A follow-up on our interview in which Verizon’s Jay Jacobs explains the reasons for data breach detection failures, the financial industry’s security problems, and more.
– For the next year, are you planning to present the results in different ways, change or add segmentation? What exactly?
– It’s hard to say at this point. We’ve greatly improved our data management back-end, which enables some interesting perspectives and analysis. One thing that we’re attempting to pick out is patterns. We’d like to focus more on the patterns we see in particular industries. One huge lesson we’re able to pull from our data is that not all breaches are equal and not every organization has the same threat landscape. Being able to pull out the differences and similarities should help inform decisions for those organizations. But we won’t know for sure how we’ll present the data until we can gather it and then see what kind of analysis the data would support.
– What was the most valuable feedback you received this year on your report?
– We’ve been doing this for a number of years and the feedback from the community is always an important part of the process. We get quite a range of feedback too, for example, some people don’t like that we include physical tampering (with ATM machines) in the data because there are very different types of attacks, while others send words of thanks for including that in the research. We collect the feedback and will review it as we go through the analysis next year.
– We see a lot of organizations fail to detect breaches. What do you see as the main reason: no monitoring, bad monitoring, tools that do not work?
– The majority of breaches are detected externally to the victim, and it’s not for lack of evidence in the victim’s environment. But I would hate to place any type of blame or point a finger at the victims themselves; blaming the victim is counter-productive after a breach. The evidence is usually in their environment; the challenge is in the monitoring and correlation. It’s a daunting task, and the challenge for organizations isn’t so much finding that evidence; it’s separating that evidence from the false positives (alerts that end up not being a breach).
– Implementing multi-factor authentication can solve a lot of problems. Do you have numbers on how widely this method is used and what the dynamics are year-to-year?
– We estimate that just under 4 out of 5 system attacks in 2012 (involving malware or hacking techniques) targeted user credentials at some point in the chain of events. Implementing two-factor authentication would have forced the attacker to adapt or leave. The abuse of credentials is definitely a huge pattern across industries and threat actors, and addressing it has the greatest potential to force the attackers to change their approach.
– Excluding ATM attacks, what are the most important and/or interesting numbers regarding attacks on banks?
– There are two interesting differences about the financial industry. First is the large proportion of web-based attacks: attacks at and through web applications are a much larger proportion in the financial industry than in other industries. The other trend we see is insider misuse. While the attacks we analyze show a much larger proportion of external attackers than internal ones, we see a larger proportion of internal misuse in the financial sector than in others. Along with that we see quite a bit of collusion, where an external actor will solicit help from or bribe an employee for their cooperation.
– Is activism really on the rise, or is it just a good newsmaker?
– On the rise over the last few years, yes. Though we saw a decline in the number of records they stole in 2012, we did see a sharp increase in their denial-of-service attacks. What is interesting about activism-related attacks is that they have a much different set of tactics than other attack communities. Aside from the DDoS, they favor web applications and target data that will grab attention, which is usually usernames/passwords or related information like that.
– Lost and stolen devices were not counted, do you have any numbers on such devices?
– Our report focused on confirmed breaches of data confidentiality. While lost laptops definitely lose the data, we can only suspect whether the confidentiality of the data on the device was breached. In our larger data set (not covered in depth in the report), lost devices and misaddressed envelopes represent a huge proportion of the incidents. We see this more where reporting of incidents is mandatory.
– In several parts of your report you compare stats year-to-year. How accurate is this, given that the sources and data set are different every year?
– We talk about this in the report, but we should try to keep year-to-year comparisons to a minimum. Given the change in the sources, we cannot directly compare year-over-year data sets to each other. But there is a natural curiosity about the changes over the years and if we read them as “this is what the data showed last year, and this is what it showed this year”, we can make the comparison. The challenge comes when people say “there was an x% increase from last year”. We shouldn’t jump to that conclusion.
– Any incident may have several attack methods. What percentage of breaches involved multiple threat actions and which exactly? How useful is this type of statistics?
– I wrote an appendix in the 2012 DBIR that attempted to dissect this. Roughly two-thirds of the breaches involved more than one threat action in that analysis. Understanding the event chain is an important component of defending. If we can’t stop the attacker at the perimeter, understanding the event chain and the second threat action, the third, and so on can help build defense in depth.