Why do we all get so excited about the Verizon Data Breach Investigations Report (DBIR) every year? For me, it’s not just the subject matter. It’s mostly the snarky tone and the pop-culture references. Call it what you will, but the injection of humor into an otherwise serious set of findings of our seemingly collective ineptitude makes it at least palatable to read and thus easier to digest.
Seriously though, while it’s not all bad, the dataset for this year’s analysis was again frightening. “41,686 security incidents and 2,013 data breaches” in the past calendar year? That’s well over 100 events per day!
Whether that scares you or not, here are two trends and themes I think are worth thinking more deeply about in this year’s report.
Some of the most interesting pieces of information within the DBIR every year are the noticeable trends in comparison with previous years’ statistics. One finding in particular that jumped out at me right out of the gate in the “Results and analysis” section was the following regarding the “Threat actors” involved in the analyzed data “breaches”:
“System administrators are creeping up and while the rogue admin planting logic bombs and other mayhem makes for a good story, the presence of insiders is most often in the form of errors. These are either by misconfiguring servers to allow for unwanted access or publishing data to a server that should not have been accessible by all site viewers. Please, close those buckets!” (2019 Data Breach Investigations Report, Page 7)
To me, this is a problem that is within our reach and control to solve. It’s not an easy problem per se, but it’s really a blocking and tackling kind of thing. Maybe it’s even more of a stop the bleeding kind of thing too.
Discipline is the primary ingredient missing from this recipe, but I don’t mean laziness when I say that. It’s hard not to make any mistakes, especially when we know system administrators are stretched so thin and worked so hard. It’s also hard to follow process to a “T” when there are deadlines to meet.
Configuration management and policy enforcement solutions exist to force us to cross the I’s and dot the T’s. They promote focus on foundation-level security controls, which in turn increases the effectiveness of the fancier solutions you’re relying on to catch the bad guys in the act.
Bottom Line: Self-inflicted wounds are perhaps the ones that hurt the most, and unfortunately, according to this year’s DBIR, we’re doing it more often than in years past.
Normally I’d be worried about someone calling me out for being biased as we’re always obsessing about “Credentials and Data” here at STEALTHbits, but the facts are the facts. Stolen credentials and the (ab)use of stolen credentials dominated the rankings in this year’s study.
This makes sense though. After all, it’s kind of hard to obtain access to valuable assets in the digital world without a valid set of credentials – unless it’s just completely wide open, which is also a possibility.
“Like all good stories, attackers need somewhere to begin, and whether this starting point is with a list of vulnerable servers, phished emails, or stolen credentials, if the proverbial lever is long enough they will breach your perimeter. Therefore, it is wise to do all that you can to reduce the number of starting points that they are provided. After all, vulns can usually be patched and creds can be better protected with multi-factor authentication.” (2019 Data Breach Investigations Report, Page 27)
I agree. And given Active Directory is where the vast majority of internal users’ credentials are contained for 90% of businesses worldwide, you might want to see how strong your users’ passwords are and the state of other conditions and vulnerabilities attackers exploit to compromise your credentials and data.
Bottom Line: There are two common denominators in every breach scenario – credentials and data. This year’s DBIR very clearly supports this fact.
“There’s definitely a feeling in InfoSec that the attackers are outpacing us. They’ve got all the creds, the vulns, and the shells, not to mention the possibility of huge monetary incentives.” (2019 Data Breach Investigations Report, Page 27)
I’ll never say anything relating to cybersecurity is easy. There are just too many moving pieces, too many factors, too many threat vectors. Like anything in life though, it’s got to be one day at a time, one foot in front of the other.
The DBIR is not just a status check on how well we’re doing each year. It’s a call to arms to do something about the problem. The question is not whether you’re going to fight, however. The question is which weapon you’re going to use.
Fortify the foundation? Control the creds? Defend the data? Or pray for an unprecedented advancement in AI that will detect, quarantine, and eradicate all the threats we face by the end of the year?
I think we know what we need to do.
“Who is behind the event? This could be the external “bad guy” that launches a phishing campaign, or an employee who leaves sensitive documents in their seat back pocket.” (2019 Data Breach Investigations Report, Page 2)
“What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, and influencing human behavior.” (2019 Data Breach Investigations Report, Page 2)
“More specific enumerations of higher level categories – e.g., classifying the external “bad guy” as an organized criminal group, or recording a hacking action as SQL injection or brute force.” (2019 Data Breach Investigations Report, Page 2)
“An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party” (2019 Data Breach Investigations Report, Page 2)
As General Manager, Adam is responsible for product lifecycle and market adoption from concept to implementation through to customer success. He is passionate about market strategies and developing a long-term path for success for our customers and partners.
Previously, Adam served as CMO and has held a variety of senior leadership positions at Stealthbits – now part of Netwrix – including Sales, Marketing, Product Management, and Operational Management roles, where his focus has consistently been setting product strategy, defining roadmap, driving strategic engagements and product evangelism.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.