By David Grebe
Every year, Verizon publishes the Data Breach Investigations Report (DBIR). This report, while far from perfect, gives us a glimpse into the state of the field, and allows us to challenge some common misconceptions about cybersecurity.
Firstly, it should be noted that the datasets used in the report are far from a representative sample. Firms and organizations volunteer the data used to create the report, and Verizon is only partnered with organizations in the US, Europe, Australia, and Malaysia, so the data can be expected to be skewed in places. Verizon notes this in the report, but still presents some bizarre figures because the validity of the datasets is left unquestioned. For example, the claim that the Chinese government and its affiliates account for around 95% of all espionage cases is a very bold one. Another problematic claim, that Romania is the second largest perpetrator of cyberattacks (as the origin of 28% of all external attacks), also seems fishy.
In addition, the report makes use of two separate datasets (one is larger, while the other contains better-described security incidents), which creates problems of its own. For example, one dataset claims that social means of gaining access made up 29% of all attacks; the other claims 1%. This is because the larger, rarely used dataset includes many cases of credit card fraud, misuse of equipment, and the user error of sending emails to the wrong people. As these types of cases make up over half of that dataset (where previously they accounted for about one percent), they overwhelm it and create a mixed picture by applying different sets of definitions. This reminds us that small changes in what a “data breach” consists of drastically affect the data that is presented. Thus, given the nature of this data, the percentages in the findings ought to be taken with a grain of salt: the value of this data lies in beginning to understand broader trends and possible misconceptions, not in the individual values themselves.
As this report has been published for several years, some trends have emerged that challenge our previous conceptions. For one, external attacks are far more prevalent than internal ones. If true, this turns a common fallacy taught to most of our IT professionals on its head. According to the report, in 2012 only 14% of breaches were committed by insiders, a trend that has held up for the last 5 years. While disgruntled employees striking back at their workplaces may be flashy and costly, most of the cases (92%) appear to be external (keep in mind that a breach may be both internal and external). That being said, once the data includes various extra types of misuse and error (namely losing devices, mis-delivering emails, and misusing equipment), this picture becomes murkier.
Secondly, people interested in cybersecurity often hear too many buzzwords about massive plans by states to exploit backdoors and use logic bombs to infiltrate their opponents. However, ‘95% of all state-affiliated espionage attacks relied on phishing’. While I doubt that the popularity of phishing is that high, I think it is safe to conclude that even states rely on simple means to steal data. Likewise, of the 631 reports that make up the main dataset, only one required significant customization and advanced skills to perform. Over 75% of the attacks fit into the low or very low difficulty ratings, meaning an attacker could perpetrate them with little or no knowledge and with little adjustment to existing hacking tools. In fact, just over half of all data breaches studied involved any hacking at all to gain access to the targeted computer(s).
Thirdly, even computer-illiterate end users can make a simple change to help protect themselves. 76% of network intrusions exploited lost, stolen or weak passwords. Thus, simply taking a step such as enabling two-factor authentication (where a person does not just provide a password, but also a code sent by text to their phone or a thumbprint), while a hassle, could prevent a large portion of all data breaches.
We thank Verizon and its various partners for making this report public. Open statistical data is incredibly difficult to come by in the field. While the report certainly has its problems, it is usually clear about them. From the data, hopefully we can start to understand some of the areas where our conceptions are not meeting reality, and start to change our tactics because of it.
The 2013 DBIR can be found here: http://www.verizonenterprise.com/DBIR/2013/