As many of you know, Verizon recently released their 2013 DBIR (Data Breach Investigations Report), which analyzes 621 known, documented breaches collected from 19 organizations. There is a huge wealth of information here, and if you have time, read it. You can download it from http://www.verizonenterprise.com/DBIR/2013/ There is a lot of humor injected, which makes this report surprisingly easy to read. I read the document from a human perspective and was amazed at just how much useful information applies to the Human Element. Below are my impressions; the most important, I feel, is the last one. Read on.
- DBIR breaks attackers into 3 categories (crime, espionage, activism). When it comes to attacks based on social engineering, espionage was by far the largest category (60-70%).
- Figure 22 identifies that the human element was involved in over 80% of malware infections/compromises (see image above).
- Page 36 of the DBIR calls the human element the 'carbon layer'; love that term :)
- Page 37 identifies phishing as the top human attack vector, averaging around 80%, with in-person social engineering averaging 13% and phone social engineering 3%. The top phishing targets that DBIR was able to identify are executives/management. They then included an interesting report by ThreatSim on how many emails it takes on average for a compromise (only 8-10 emails).
- Page 41 identifies human error as only 2% of the 621 breaches they tracked. This was very interesting, as they brought up a good point. For a breach to 'count', that breach had to result in actual compromised data. The vast majority of lost or accidentally disclosed data was not counted, as it did not result in actual compromise. However, this does not take into account that organizations that lose or disclose data by accident may be required to report it, with potential fines or costs. So human error is important or not important, depending on whether you have to report data as compromised when it was accidentally lost, even though you do not know if any harm was done.
- Page 44 identifies that BYOD is not even on DBIR's radar, as they have seen so few compromises involving BYOD. This surprised me; however, they expect that to grow.
- Page 48 identifies that 75% of attacks are opportunistic, while 25% are targeted. This percentage is the same for both small and large organizations. Targeted attacks are a greater percentage than I thought.
- Page 54 identifies the Human Sensor as the most effective method for internally detecting compromise, two times more effective than a NIDS. A direct quote from the report: