I love the Verizon DBIR. It's an amazing, free resource that helps you make data-driven decisions on how to manage your organization's risk. Just like in their 2015 and 2014 reports, I find the most useful section to be the categorization of breaches by industry. For this year's report that is Figure 22, and it is where we are going to focus. The best way to leverage Figure 22 is to find your industry in the far right column, then look at the different categories in your row. Each category lists the percentage of breaches for your industry. Whichever categories have the largest percentages are where your industry is feeling the greatest pain. After reading through the report several times (and some wonderful chats with some major data crunching experts) I came to a startling conclusion: almost all the breaches are human related. Seriously. Let's take a look at each of the nine categories and see how security (and breaches) are ultimately about people.
- WebApps: Let's start with the big one. As you can see in Figure 22 (and in Figure 18 to the right), WebApps is by far the biggest category, affecting almost every industry and representing 40% of all the recorded breaches. At first you would think this is a developer issue, that WebApp attacks like SQL Injection or CSS abound. But do a deeper dive and you find out that is not the case. Based on Figure 24 and n=879, we see that 817 of the breaches were actually the result of stolen credentials obtained by social means, primarily phishing. That means over 90% of the WebApp breaches were the result of an attacker getting people's credentials via phishing, then logging into the WebApp with the stolen credentials.
- Privilege Misuse: Moving to the next column, we have Privilege Misuse, which is primarily insider threats. This category is 100% about people; you can see the full breakdown of the actual incidents in Figure 29. There are two interesting learning points in this section. The first is that Privilege Misuse / Insider incidents took the longest of all nine categories to detect. The second is that only a small percentage of the insiders were in leadership positions (14%) or in privileged positions such as IT admin (14%). Lesson learned: anyone can be an insider.
- Misc Errors: This one was the third largest cause of breaches. Like Privilege Misuse, Misc Errors is 100% people. However, unlike Privilege Misuse, Misc Errors is all about good people making honest mistakes. These breaches (called accidental data disclosures) are not intentional. Think of things like emailing sensitive data to the wrong person or posting data on the wrong server (oh, you mean that server is public facing?).
- Stolen / Lost Assets: This is another category that is all about people. The most interesting data point in this category is that people are 100 times more likely to lose something than to have it stolen. This means that instead of teaching employees to be on the constant lookout for a thief, organizations should actually focus on making sure employees check that they have their laptop when they get off the bus, leave a taxi or go through airport security.
- Crimeware: The DBIR defines this as any incident involving malware that did not fit into a more specific pattern. Think of cyber criminals targeting consumers, or targets of opportunity. In Figure 34 they break down the attack vectors for 135 breaches, identifying that 102 of them, or 75%, are human related.
- Cyber Espionage: Figure 40 has it all here. Based on 154 attacks, 81 are confirmed as getting in first through the human. Add another 19 if you count stolen credentials, which were most likely stolen via a keystroke logger. Put them together and you get 65% that started with the human.
- Point-of-Sale Intrusions: This is where the bad guys break into an organization's credit card system and either suck the cards from the actual POS (RAM scraper) or suck the cards off the processing network. This category eluded me, as there was no breakdown of how the bad guys were gaining access to these systems. So I reached out to the Verizon DBIR team for more data and they shared everything they had (the Verizon DBIR team rocks, by the way!). It turns out 94% of the POS breaches were credential related; in other words, the bad guys used legitimate passwords to get into the POS system. Over 50% of these were brute force related (in other words, the POS had poor passwords) and over 40% were based on compromised credentials. Unfortunately we do not know how those credentials were compromised, but if the WebApp category is any guide, we can assume a large percentage were human related.
- Everything Else: Of the nine categories, I found this one the most confusing to decode. As the name implies, this is where a breach goes if it does not fit into the other eight categories. The description states that the vast majority of these breaches are phishing or CEO Fraud related, once again emphasizing employee-targeted attacks. However, Figure 44 shows that 62% of the breaches were 'hacking' related and 35% were social related. I'm not sure if that 35% is all of the phishing or CEO Fraud described in the description, or some other breakdown.
- Denial of Service & Card Skimmers: These two categories were the only ones that are not about people. However, they also represent less than 4% of all breaches. For Denial of Service, only 1 of the 2,260 breaches fell under this category. Card skimmers (a hardware attack) are not only a very small percentage but are found primarily in just one industry, Finance.
As you can see, the majority of the breaches are human related. I was hoping to pin the human vector down to a specific percentage, but some of the categories make it hard to define exactly how many were human related. Long story short, the DBIR tells a fascinating story driven by data, and the data is telling us we need to stop focusing on just technology and start securing the human. To learn more about securing the human element, check out both the Security Awareness Summit and the two-day courses on building awareness programs.