One of the sure signs of spring, besides tulips and daffodils, is the release of the 2014 Verizon Data Breach Investigations Report. For those who are excited by survey methodology, this year’s report marks a dramatic change for the DBIR. They’re no longer sticklers about verifying breaches leading to actual data exposures, which limited the data pool, and now report a broader set of security incidents. It means they can conduct a more interesting analysis, which the 2014 report has in spades.
On the down side, we don’t have the number of records exposed, which the DBIR provided in the past (but with lots of qualifiers). Yeah, I was disappointed as well. So I checked out this blog’s other favorite breach resource, the Identity Theft Resource Center, for their tally of breaches gleaned from non-verified reports in the media. It was not a good year (act surprised if you want) for consumer data security. In 2013, the ITRC counted over 90 million records stolen—a stunning jump from 2012’s mere 17 million records.
Anyway, the DBIR team crunched the data from over 60,000 incidents and came up with nine groups or clusters having common threat actions, threat targets, and actors. They claim the following categories cover almost 90% of the incidents: POS Intrusions (1%), Web Apps (6%), Insider Misuse (18%), Physical Theft (14%), Crimeware (20%), Card Skimmers (1%), Miscellaneous Errors (25%), DoS Attacks (3%), and Cyber Espionage (1%).
The largest cluster, Miscellaneous Errors, popped out to me as well, and demanded a closer look. According to the DBIR team, an astonishing 80% of these errors involve the accidental delivery of sensitive information to the wrong recipient or posting of non-public file contents to a public location. Often this was done by ordinary users, who were way below the C-level.
For us, at the Metadata Era, it points yet again to the sobering fact that too much PII and corporate IP is available on file systems without being limited on a need-to-know basis.
There’s more distressing news in the report. The statistics on the time it takes for IT to detect security incidents still show that most corporate responses don’t happen until months after the incident. As we’ve noted before, too few companies have in place the technology to detect unusual file access patterns, a key sign that intruders are lurking in your system.
On a positive note—and this is great news for IT—the DBIR gang offered their own controls to help prevent or limit breach risk for each of the aforementioned clusters. And then they did something that really gave us security mitigation joy. They provided a map of these clusters (in figure 69, to be exact) to the SANS 20 Critical Security Controls, which is the bible for “what works” security.
Speaking of SANS, we’ll be posting more about their controls, delving into the security philosophy behind them along with showing a new way to rework the SANS approach. And we’ll also be pulling out other interesting data points from this year’s DBIR—it’s chock-full of data security insights.