For those in the security industry, the annual Verizon Data Breach Investigations Report (DBIR) is a must-read. Those of us who attended the Verizon session on the 2013 DBIR at the annual RSA event a few months back were treated to a first glance at some of this year’s findings and an interesting panel discussion about their impact. The finishing touches have now been placed on this sixth edition of the publication, and it is more comprehensive and enlightening than ever.
The reason the DBIR gets such close scrutiny is that it includes data from 19 global security organizations and analyzes over 47,000 security incidents and 621 confirmed breaches. In addition, the 2013 DBIR offers new insight into data thieves and their motives.
Key findings include:
“The bottom line is that unfortunately, no organization is immune to a data breach in this day and age,” said Wade Baker, principal author of the Data Breach Investigations Report series. “We have the tools today to combat cybercrime, but it’s really all about selecting the right ones and using them in the right way.
“In other words, understand your adversary – know their motives and methods, and prepare your defenses accordingly and always keep your guard up,” Baker said.
In his blog, Dave Hylender of the Verizon team added some insights of note about the DBIR. He observes the increase in the diversity, frequency and sophistication of attacks on virtually every individual and institution:
“As a result—perhaps agitated by ancient Mayan doomsday predictions—a growing segment of the security community adopted an ‘assume you’re breached’ mentality…Motives for these attacks appear equally diverse. Money-minded miscreants continued to cash in on low-hanging fruit from any tree within reach. Bolder bandits took aim at better-defended targets in hopes of bigger hauls. Activist groups DoS’d and hacked under the very different—and sometimes blurred—banners of personal ideology and just-for-the-fun-of-it lulz. And, as a growing list of victims shared their stories, clandestine activity attributed to state-affiliated actors stirred international intrigue.”
Furthermore, everyone in the online security community probably agrees with Hylender’s statement: “All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity.”
The 63-page report is chock full of really interesting charts and descriptions of the various threats. It also concludes with a great recommendation. Verizon is working with the recently formed Consortium for Cybersecurity Actions (CCA) and mapped the most common threat action varieties to that organization’s “Critical Security Controls for Effective Cyber Defense.”
Verizon says the complexity and diversity of cyber threats make it a challenge to offer specific suggestions based on the DBIR alone, and it strongly recommends, as do I, that anyone who wants to learn what to do start with the CCA 20 Critical Security Controls. They make a terrific companion piece to the DBIR.
As the headline says, the DBIR contains the sobering news that, from the bad guys’ perspective, 2012 was a good year. And, as the data showed, no business, regardless of size, is immune from attack.
We read on a daily basis that 2013 is unfortunately stacking up as another banner year for those with malicious intent. The good news is that the industry is on the case. It is virtually impossible to mitigate all of the risks in a very complex online world. But having visibility into what is going on, and using the best information and the right tools to understand and address the most glaring vectors and practices that make your enterprise susceptible to a data breach, can certainly help CIOs and CSOs rest a little easier. Let’s hope next year’s DBIR shows a downward trend in bad-actor exploit activity.