The DBIR 2015 is the ninth one from Verizon, and similar to the others, it highlights patterns and trends present in an aggregated incident data set. The report begins by emphasizing that there are few unique breaches in the cyber-world, and that the likelihood that an intrusion mechanism has been applied previously is relatively high. Furtherance, the DBIR informs against the presumption that victims of data breach believe they are in isolation; it is this falsehood that impedes on information sharing on attack patterns, which could collectively help prevent future intrusions.
Verizon has managed to develop a classification for breach incidents it has investigated over the past three years. This metric has nine categories: denial of service, web app attacks, crimeware, intrusion of point-of-sale (POS) systems, skimming of payment cards, cyberespionage, miscellaneous errors, misuse by insiders and privileged users, and physical loss and theft. Based on a clustering technique of 90% of the organization’s data corpus, POS intrusions were identified as the most prevalent form of data breach followed by attacks on web apps and cyberespionage (Verizon 5). Out of the nine categories, only 6 are included in the 2015 DBIR. The missing ones are DOS attacks, which is not a data breach, physical loss and theft, and miscellaneous errors; the latter was omitted from the report because it mainly involves mistakes and thus not intentional.
Additionally, this DBIR clusters breach scenarios into 4 categories: malicious software, conduit devices, configuration exploitation and the human element. In an attempt to make companies proactive against data breaches, Verizon has included an ‘Attack-Defend’ card for each scenario. The content of each card is scenario-specific, is derived for the past three years data set, and ‘lethal’ scenarios are identified as such. The contents of this card are explained in figure 1 below.
Figure 1: Contents of an 'Attack-Defend Card' (Verizon 6)
The DBIR 2015 highlights that 20% of data breaches are done using social engineering, with phishing, solicitation and pretexting being the most common methods used in this tactic. 72% of data breaches involving the human element were done through emails, which highlights the need for secure email communication practices coupled with firewalls in organizational networks. This report emphasizes that interrogating the human resource involved/affected by a data breach is as crucial as reviewing the digital evidence. Verizon argues that interviewing individuals working in a compromised department helps to narrow down the weakness in the system and identify potential reasons for a data breach. For example, an employee not satisfied with their job could be contacted for a position in a rival’s firm. This individual either could consciously or unknowingly create weak point in a company’s network, which could be exploited by competitors. On the other hand, such an employee could be sent a phishing email posing as a job invitation, and his/her opening of its content could infect the company’s network.
The report identifies that even mature corporations are prone to social engineering, as it relies on exploiting employee vulnerabilities that sometimes unknown to the organization. Consequently, the DBIR 2015 proposes training of the human resource on social engineering threats and the manner in which they may be executed. This training program can focus on each department and the critical information it handles. Additionally, the report recommends workstations without web access or email connectivity for employees handling proprietary data; this strategy limits threat levels of such information being accessed from an external source. Furtherance, this tactic minimizes the number of places that malware can be loaded on sensitive machines or the network itself.
Devices are significantly involved in data breaches, as they are targeted for their connection to the outside world or the data processed and stored by them. 40% of the data breaches investigated by Verizon involved either payment card skimmers or POS intrusions, which are both device-related. Part of the report’s recommendations regarding conduit devices include integration of security intelligence that will be used to control security devices such as proxy servers. Additionally, corporate training in regards to proper use of company devices should also be done to mitigate attacks targeted to individual employees.
Weak configurations may occur in both devices and networks: in the latter, they facilitate ease of lateral movement after a breach or as a data exfiltration avenue. The DBIR 2015 emphasizes that most common hacking varieties exploit loopholes present in static authentication mechanisms. Furtherance, the report identifies that 80% of data breach incidents it investigated involved weak, stolen, easily guessable or default passwords. Configuration exploitation scenarios are common in web apps, and their prevalence is highest in financial, public, retail and utilities sector. One common attack vector is SQL injection, which exploits vulnerability in web apps implementation by the victim; therefore, a database and server may lack vulnerabilities, but not using secure development principles may predispose the two to a data breach. Additionally, the report recommends the use of advanced intrusion detection mechanisms to mitigate this vector.
