Reviewing the 2017 Verizon DBIR - Robert Hurlbut...What is the Verizon DBIR? The Verizon Data Breach...


Page 1: Reviewing the 2017 Verizon DBIR - Robert Hurlbut...What is the Verizon DBIR? The Verizon Data Breach Investigations Report (DBIR) was first released in 2008 with data breach data from

Reviewing the 2017 Verizon DBIR

Amherst Security Group May 10, 2017

Robert Hurlbut RobertHurlbut.com • @RobertHurlbut

Page 2:

Robert Hurlbut

Software Security Consultant, Architect, and Trainer

Owner / President of Robert Hurlbut Consulting Services
Microsoft MVP – Developer Security 2005-2009, 2015, 2016
(ISC)2 CSSLP 2014-2017
Co-host with Chris Romeo – Application Security Podcast

Contacts
Web Site: https://roberthurlbut.com
Twitter: @RobertHurlbut, @AppSecPodcast

© 2017 Robert Hurlbut Consulting Services

Page 3:

Disclaimer

I am not an employee of Verizon or their affiliates. All views, opinions, and biases are representative of my own independent research of the 2017 Verizon DBIR, unless noted.

Page 4:

What is the Verizon DBIR?

The Verizon Data Breach Investigations Report (DBIR) was first released in 2008 with data breach data from one organization: Verizon. Since then, this report has been released annually for 10 years.

Page 5:

What is the Verizon DBIR?

The latest report (released April 27, 2017) represents aggregated data breach data from 65 contributing organizations.

Page 6:

Definitions (from report)

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Page 7:

Definitions (from the report)

VERIS: Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and responsible manner.

Page 8:

Incident/breach eligibility

The incident must have at least seven enumerations (e.g. threat actor variety, threat action category, variety of integrity loss and so on) across 34 fields OR be a DDoS attack. Exceptions are given to confirmed data breaches with less than seven enumerations. The incident must have at least one known VERIS threat action category (hacking, malware and so on).
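The eligibility rule above is easy to misread, so here it is as a small checker run over VERIS-style records. This is an added example written for this review, not code from Verizon, the VERIS project or the presenter. The record layout (nested action/actor/attribute/victim dictionaries, DoS recorded under action.hacking.variety, confirmed disclosure under attribute.confidentiality.data_disclosure) is an assumption modelled on the shape of the VERIS schema, and every sample record is constructed.

```python
"""Apply the DBIR incident/breach eligibility rule to VERIS-style records.

Illustration code added to this review (not Verizon's, VERIS's or the
presenter's).  The nested record layout is an assumption modelled on the
VERIS schema; the sample records are constructed.
"""

# VERIS threat action categories.  An incident counts only if at least one
# known category is present; an "unknown" action does not qualify.
KNOWN_ACTION_CATEGORIES = {
    "hacking", "malware", "social", "misuse", "physical", "error", "environmental",
}
MIN_ENUMERATIONS = 7  # report threshold: at least seven enumerations across 34 fields


def flatten(record, prefix=""):
    """Walk the nested record and yield (dotted_path, value) leaf pairs."""
    for key, value in record.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def count_enumerations(record):
    """Count leaf fields that carry a real value.

    Empty lists, empty strings, None and the literal "Unknown" are treated as
    not enumerated, since they add nothing to the analysis.
    """
    n = 0
    for _, value in flatten(record):
        if isinstance(value, list):
            if any(v and v != "Unknown" for v in value):
                n += 1
        elif value not in (None, "", "Unknown"):
            n += 1
    return n


def is_ddos(record):
    return "DoS" in record.get("action", {}).get("hacking", {}).get("variety", [])


def known_action_categories(record):
    return {cat for cat in record.get("action", {}) if cat in KNOWN_ACTION_CATEGORIES}


def is_confirmed_breach(record):
    disclosure = record.get("attribute", {}).get("confidentiality", {}).get("data_disclosure")
    return disclosure == "Yes"


def eligibility(record):
    """Return (eligible, reason) following the rule summarised on the slide."""
    if not known_action_categories(record):
        return False, "no known VERIS threat action category"
    n = count_enumerations(record)
    if n >= MIN_ENUMERATIONS:
        return True, f"{n} enumerations"
    if is_ddos(record):
        return True, f"DDoS attack ({n} enumerations)"
    if is_confirmed_breach(record):
        return True, f"confirmed breach exception ({n} enumerations)"
    return False, f"only {n} enumerations"


# Constructed sample records (not real VCDB entries).
SAMPLE_RECORDS = [
    {   # well-documented web app attack with confirmed disclosure
        "incident_id": "sample-001",
        "action": {"hacking": {"variety": ["Use of stolen creds"], "vector": ["Web application"]}},
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "asset": {"assets": [{"variety": "S - Web application"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Yes", "data_variety": ["Credentials"]}},
        "victim": {"industry": "52", "country": ["US"]},
    },
    {   # sparse DDoS report: few fields, but DDoS is always in scope
        "incident_id": "sample-002",
        "action": {"hacking": {"variety": ["DoS"]}},
        "actor": {"external": {"variety": ["Unknown"]}},
        "victim": {"industry": "61"},
    },
    {   # sparse record with no known action category: excluded
        "incident_id": "sample-003",
        "action": {"unknown": {"notes": "not yet classified"}},
        "victim": {"industry": "92"},
        "attribute": {"confidentiality": {"data_disclosure": "Potentially"}},
    },
    {   # sparse but confirmed breach: kept under the exception
        "incident_id": "sample-004",
        "action": {"error": {"variety": ["Misdelivery"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
        "victim": {"industry": "62"},
    },
]


def triage(records):
    """Map incident_id -> (eligible, reason) for a batch of records."""
    return {r["incident_id"]: eligibility(r) for r in records}


if __name__ == "__main__":
    for incident_id, (ok, why) in triage(SAMPLE_RECORDS).items():
        print(f"{incident_id}: {'eligible' if ok else 'excluded'} ({why})")
```

The point the checker makes visible is that the threshold is about data quality, not severity: a sparsely reported DDoS or confirmed breach still gets in, while a richly described event with no identifiable threat action does not.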

Page 9:

Incident Classification Patterns

1. Denial of Service
2. Privilege Misuse
3. Lost and Stolen Assets
4. Everything Else
5. Point of Sale
6. Miscellaneous Errors
7. Web App Attacks
8. Crimeware
9. Payment Card Skimmers
10. Cyber-Espionage

Page 10:

Verizon 2017 DBIR, page 3

Page 11:

Verizon 2017 DBIR, page 3

Page 12:

Verizon 2017 DBIR, page 3

Page 13:

Verizon 2017 DBIR, page 3

Page 14:

Verizon 2017 DBIR, page 5

Page 15:

Verizon 2017 DBIR, page 6

ESP = Espionage motive OR state-affiliated OR nation-state actors
FIG = Fun, Ideology, Grudge motives
FIN = Financial motivation OR organizational criminal group actors
C2 = Stolen credentials

Note: Financial motivations and espionage account for 93% of breaches analyzed.

Page 16:

Verizon 2017 DBIR, page 7

Page 17:

Verizon 2017 DBIR, page 8

Page 18:

Key Industries

Accommodation and Food Services
Educational Services
Financial and Services
Healthcare
Information
Manufacturing
Public Administration
Retail

Page 19:

Verizon 2017 DBIR, page 9

Incidents (left) vs Breaches (right) counts by Industry

Page 20:

Verizon 2017 DBIR, page 10

Incidents (left) vs Breaches (right) by Industry

Page 21:

Verizon 2017 DBIR, page 11

Page 22:

Verizon 2017 DBIR, page 11

Page 23:

Verizon 2017 DBIR, page 12

Page 24:

Example: Financial threat actions


Verizon 2017 DBIR, page 20

Page 25:

Example: Financial recommendation


Verizon 2017 DBIR, page 21

Page 26:

Example: Healthcare

Verizon 2017 DBIR, page 22

Page 27:

Summary of Industry Findings

The top three industries for data breaches were: financial services (24%), health care (15%), public sector (12%).

For financial services, the top two motives were: financial gain (72%) and espionage (21%)

The motives were flipped for the public sector, with: espionage (64%) and financial gain (20%)

Page 28:

Social attacks - Phishing for data

Page 29:

Verizon 2017 DBIR, page 35

Page 30:

Verizon 2017 DBIR, page 38

Incident Classification Patterns

Page 31:

Recommendations (summaries from “Things to Consider”)

Use two-factor authentication across all websites and for privileged access to sensitive internal systems
Change default passwords and use strong passwords
Ensure DoS protection of external websites

Page 32:

Recommendations (summaries from “Things to Consider”)

Insider Threats:

Periodically monitor employee activities
Don’t give employees more permissions than they need
Disable accounts upon employee departure
Use “warning banners” on systems so employees are aware of policies and know that their activities are being monitored

Miscellaneous errors:

Have a second person sign off on publishing content or changes to websites
Have a good policy for data handling and disposal of sensitive data (such as data stored on hard drives or printed on paper)
Encrypt laptops (use whole disk encryption) and mobile devices
Back up systems routinely

Page 33:

Recommendations (summaries from “Things to Consider”)

Have good business continuity and disaster recovery plans for your critical systems and applications.
Keep software up to date (OS, web apps, plug-ins).
Segregate networks based on data sensitivity (for example, keep retail POS or customer database systems separate from the rest of the internal network).
Monitor egress points to prevent data loss.

Page 34:

Look at nomoreransomware.org


Verizon 2017 DBIR, page 37

Page 35:

Extra: DRAFT NIST 800-63-3 Digital Identity Guidelines

Some password security recommendations:
Remove periodic password change requirements
Drop the algorithmic complexity song and dance
Require screening of new passwords against lists of commonly used or compromised passwords

https://pages.nist.gov/800-63-3/
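To show what those three recommendations look like in an enrollment check, here is an added example written for this review; it is not NIST's code or the presenter's. It assumes the compromised-password list is held as SHA-1 digests (the form such lists are commonly distributed in) and the list itself is a constructed stand-in of a few entries. The legacy complexity check is included only for contrast with the screening approach.

```python
"""Password acceptance check in the spirit of the draft NIST 800-63-3 guidance
summarised on the slide: length and screening decide, with no composition
rules and no expiry clock.

Illustration code added to this review (not NIST's or the presenter's).
The compromised-password list is a constructed stand-in; the SHA-1 storage
format is an assumption about how such lists are usually distributed.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8    # minimum length for a user-chosen memorised secret
MAX_LENGTH = 64   # accept at least 64 characters; never truncate silently


def _sha1(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed sample of a "commonly used / compromised" list, stored as
# upper-case hex SHA-1 digests rather than plaintext.
COMPROMISED_HASHES = {_sha1(p) for p in (
    "password", "123456789", "qwertyuiop", "letmein1",
    "Password1!", "correcthorsebatterystaple",
)}


def normalize(secret):
    """Apply Unicode NFKC so visually identical inputs hash identically."""
    return unicodedata.normalize("NFKC", secret)


def _is_sequential(s):
    """True for runs like 'abcdefgh' or '87654321' (constant step of +1/-1)."""
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(steps) == 1 and steps <= {1, -1}


def check_password(candidate, context_words=()):
    """Return (accepted, reason).

    context_words are service- or user-specific strings (username, company
    name) that should not appear inside the secret.
    """
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(secret) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if _sha1(secret) in COMPROMISED_HASHES:
        return False, "appears in the compromised-password list"
    lowered = secret.lower()
    if any(w.lower() in lowered for w in context_words if w):
        return False, "contains a context-specific word (username, service name)"
    if len(set(secret)) == 1 or _is_sequential(secret):
        return False, "repetitive or sequential characters"
    return True, "accepted"


def legacy_complexity_ok(candidate):
    """The 'algorithmic complexity song and dance' the guidance drops:
    8+ characters drawn from at least three character classes."""
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    return len(candidate) >= 8 and sum(classes) >= 3


if __name__ == "__main__":
    # Constructed inputs: a breached-but-"complex" password and a long passphrase.
    for pw in ("Password1!", "purple otter reads maps"):
        ok, why = check_password(pw, context_words=("alice", "examplecorp"))
        print(f"{pw!r}: screening -> {why}; legacy complexity -> {legacy_complexity_ok(pw)}")
```

Run as written, the two checks disagree in exactly the way the guidance predicts: the complexity rule waves through a password that sits on the breach list and rejects a long passphrase, while screening does the opposite. The NFKC step matters when the same list is consulted from different clients, so that a ligature or full-width variant of a known-bad password cannot slip past the hash comparison.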

Page 36:

Resources

Verizon 2017 Data Breach Investigations Report (DBIR)

https://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf

Verizon 2017 Data Breach Digest – RSA Conference 2017

https://www.rsaconference.com/writable/presentations/file_upload/lab4-r12_data-breach-digest-perspectives-on-the-human-element_copy1.pdf

Page 37:

VERIS Resources

http://veriscommunity.net Features information on the framework with examples and enumeration listings

https://github.com/vz-risk/veris Features the full VERIS schema

https://github.com/vz-risk/vcdb Provides access to database on publicly disclosed breaches, the VERIS Community Database

Page 38:

Questions?

Contacts

Web Site: https://roberthurlbut.com
Twitter: @RobertHurlbut, @AppSecPodcast
Email: robert at roberthurlbut.com
