
Verizon DBIR puts security burden on users

The 2018 Verizon Data Breach Investigations Report (DBIR), the 11th annual exhaustive collection of good advice and (mostly) bad news, dropped a couple of weeks ago and doesn’t contain any major surprises about the state of online security.

The number of confirmed breaches—at least the ones reported by 67 contributors globally—was 2,216, among 53,308 “real-world incidents.” In 2014 it was 1,367. Obviously the overall trend is in the wrong direction.

And the advice for users on how to avoid being part of that trend is no surprise either—it is, essentially, to practice what are now well-known security basics like patching, encryption, and multifactor authentication.

But this advice does appear to be incomplete. It puts virtually all the burden of better security on users—individuals and organizations—without much reference to those who develop and build the software that runs their online infrastructure.

Andrew van der Stock, senior principal consultant with Synopsys Software Integrity Group, said reversing the trend will also require software developers to build security into their products, from concept to design and throughout the life cycle.

He noted that the number and impact of breaches continue to rise, “despite years of asking people to do the bare minimum to avoid negligence.”

“This report demonstrates yet again, with hard metrics, that patching and monitoring systems, while useful, is not reducing the overall number and severity of breaches.”

“As an industry, we must build security, privacy, and trust into our designs, our acquisitions, and interactions with partners and the public,” he said.

The DBIR found that most of the successful attack methods are familiar: stolen credentials, RAM scraper malware, phishing, and privilege abuse. However, as criminals have learned, you don’t have to steal data to make money—you can just hold it hostage.

Ransomware, which didn’t even appear in the DBIR until 2013, went from the fifth most common type of malware attack last year to first place this year, showing up in 39% of security incidents that involved malware.

That wouldn’t surprise anyone who has read the headlines over the past year. Ransomware is common in large measure because it is easy and profitable. It is the everyman attack tool.

As the executive summary put it, “It’s easy to deploy and can be very effective—you don’t have to be a master criminal; off-the-shelf toolkits allow any amateur to create and deploy ransomware in a matter of minutes. There’s little risk or cost involved and there’s no need to monetize stolen data.”

But the report also noted a more ominous trend—attackers are moving from targeting individuals to targeting file servers and databases, especially in industries like healthcare and education, since “they can do much more damage, and make much more money.”

The infamous WannaCry ransomware attack, which temporarily paralyzed more than 80 hospitals in the United States, the U.K., and Canada, is just one of the more high-profile examples of that.

There were pockets of good, or at least not entirely bad, news. Breaches motivated by espionage declined not just as a percentage of the total but in raw numbers as well, from 292 to 171 during the 12 months covered by the report—November 2016 through October 2017.

The findings on phishing were encouraging at one level—78% of people didn’t fall for a single phishing attack during the report’s time period. But that was offset by the reality that in the average phishing campaign, 4% of recipients are still taking the bait. “And incredibly, the more phishing emails someone has clicked, the more likely they are to do so again,” the report said.

The motives for attacks haven’t changed much either—the majority (76%) of attackers are after “cold, hard cash.” Predictably, more than half of the attacks were by organized criminal gangs, while only 12% involved nation-state or state-affiliated actors.

And as has been the case in past years, they aren’t necessarily after the megacorporations with multiple billions of dollars.

“Most attacks are opportunistic and target not the wealthy or famous, but the unprepared,” the report said.

The report also found that the public, healthcare, and information sectors were the most popular targets. But the public sector, at least statistically, was more resilient than the others. While that sector logged 22,788 incidents—more than a third of the total—only 304 of them resulted in a breach. Healthcare came off much worse—750 incidents resulted in 536 breaches. The information sector had 1,040 incidents, with 109 actual breaches.

Finally, the advice to individuals and organizations remains much the same, because security fundamentals for users remain much the same. Nothing will make you bulletproof, but you can make yourself a much more difficult target—and most attackers are looking for the easiest target possible.

Among the recommendations:

  • Be vigilant so you’ll detect a breach before law enforcement or a customer does. Use log files and change management systems.
  • Teach security awareness. Make sure your employees understand how important cyber security is to your brand, and therefore your bottom line. Teach them how to spot the signs of an attack and how to react.
  • Implement least-privilege principles. Limit data access to those who need it to do their jobs. Have processes in place to revoke it if they no longer need it.
  • Patch, patch, patch—promptly. Don’t let cyber criminals exploit known vulnerabilities by failing to keep your antivirus software up-to-date.
  • Encrypt, encrypt, encrypt. Even if you practice good security hygiene, you are likely to get breached sometime. But if your data is encrypted, it is useless if it is stolen.
  • Use two-factor, or stronger, authentication. Phishing remains remarkably effective. And employees make mistakes. Multifactor authentication can limit the damage that can be done if credentials are lost or stolen.

But that advice, while useful, still leaves a gaping hole that just about any organization could fill to become much more resilient—better software security.

Van der Stock said the public has a right to expect that their private and sensitive personal data is safe from malicious disclosure and abuse—the kinds of things illustrated by the Equifax breach and the recently revealed Facebook data “sharing” scandal.

“The only way to truly honor their trust is to ensure that systems are resilient against bulk data breaches, which requires a secure-by-design mind-set from the outset,” van der Stock said. “It is very costly if not impossible to do it after the system has been launched.”
