Six Observations on the 2014 Verizon Data Breach Investigations Report – Part II0
Last time, I noted the prominence of cyber espionage, who and what is targeted, and the embarrassing time it takes to detect attacks. Here are three more observations to take away from this year’s Verizon Data Breach Investigations Report.
The curse of human weaknesses
Even with all the latest headlines, sadly the Verizon report found that phishing remains one of the most popular attack vectors for cyber espionage (67 percent of breaches), and that weak or compromised passwords are involved in the overwhelming majority of attacks. The prominence of spyware keyloggers and password dumpers attests that passwords continue to constitute a critical weak point in any security strategy. User credentials themselves are top targets in breach scenarios across all industries.
Organizations would do well to train users to identify phishing and other schemes, and trade in their passwords for increasingly affordable authentication solutions leveraging biometrics, locational data, social profile identifiers and behavior patterns.
The attribution distraction
With a broader view into the global cyber landscape, Verizon registered less of a concentration of attacks originating in East Asia, and a growing number in Eastern Europe. But the more valuable finding is that one in four attacks cannot be attributed or connected to a nation or region at all. Further credit is due for the authors’ warning to “be wary of threat intelligence vendors claiming to be 100% sure an attack is X actor group from Y country with Z motives; they are ‘likely’ incorrect.”
Put more simply: Attribution is difficult. It’s heavily reliant on speculation and researcher bias. And if it’s not delivering a solution, it’s simply a distraction. Organizations, industries and policy makers must understand that every moment spent speculating on attribution is a moment lost to the efforts to determine what needs protecting and actually build and run the required defenses.
Information sharing is central to the solution
Perhaps the biggest takeaway from the 2014 Verizon Data Breach Investigation Report is that more information sharing between industry peers allows us to learn more from each other’s experiences fighting cyber-attacks. In the same way that increasing the number of Verizon research contributors shed new light on cyber espionage and other attack patterns, technology providers, enterprises, industries and governments can certainly work harder to learn from our collective experiences and more effectively confront cyber espionage attacks.
If cyber espionage is the “crime of the century” we have an obligation as a security industry to work together to address it. This includes sharing cyber espionage attack information between industry peers, working with law makers to incentivize such collaboration, and working with global law enforcement bodies to pursue cyber criminals across borders.
Next time, I’ll provide insights into the ecosystem of cybercrime based on the research McAfee’s Raj Samani and McAfee Labs have conducted over the last year.