The use of malware is identified as a common practice in sophisticated breach attacks: some of this software may be used to initiate, advance, terminate and/or remove traces of the intrusion. The DBIR notes that malware scenarios involve 80% hacking activity and 44% social actions, which is indicative that malware incidents are co-dependent on other data breach vectors. The report recommends that whenever malware is detected and server cannot be restarted without crippling business operations, the network cable should be disconnected and persistence mechanisms removed. Consequently, malicious software and any of its files should be deleted after its process has been stopped. Once this is achieved, the system can be restarted in its now remediated state, but it would still require frequent monitoring to detect any suspicious activity.
The 2015 DBIR highlights specific incidences that Verizon has encountered in its prevention and countering of data breaches. The company acknowledges the multiplicity of tactics that are used to execute data breaches, and thus there cannot be a singular solution. The inclusion of these specific examples in the report can assist cyber-security personnel to be informed on emerging vectors and the manner in which they can be stopped. At the beginning of the report it is highlighted that data intrusion methods are usually repetitive, which means that if it was applied towards a competitor, there is a likelihood it would be used against an organization. The DBIR recommends the use of an Attack-Defend card to establish defenses against each data breach scenario. The existence of such a parameter is crucial in ensuring speedy response whenever an intrusion or suspicious activity is detected.
A vital strategy identified in the report is the need to interrogate human resources alongside digital evidence when investigating a breach. This recommendation is founded on the realization that a majority of intrusions exploit human vulnerability, regardless of them using other scenarios such as malware and conduit devices. Additionally, the DBIR suggests comprehensive training as a mitigation strategy against social engineering. The efficacy of such a program would be mainly because an organization may not be privy to each employee’s vulnerabilities, thus cannot mitigate them collectively. This report can be used to develop a training manual, mainly because it contains real-life scenarios that would be more relatable and understandable to employees working in non-IT departments.
An essential aspect to note when using the DBIR 2015 to allocate resources and assess new risks is to understand that most of the recommendations made in this report should be customized to an organization’s human resource, technology and processes before being implemented. Whereas vectors such as SQL injections and malware may follow the same pattern as those indicated in the report, the response strategy can only successful if it co-exists with other elements within a corporation. For example, an intrusion prevention strategy that relies on proxy servers and firewall hardware, can only achieve its objectives if this equipment are available within a firm.
The report highlights the top three data breach incident categories as POS intrusion, cyber-espionage and attack on web apps. This finding is helpful in preventing intrusions, as institutions are made aware of where to concentrate their security efforts. Additionally, the report indicates the prevalence of each of the incidents based on a per industry classification. Similarly, corporations in each sector are made aware of what attack vectors are most likely to be used against them, and thus they can enhance their security measures beforehand. Furtherance, the DBIR 2015 identifies phishing as the leading threat action followed by use of stolen/lost credit cards. This information indicates a need to increase authentication protocols in e-commerce platforms and to educate end users of the growing threat of phishing. In addition, the report highlights the use of stolen, guessable and/or default passwords as an increasing vulnerability for a majority of databases and networks. Therefore, organizations can auto-generate passwords for its employees and users to avoid use of default and easily guessable ones. Moreover, these passwords can be changed periodically dependent on the sensitivity of the information they secure.
Based on the DBIR 2015, allocation of resources to mitigate and counter data breach should be founded on risk of vulnerability and sensitivity of information stored/processed; this implies that the process should start with a risk assessment that would then be used to develop specific response strategies for each. In some instances, the report recommends storing highly sensitive information such as proprietary data on machines without web access or email connectivity. This strategy is aimed at minimizing vulnerability points within a system/network, and reducing the likelihood of an external attacker accessing such critical data. Nonetheless, the success of any of the strategies mentioned above is highly dependent on the integration of the four cluster scenarios to reduce exploitable areas. Although the report is relatively technical in its explanations, it has attempted to simplify data breach, and information and network security; this makes such information easily understandable to decision-makers that lack a background in IT.
Verizon. “DBIR Verizon Data Breach Digest.” N.p. 2015