For those in the security industry, the annual Verizon Data Breach Study (DBIR) is a must-read. Those of us who attended the Verizon session on the DBIR 2013 at the annual RSA event a few months back were treated to a first glance of some of the findings of this year’s report and an interesting panel discussion about the impacts. The finishing touches have been placed on this sixth edition of the publication, and it is more comprehensive and enlightening than ever.
The reason the DBIR gets such close scrutiny is because it includes data from 19 global security organizations with an analysis of over 47,000 security incidents and 621 confirmed breaches. In addition, the 2013 DBIR offers new insight into data thieves and their motives.
Key findings include:
“The bottom line is that unfortunately, no organization is immune to a data breach in this day and age,” said Wade Baker, principal author of the Data Breach Investigations Report series. “We have the tools today to combat cybercrime, but it’s really all about selecting the right ones and using them in the right way.
“In other words, understand your adversary – know their motives and methods, and prepare your defenses accordingly and always keep your guard up,” Baker said.
In his blog, Dave Hylendar of the Verizon team added some insights of note about the DBIR. He observes the increase in the diversity, frequency and sophistication of attacks on virtually anyone and every institution:
“As a result—perhaps agitated by ancient Mayan doomsday predictions—a growing segment of the security community adopted an ‘assume you’re breached’ mentality…Motives for these attacks appear equally diverse. Money-minded miscreants continued to cash in on low-hanging fruit from any tree within reach. Bolder bandits took aim at better-defended targets in hopes of bigger hauls. Activist groups DoS’d and hacked under the very different—and sometimes blurred—banners of personal ideology and just-for-the-fun-of-it lulz. And, as a growing list of victims shared their stories, clandestine activity attributed to state-affiliated actors stirred international intrigue.”
Furthermore, everyone in the online security community probably agrees with Hylendar’s statement: “All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity.”
The 63-page report is chock full of really interesting charts and descriptions of the various threats. It also concludes with a great recommendation. Verizon is working with the recently formed Consortium for Cybersecurity Actions (CCA) and mapped the most common threat action varieties to that organization’s “Critical Security Controls for Effective Cyber Defense.”
Verizon says the complexity and diversity of cyber threats make it a challenge to offer specific suggestions based on the DBIR alone, and strongly recommends, as do I, that if you want to get educated as to what to do, the CCA 20 Critical Security Controls is a fantastic place to start. It makes for a terrific companion piece to the DBIR.
As the headline says, the DBIR contains sobering information that the bad guys had a good year from their perspective in 2012. And, as the data showed, no business regardless of size is immune from attack.
We read on a daily basis that unfortunately 2013 is stacking up as another banner year for those with malicious intent. The good news is the industry is on the case. It is virtually impossible to mitigate all of the risks in a very complex online world. But having visibility into what is going on, and using the best information and the right tools to understand and address the most glaring vectors and practices that make your enterprise susceptible to a data breach, can certainly help CIOs and CSOs rest a little easier. Let’s hope next year’s DBIR shows a positive downward trend in bad actor exploit activity.