Reviewing the 2017 Verizon DBIR

Transcription

1 Reviewing the 2017 Verizon DBIR Amherst Security Group May 10, 2017 Robert Hurlbut

2 Robert Hurlbut Software Security Consultant, Architect, and Trainer Owner / President of Robert Hurlbut Consulting Services Microsoft MVP Developer Security , 2015, 2016 (ISC)2 CSSLP Co-host with Chris Romeo Application Security Podcast Contacts Web Site:

3 Disclaimer I am not an employee of Verizon or their affiliates. All views, opinions, and biases are representative of my own independent research of the 2017 Verizon DBIR, unless noted.

4 What is the Verizon DBIR? The Verizon Data Breach Investigations Report (DBIR) was first released in 2008 with data breach data from one organization: Verizon. Since then, this report has been released annually for 10 years.

5 What is the Verizon DBIR? The latest report (released April 27, 2017) represents aggregated data breach data from 65 contributing organizations.

6 Definitions (from report) Incident A security event that compromises the integrity, confidentiality or availability of a information asset. Breach An incident that results in the confirmed disclosure not just potential exposure of data to an unauthorized party.

7 Definitions (from the report) VERIS Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and responsible manner.

8 Incident/breach eligibility The incident must have at least seven enumerations (e.g. threat actor variety, threat action category, variety of integrity loss and so on) across 34 fields OR be a DDoS attack. Exceptions are given to confirmed data breaches with less than seven enumerations. The incident must have at least one known VERIS threat action category (hacking, malware and so on).

9 Incident Classification Patterns 1. Denial of Service 2. Privilege Misuse 3. Lost and Stolen Assets 4. Everything Else 5. Point of Sale 6. Miscellaneous Errors 7. Web App Attacks 8. Crimeware 9. Payment Card Skimmers 10. Cyber-Espionage

10 Verizon 2017 DBIR, page 3

11 Verizon 2017 DBIR, page 3

12 Verizon 2017 DBIR, page 3

13 Verizon 2017 DBIR, page 3

14 Verizon 2017 DBIR, page 5

15 ESP = Espionage motive OR stateaffiliated OR nationstate actors FIG = Fun, Ideology, Grudge motives FIN = Financial motivation OR organizational criminal group actors C2 = Stolen credentials Note: Financial motivations and espionage account for 93% of breaches analyzed. Verizon 2017 DBIR, page 6

16 Verizon 2017 DBIR, page 7

17 Verizon 2017 DBIR, page 8

18 Key Industries Accommodation and Food Services Educational Services Financial and Services Healthcare Information Manufacturing Public Administration Retail

19 Incidents (left) vs Breaches (right) counts by Industry Verizon 2017 DBIR, page 9

20 Incidents (left) vs Breaches (right) by Industry Verizon 2017 DBIR, page 10

21 Verizon 2017 DBIR, page 11

22 Verizon 2017 DBIR, page 11

23 Verizon 2017 DBIR, page 12

24 Example: Financial threat actions Verizon 2017 DBIR, page 20

25 Example: Financial recommendation Verizon 2017 DBIR, page 21

26 Example: Healthcare Verizon 2017 DBIR, page 22

27 Summary of Industry Findings The top three industries for data breaches were: financial services (24%), health care (15%), public sector (12%). For financial services, the top two motives were: financial gain (72%) and espionage (21%) The motives were flipped for the public sector, with: espionage (64%) and financial gain (20%)

28 Social attacks - Phishing for data

29 Verizon 2017 DBIR, page 35

30 Incident Classification Patterns Verizon 2017 DBIR, page 38

31 Recommendations (summaries from Things to Consider ) Use two-factor authentication across all websites and privileged access to sensitive internal systems Change default passwords and use strong passwords Ensure DoS protection of external websites

32 Recommendations (summaries from Things to Consider ) Insider Threats: Periodically monitor employee activities Don t give more permissions to employees than then need Disable accounts upon employee departure Use warning banners on systems so employees are aware of policies and ensure employees are aware that their activities are being monitored Miscellaneous errors: Have second person sign off on publishing content to websites or changes Have a good policy for data handling and disposal of sensitive data (such as data stored on hard drives or printed on paper). Encrypt laptops (use whole disk encryption) and mobile devices Backup systems routinely

33 Recommendations (summaries from Things to Consider ) Have good business continuity and disaster recovery plans for your critical systems and applications. Keep software up to data (OS, web apps, plug-ins). Segregate networks based on data sensitivity (such as retail POS or customer database systems from rest of internal network). Monitor egress points to prevent data loss.

34 Look at nomoreransomware.org Verizon 2017 DBIR, page 37

35 Extra: DRAFT NIST Digital Identity Guidelines Some password security recommendations: Remove periodic password change requirements Drop the algorithmic complexity song and dance Require screening of new passwords against lists of commonly used or compromised passwords

36 Resources Verizon 2017 Data Breach Investigations Report (DBIR) rp_dbir_2017_report_en_xg.pdf Verizon 2017 Data Breach Digest RSA Conference file_upload/lab4-r12_data-breach-digest-perspectives-onthe-human-element_copy1.pdf

37 VERIS Resources Features information on the framework with examples and enumeration listings Features the full VERIS schema Provides access to database on publicly disclosed breaches, the VERIS Community Database

38 Questions? Contacts Web Site: robert at roberthurlbut.com