Verizon’s annual Data Breach Investigations Report (DBIR) is one of the most respected studies on cybersecurity, cited by security professionals and security writers regularly and throughout the year. Although the 2017 DBIR was not released at RSA – it will come out later in the spring – Verizon did introduce its Data Breach Digest -- Perspective Is Reality. The digest highlights 16 case studies based on real-world data breach response activities and the lessons learned by the Verizon RISK Team.
“The digest is a companion to the DBIR,” said John Grim, senior manager with the Investigative Response Verizon RISK Team. “This takes the DBIR a step further by bringing those metrics to life.” The idea, he added, is to show victims that they aren’t isolated. There is a commonality to many attacks, but there are some that aren’t as common. The bottom line, however, is that every attack is personal; when it happens to you, it is lethal and dangerous and could destroy a business. The Data Breach Digest shows that you aren’t the only one who has gone through these experiences.
The stories are told from the points of view of the people involved in the attacks and breaches, covering four components: the human element, conduit devices, configuration exploitation and malicious software. The case studies focus on insider threats, attacks on IoT, DDoS and malware, to name a few. Grim said the idea was to show how incredibly complex these attacks are, no matter the size of the company. “We also wanted to show that stakeholders are important in data breach response.”
Based on the report, Grim also talked about some of the top issues in cybersecurity right now.
Compliance is about education, and both the DBIR and the Data Breach Digest are ways to educate employees of all levels about data breaches and the aftermath. They may not understand everything, like forensics, but CISOs can take this technical topic and, through the real-life experiences in the report, show staff just why security is so important. In turn, it leads to why following compliance is necessary to protect the company. CISOs, Grim said, use these scenarios as teaching tools. “Let’s take the lessons learned in the scenario and put it into our own security program to help breaches from occurring. And if one does occur, we can use the lessons learned to be better prepared to respond as a team. From a compliance standpoint, you use these as examples to encourage end users to make smart choices.”
Internet of Things
The Internet of Things (IoT) is a big topic right now (it was a popular session theme at RSA and came up in nearly every conversation; it is also a case study in the Digest). The reason is simple: Everything is becoming interconnected. “What is a thing?” Grim asked. “A thing could be a device. It could be an application. Just because it may not appear to be a computer system, it actually is.” End users need to make sure they follow the same protocols they would for any computer system or application: You need to make sure you keep patching and monitoring it.
“Say someone came into your office and took advantage of a singular device,” said Grim. “It may not be a standard breach with data walking out the door, but it does mean that end users aren’t able to function because they can’t get to the internet or they are prevented from doing their job.”
Like the IoT, the most important security steps for the critical infrastructure are to make sure software is patched and regularly updated. The problem with the critical infrastructure is that much of it uses legacy systems. “These systems tend to be written without security in mind. They were written to make sure the device is operating and functional. Nowadays, we need to make sure they are treated like any other IT system, with modern operating systems and proper security management,” Grim said. The case study in the Data Breach Digest also highlighted another problem for the critical infrastructure: There is a lot of institutional knowledge at these facilities but that knowledge isn’t being shared. When employees retire or switch jobs, they are taking the knowledge with them that includes any information regarding security. There is a need for that information to be shared in a formal response plan so other employees are able to access it if necessary.
Cybercriminals are always going to be at the top of their game. They are quick to evolve with changing technologies and smarter security tools. Response to cybercrime needs to focus on the threat actors – who they are, what they are after. “It’s the human element of cybercrime,” Grim said. He also said companies have to do a better job covering the basics, like following compliances like PCI or doing tasks like RAM scraping.
Grim and his team hope that companies and individuals will use the Data Breach Digest as a way to help build security. “Identify the scenarios that are most relevant to you,” he suggested, “and learn from them.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba