Reading between the lines -- Verizon 2015 Data Breach Investigations Report
The annual Verizon 2015 Data Breach Investigations Report was just released, and many in the IT world are already finding the information disturbing, in part because Verizon's conclusions appear difficult to remediate. If you study the report closely, however, you will see there's some good news about improving your information security posture more easily.
I have been immersed in the world of information technology for more than 30 years now, and am constantly amazed at how little has changed. We still seem to approach any significant issues by "throwing money at them." If you read the Verizon report in detail, however, you will come away convinced of a distinctly different approach -- one based on fundamentals, rather than expensive technology. I am not suggesting that the growing body of technology products are not good or useful, but I am suggesting that they are never a substitute for covering the basics.
Phishing is a major and growing problem -- As with 3 day old grouper, phishing smells badly, and gets worse every day. Verizon reports that this approach accounts for 20% of recorded incidents. Given the recent publicity about POS terminal attacks and foreign governments' alleged involvement in attacks, phishing quickly gets forgotten. It probably forms the basis for many of the well-publicized breaches. That is not surprising, given that, according to Verizon, "a campaign of 10 emails yields a greater than 90% chance that at least one person will become the criminal's prey." That should astound readers, because given my personnel experience, phishing is not high on the list of worry items for IT leaders.
Vulnerabilities age well -- It seems that 99.9% of vulnerability exploits happen more than a year after the vulnerability was disclosed. What is more convicting, however, is the fact that during the 2014 study period, 97% of exploits were from a list of just 10 published vulnerabilities. Ouch. This means that a little effort focused on patch management would have yielded major positive results.
Mobile is not as big a part of the problem as we might be led to believe -- Mobile device exploits make up a small percentage of recorded incidents. The importance of diligence in this area cannot be overlooked because of the low statistics. Computerworld reported in late 2014 that smartphone sales were expected to be anemic in the coming years due to market saturation. Sales will be primarily from upgrades, which involve new hardware, new software, and likely new vulnerabilities. Further complicating mobile security is the fact the malware elements are very transient -- Verizon reported 95% of mobile malware items did not persist more than a month, soon to be replaced by something new.
The rumors of the death of anti-virus software are greatly exaggerated, BUT it needs to be reinvented -- The issue is that most such products are signature-based. They look for known sequences in transferred information, and block those known to be associated with malware. The issue is that the signature for a given malware element can be quickly and easily changed -- far more quickly than anti-virus vendors can adapt to the changes. Anti-virus packages need to continue to evolve new capabilities that extend beyond signatures.
Insider incidents usually involve privilege abuse -- Verizon reported that 55% of insider incidents involved abuse of privileges. I did not find this surprising at all, and in practice, I have seen many organizations that just grant broad privileges to avoid the effort of applying proper granularity.
So, we now have an idea of the subtext in the Verizon report, and all of us who read it should be a bit scared. There is definitely a silver lining to the cloud of information security threats, however. It seems that we can address a large part of the risk using very straightforward methodologies. Not many are likely to find these surprising, and yet, few organizations implement them well.
Employee awareness is key -- While major improvements in malware filtering have been made, malware still gets through via email. The only way to combat this is employee awareness, achieved most easily through regular, in-person training, (even more effective with door prizes and food!).
Patch those systems -- Consider how many of the incidents recorded in the Verizon report would not have happened if just 10 patches been applied to all systems. I recognize that with the number of systems in an organization growing at a rapid rate, this is hard to track. If you want to throw money at the problem, start with a good patch management product.
Don't give up on anti-virus software -- This software still has a clear value, but IT managers need to monitor the market closely, and adopt new products as technology evolves.
Reduce and control privileges -- Early in my security career, a major computer vendor included a pithy saying in their literature: "Stinginess with privilege is kindness in disguise." This could not possibly be more true today.
If you are considering a major expenditure on security hardware and software, make sure you cover the fundamentals listed above FIRST. You may just save yourself some money and pain.