Verizon's 2015 Data Breach Investigations Report

I’ve bugged the Big Boss at work off and on for “What’s the best thing to read on information security?”

It’s not that I can’t find millions of pages to read, the problem is knowing the right thing to read. All things equal, I’d prefer to start with whatever everyone else (i.e., Big Boss) is reading.

So he finally mentions in passing: “Read the Verizon Data Breach Investigations Report for 2015.”

Ok, then, let’s read.

What’s in 2015’s DBIR?

Here’s a bit of what you can look forward to in the Verizon DBIR for 2015. I could list them out, but really, you need to do your own due diligence.

  • The three top industries affected by data breaches haven’t changed from year to year. If you work in one these industries, you’re particularly vulnerable.

  • Just because you’re not “important” doesn’t mean the bad guys won’t attack you. Find out why you may be targeted even when you’re not in a top industry.

  • How classifying incidents by type year over year exposes a threat space which may be finite, understandable and possibly measureable, allowing you to evaluate your own exposure.

  • Learn the common denominator for 90% of all breaches (hint: you may find a mirror handy), and what you can do to help mitigate this factor.

And lots more, some of which will be briefly noted below, but of course you’ll want to get the DBIR for yourself.

64 pages of security awesomeness

First, about the style: This year’s DBIR is written in a super chatty style, and leans on a motley collection of popular culture colloquialsms. This is mildly entertaining, but doesn’t really add much to the information being presented. It’s not difficult to read around.

Impact

Impact is one of the most important sections of the report, containing a credible attempt at assessing monetary cost of data breaches. Two charts and a table are provided, all of which contain quantitatively useful information. Most importantly, the model used for assessing impact, records involved in the breach versus dollar cost for remediation, is shown to have a relatively low $r^2$, meaning a simple count of lost records is not sufficient to accurately assess monetary damage in all cases.

However, this sort of result is very useful for indicating that other factors need to be examined in more detail.

As might be expected, the confidence interval becomes very broad as the number of record lost increases. For example, Verizon reports that for one hundred million records lost (100,000,000), the claims averaged $8.8 million, with a low of $5 million and high of $199 million. That’s a lot of variance.

The report does not correlate the claim size with the industry subjected to the breaches.

Let’s take a look at the section following Impact, and see how Verizon classifies incidents.

Classifying incidents

Verizon classified incidents using an otherwise unspecific hierarchal clustering method, resulting in nine (9) categories capturing 96% of the reported incidents. These categories are 1. Point-of-Sale Intrusions, 2. Payment Card Skimmers, 3. Crimeware, 4. Web App Attacks, 5. Denial-of-Service Attacks, 6. Physical Theft/Loss, 7. Insider Misuse, 8. Miscellaneous Errors, and 9. Cyber-Esponiage.

We’ll take a deeper look at item 5 in our list.

Denial-of-service

Distributed denial-of-Service (DDOS) attacks increased in 2014 compared to 2013; Verizon’s DBIR partners reported double.

Helpful mitigation strategies recommended by the DBIR include: locking down non-essential services, keep systems patched, and adding anti-spoofing filters when possible.

Of pehaps most interest to enterprise readers, the DBIR tabulates the number of DDOS victims by industry (Figure 37). The “Unknown” category leads the list with 860 incidents reported, followed by Public (435) and Financial Services (184).

Summary

Despite what I find as an overly conversational tone, the Verizon DBIR does contain a nice overview of 2014 network security incidents. While my inner scientist would enjoy much more in-depth discussion of methodology, the report “feels” about right for what I understand to be it’s intended audience: non-specialists who need a fast, high level overview of the kinds of security concerns important to their enterprise.

A personal glossary

  • C2: Command and Control

  • CVE: Common Vulnerability and Exposure

  • Data breach: a security incident resulting in confirmed disclosure of an information asset to an unauthorized party.

  • Data compromise: see “data breach.”

  • NAICS: North American Industry Classification System.

  • Security incident: An event compromising confidentiality, integrity or availability of an information asset.

  • Strategic Web Compromise: attacking one web server with the intention of using it to attack other targets.

Final remarks

Information security is an afterthought for most people. It’s difficult, and not always obvious what best practices must be followed, and the notion that “external actors” up to and including foreign governments may be backing attacks is far outside most people’s life experience.

Information security must be part of an organization’s “lifestyle,” which means it must be integrated into the behavior of everyone associated with an organization. The Verizon DBIR can help bring those afterthoughts forward into everyday discussion.


Tags