Verizon DBIR - Great Action Items for Awareness Programs

I finished reviewing the new Verizon DBIR (Data Breach Investigations Report).  I think this is their best yet.  If you are unfamiliar with this report, its the most comprehensive analysis of what the bad guys are doing each year.  This years analysis is based on data from 95 countries, 1,367 confirmed breaches and 63,437 incidents.  There is some amazing content to help you better focus your awareness program, I recommend you download a copy and spend some time reading it.  For a technical report, this is also surprisingly easy (and fun) to read.  Below is what stood out for me from a security awareness / behavior change perspective.

1. FIGURE 19:  If you are short on time, skip the details and go straight to page 15 where you will find Figure19.  Then, look for your industry in the far left column. You will then be able to identify the greatest risks (Verizon calls it incident classification patterns) to your organization.  In SANS MGT433 there is a lab that has you identify the top ten human risks to your organization.  This is one of the best sources I’ve found that helps you do just that.
2. POS: The first incident classification pattern Verizon identifies is POS Intrusions.  My top take aways for POS security awareness programs is focus on people understanding and using strong passwords and train people to not use POS systems for any personal/social use.  Nothing shocking here, but good to have the data to back these points up.
3. PHYSICAL THEFT / LOSS: This incident classification pattern is, as you may expect, about people losing devices/data or having it stolen.   The key take-away from here is the quote "Losing information assets happens way more than theft, by a 15-to-1 difference". In other words, most awareness programs are teaching the wrong thing by focusing on just theft.  Instead of training employees to watch out for bad guys stealing their stuff, we should be teaching employees to do a  ‘device check’ after security screening at airports, returning car rentals, leaving an airplane or checking out of hotel rooms.  Regardless if a device is lost or stolen, FDE (Full Disk Encryption) is always your friend.
4. MISCELLANEOUS ERRORS:  I'm so glad the Verizon team added this.  A large number of incidents (and breaches) are caused by people simply making mistakes. The biggest risk?  To quote "Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure."  In other words, yes phishing is a big risk, but when talking about email we should also cover the dangers of email auto-complete when filling out the TO header.  Also interesting was failure for proper data disposal which was 3rd in the list.  How many of your employees have no idea that a copier machine has hard drives, or feel that once you delete data, it is gone?
5. CRIMEWARE / MALWARE : For malware, the primary attack vector is Web drive-by/download (81%).  Email links/attachments (i.e. phishing) represent only 9% of infection vectors.  This implies most phishing attacks(at least effective ones) are the attack vector for APT/Espionage attackers, not standard criminals. The best defense against malware?  Keep browsers up-to-date and disable java, which we blogged about last week.
6. CYBER-ESPIONAGE: I thought this quote was very telling.  “...insofar as we can determine from the data before us, however, size doesn’t seem to be a significant targeting factor. industry, on the other hand, does:”.  In other words when it comes to APT, size is not the determining factor, your industry is.  In addition, it looks like spear phishing may slowly be replaced.  Another quote "The proportion of espionage incidents incorporating phishing is lower than our last report (it was 95%), but not because of a drop in actual frequency. This is primarily due to a big increase in the use of strategic web compromises (SWCs) as a method of gaining initial access.”  NOTE: What many of us call a water-whole attack Verizon calls a SWC.
7. EVERYTHING ELSE: This is for incidents where there is not enough data to truly classify it.  There is some great data here from ThreatSim folks concerning phishing attacks.  A key metric, people are 3x as likely to click on a link as opposed to opening an attachment (p47).

Finally, once again the Human Sensor comes to play.    My favorite quote from the report is on p42.  “Over the years we have done this research, users have discovered more breaches than any other internal process or technology. it’s not all about prevention; arm them with the knowledge and skills they need to recognize and report potential incidents quickly.” In other words, if you want to improve your detection and response capabilities, be sure to include people and not just technology.