous than attacks from outside. They are more difficult to defend against technically, and since they are often perpetrated by actors who know your system well, they may be harder to detect.
Fortunately, insider threats can also be minimized by good management. There are two sources of insider threat: employee cluelessness and employee alienation. You can protect against cluelessness through training, using a program such as Logical Operations’ CyberSAFE. You can help protect against alienation by making employee job satisfaction a management goal. Employees with high job satisfaction don’t generally sabotage their employers.
The report sorts breaches into nine patterns. In order of prevalence: web app attacks, cyber espionage, privilege misuse, miscellaneous errors, point of sale, everything else, payment card skimmers, physical theft and loss, crimeware, and denial of service. I was interested to see that crimeware, which includes ransomware, was the second least common pattern in actual data breaches. It was, however, the third most common pattern among incidents (after denial of service and privilege misuse).
Ransomware has become a growth industry, but it is thankfully still only a minor source of actual breaches. And the Data Breach Investigations Report has some good news about it:
“When we look at our non-incident data (malware detonations—a sample of 50 million on-the-wire detections), over 99% of malware is sent by either email or web server. This means it’s coming through your mail server or web proxy where you can take steps to squash it.”
Put your Cybersec First Responder team on it. Then go have a look at the report. It’s a good snapshot of the current threat landscape.