This week Verizon released the 2013 edition of the Data Breach Investigations Report (DBIR). The DBIR has been adding data sources over the last five years, and this year’s report contains 641 confirmed breach incidents collected from 19 participating partners. The data allows Verizon to draw important conclusions as to the most common threats in the wild.
For me personally, the most important findings from the DBIR this year are:
First, the report documents an almost unbelievable efficiency of e-mail as an infection vector. Data from Verizon’s partner ThreatSim shows that sending only six e-mails to an organization is sufficient to reach a click certainty of 80%, i.e. an 80% chance that at least one recipient clicks.
The report also suggests how to counter this particular threat by working on all involved levels:
- Education: train users on the mechanics of these attacks to lower the percentage of clicks on links, even in well-crafted e-mails
- Hardening: update browsers and plug-ins to prevent exploits through known vulnerabilities when a user does click through
- Segmentation: keep machines on the network segregated in small groups (ideally by themselves) to minimize damage through lateral exploitation. Include network monitoring for detection of command-and-control communication and data exfiltration.
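To make the ThreatSim figure tangible, here is an added example (not from the report or the post) that models each recipient as an independent trial with click probability p. Under that assumption, six e-mails reaching 80% certainty implies a per-recipient click rate of roughly 23.5%, and the same model shows how much harder the attacker's job gets once training lowers p.

```python
import math


def prob_at_least_one_click(p: float, n_emails: int) -> float:
    """Probability that at least one of n independent recipients clicks.

    Assumes each recipient clicks with the same probability p (an
    assumption of this example, not a claim made by the DBIR).
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return 1.0 - (1.0 - p) ** n_emails


def implied_click_rate(n_emails: int, certainty: float) -> float:
    """Solve 1 - (1 - p)^n = certainty for p.

    Used to back out the per-recipient click rate that makes n e-mails
    reach the given probability of at least one click.
    """
    if n_emails < 1 or not 0.0 < certainty < 1.0:
        raise ValueError("need n >= 1 and 0 < certainty < 1")
    return 1.0 - (1.0 - certainty) ** (1.0 / n_emails)


def emails_needed(p: float, certainty: float) -> int:
    """Smallest n such that 1 - (1 - p)^n >= certainty.

    This is the number an attacker must send to hit the target certainty
    against a population with per-recipient click rate p.
    """
    if not 0.0 < p < 1.0 or not 0.0 < certainty < 1.0:
        raise ValueError("p and certainty must be strictly between 0 and 1")
    # (1 - p)^n <= 1 - certainty  ->  n >= log(1 - certainty) / log(1 - p)
    return math.ceil(math.log(1.0 - certainty) / math.log(1.0 - p))


if __name__ == "__main__":
    # Reproduce the DBIR/ThreatSim figure: 6 e-mails, 80% certainty.
    p_reported = implied_click_rate(6, 0.80)
    print(f"implied per-recipient click rate: {p_reported:.1%}")
    # Constructed post-training click rates to show the effect of education.
    for p_trained in (0.25, 0.10, 0.05, 0.02):
        print(f"click rate {p_trained:.0%}: attacker needs "
              f"{emails_needed(p_trained, 0.80)} e-mails for 80% certainty")
```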
Second, there is evidence of simple username/password-based attacks in many of the investigated cases. According to the DBIR, brute-forced and intercepted passwords are involved in over 80% of all data breaches; for a high-profile example, see the latest Twitter AP issue. Multi-factor authentication is the most applicable countermeasure, and many vendors now support a second factor in their authentication routines. Go through your application catalog, see where you store and access critical data, and check whether you can deploy multi-factor authentication there.
Lastly, I liked Verizon’s recommendation to use the 20 Critical Security Controls (CSCs) as an underlying structure for an effective security program. The 20 CSCs embody a pragmatic and prioritized approach to a security program, and are based on the in-the-field experiences of security practitioners who were asked: “What works in a real-life security program and where is your best ROI?”
Both the 20 CSCs and the 2013 Verizon Data Breach report are recommended reading for all professionals involved in security.