2015 Data Breach Report Roundup

The 2015 Verizon Data Investigation Breach Report (DBIR) is out.  First, a well-deserved recognition for the great job, yet again, done by this team.  This report is legendary in the security community for its relevant information, unbiased conclusions, and sheer entertainment value (fairly certain the team dresses as Monty Python characters at least once a year).

This year’s installment of the DIBR continues the tradition of outlining a number of trends, significant attack methods, and for the first year really digs into providing real data around one of the most nebulous measurement problems in the industry, data breach cost impacts. 

Here is my take on the top 10 things every security professional needs to know and drill down in the report:

1. Everyone is a target, but Public (ie. government, etc.), Information, and Financial industries are at the center of the vortex for data breaches.  For organizations in those industries, be aware and take extra precautions in protecting the confidentiality of your data
2. Misery loves company.  70% of incidents, where motive was determined, have a 2nd victim.  Two-step attacks reach outward to impact others and 75% of secondary victims are impacted within 24 hours.  Being compromised puts at risk those partners, customers, and suppliers who trust you 
3. Attacks move fast.  60% of the time, attackers compromise a target within minutes
4. Phishing success is up, rising from the teen percentages last year to 23% effectiveness and it happens fast, with 50% opened/clicked-on within 1 hour
5. Vulnerabilities seem to live forever.  99.9% of the vulnerabilities exploited by attackers had existed for at least a year.  Attackers continue to follow the path-of-least resistance, targeting easy victims with well-known and documented vulnerabilities.  So, patch already!
6. The speed of exploit development is also rapid.  About half of all vulnerabilities were exploited in a month of being discovered.  So, apply patches early as well!
7. Mobile device malware does not yet play a significant role in data breach attacks.  Only 3 of every 10k phones get infected with serious malware per week.  95% of malware types lived for less than a month, with most gone in a week.
8. Malware is a unique beast.  70-90% of malware samples are unique to an organization, with distinctive signatures/hashes.  This is likely due to how modern malware continually morphs itself once inside, to remain entrenched.  It shows the old method of anti-malware pattern matching is largely ineffective.  This is why, for years, security companies have been shifting to better ways of detecting malware.
9. For the first year, the DIBR has taken on the security metrics bull by-the-horns and produced analysis for impacts related to breaches.  It is one of the best models I have seen to calculate the elusive “cost per record”, and no, it is not a flat rate (not 58 cents and not $201 per record).  The logarithmic model Verizon came up with varies based upon the number of records exposed.  Losing 1k records would cost $67 dollars p/record, while losing 100m records comes in at about 9 cents p/record.  Scalable and rational, well done!
10. The 10th and final conclusion I make is simple.  Go read it. The details are numerous, conclusions are solid, observations are real (not survey data), and the team provides the clues necessary for individual interpretation of relevance based upon your organization.  This is one report you should actually take the time to read.

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist