After reading the 2015 Verizon Data Breach Investigations Report (DBIR), I wanted to share my thoughts from a security awareness / human behavior perspective. Before I do, a big thanks to Bob Rudis (@hrbrmstr) and the DBIR team; they did an amazing job. For those of you who are unfamiliar with the DBIR, it has become the industry standard for making data-driven decisions on security. With that said, let's jump on in.
PHISHING (p16): The first thing that popped right out for me is that phishing has its own, dedicated section. While the section does not cover anything dramatically new for those who have been in awareness for a while, the fact that it has its own section tells me management should take notice. Phishing (targeting the human) continues to be one of the top ways bad guys are getting in. One key take-away for me was this: "The median time-to-first-click coming in at one minute, 22 seconds across all campaigns." This demonstrates the need for developing the Human Sensor: with the first click arriving that fast, the people who report the phish are often the quickest detection you have. In addition, here was a gem of a quote not to be missed: "Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments."
VULNERABILITIES (p19): "99.9% of the exploited vulnerabilities were compromised more than a year after the CVE". This means effective patching can make a huge difference; the challenge is being consistent. Contrast that with their mobile device findings on page 22: less than 1% of all mobile devices are infected. Lesson learned for what we should be teaching people: patch your computers, and for your smartphone, the bigger risk is losing the device, not malware. My favorite quote from this section was "A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild."
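One way to turn those two findings (most exploitation happens more than a year after the CVE, and a public Metasploit module is the best predictor) into a patch-prioritization rule, as an added example that is not from the DBIR or this post. The inventory, the CVE-0000-* identifiers and the dates are constructed placeholders, not real vulnerabilities; the tiering itself is an assumption about how a team might rank its open findings:

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    cve: str             # placeholder identifier, not a real CVE
    published: date      # date the CVE was published
    in_metasploit: bool  # a public Metasploit module exists for it
    patched: bool        # whether the fix has been applied on this host


# Constructed inventory: IDs and dates are made up for the example.
TODAY = date(2015, 4, 15)
FINDINGS = [
    Finding("CVE-0000-0001", date(2013, 6, 1), in_metasploit=True, patched=False),
    Finding("CVE-0000-0002", date(2015, 2, 1), in_metasploit=True, patched=False),
    Finding("CVE-0000-0003", date(2012, 1, 10), in_metasploit=False, patched=False),
    Finding("CVE-0000-0004", date(2015, 3, 1), in_metasploit=False, patched=False),
    Finding("CVE-0000-0005", date(2014, 1, 1), in_metasploit=True, patched=True),
]


def age_days(f: Finding, today: date = TODAY) -> int:
    """Days since the CVE was published."""
    return (today - f.published).days


def priority(f: Finding, today: date = TODAY) -> int:
    """Lower number means fix first (assumed tiering, not the DBIR's).
    0: public exploit module AND more than a year old
    1: public exploit module
    2: more than a year old
    3: everything else
    """
    weaponized = f.in_metasploit
    stale = age_days(f, today) > 365
    if weaponized and stale:
        return 0
    if weaponized:
        return 1
    if stale:
        return 2
    return 3


def triage(findings: Iterable[Finding], today: date = TODAY) -> List[Finding]:
    """Open (unpatched) findings, most urgent first; ties broken by age."""
    open_findings = [f for f in findings if not f.patched]
    return sorted(open_findings, key=lambda f: (priority(f, today), -age_days(f, today)))


def patch_coverage(findings: Iterable[Finding]) -> float:
    """Fraction of findings already patched: the 'consistency' number."""
    findings = list(findings)
    return sum(f.patched for f in findings) / len(findings) if findings else 1.0


def oldest_open(findings: Iterable[Finding], today: date = TODAY) -> Optional[Finding]:
    """The unpatched CVE that has been exposed the longest, or None."""
    open_findings = [f for f in findings if not f.patched]
    return max(open_findings, key=lambda f: age_days(f, today), default=None)


if __name__ == "__main__":
    for f in triage(FINDINGS):
        tag = "metasploit" if f.in_metasploit else ""
        print(priority(f), f.cve, f"{age_days(f)}d old", tag)
    print(f"patch coverage: {patch_coverage(FINDINGS):.0%}")
    print("oldest open:", oldest_open(FINDINGS).cve)
```

The ordering is the point: a year-old CVE with a public module goes to the top regardless of its CVSS score, and the coverage and oldest-open numbers are the ones to track week over week if consistency is what you are trying to fix.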
MALWARE (p26): While not directly related to human security, I loved this quote. "Consistent with some other recent vendor reports, we found that 70% to 90% (depending on the source and organization) of malware samples are unique to a single organization. Receiving a never-before-seen piece of malware doesn't mean it was an "advanced" or "targeted" attack. It's kinda cool to think they handcrafted a highly custom program just for you, but it's just not true." In other words, signature-based AV on its own is truly and officially dead (shocking, I know): if most samples are unique to one organization, a signature written after the first sighting will never match what the next organization receives.
INDUSTRY PROFILES (p28): The key takeaway from this section is that data sharing should not be limited to one industry type but done across different industries facing the same threats. Oddly enough, we are seeing the very same thing in the security awareness community. In the past we tried to coordinate our community by industry. However, we have learned that information sharing is far more effective when organized around common, shared problems (phishing, metrics, engagement, management support, etc.).
IMPACT (p31): While not directly related to human security, I found the costs section fascinating. The DBIR smashes the perception of the average cost of a data breach: the simple average they computed was 58 cents per record. The key finding for me was not so much the average cost, but the fact that the more records you have compromised (millions vs. thousands), the lower the cost per record (Figure 23 captures this perfectly).
INCIDENT CLASSIFICATION PATTERNS (p36): Figure 24 is very powerful. To quote the DBIR, "It may not be obvious at first glance, but the common denominator across the top four patterns— accounting for nearly 90% of all incidents—is people." For those of you looking for a nice chart on which threats your organization should focus on, Figure 29 on p38 is where you want to go. Interestingly enough, they point out that not a lot has changed from last year.
INSIDER MISUSE (p50): This category combines those who cause harm with malicious intent and those who cause harm simply because they wanted to bypass controls. Privilege abuse was the most common action (55%). Most organizations I know of, though, focus their privilege abuse efforts on IT. According to the DBIR, IT represents just 1.6% of that abuse, while common end users represent over 37% (Figure 38). Looks like we have been focusing our privilege abuse training on the wrong target group.
CYBER ESPIONAGE (p58): No major surprises here. Over 75% of APT incidents used phishing as the attack vector. What I thought was interesting was the split between malicious links and malicious attachments; see Figure 41 for the breakdown.
WRAP-UP (p59): The DBIR wraps things up with this key quote. "Even with a detailed technical report, the actual root cause typically boils down to process and human decision making." Overall the findings were not dramatically different than last year's report. This I feel is a good thing. It shows both our community and this report are beginning to mature. Perhaps we have a better idea of what is coming, and can begin looking at longer term trends. Once again, a big thanks to the amazing DBIR team, they rock.