5 Questions with Gabe Bassett, Verizon Data Breach Investigations Report Co-Author
1. What do you consider to be the top three surprise findings in the 2019 Verizon DBIR report?
There were definitely three major surprises this year:
First, that the median amount stolen in BECs is only $24,000 USD according to United States Federal Bureau of Investigation (FBI) data. It suggests that it’s not what is stolen from organizations that costs them the most, but, rather, everything they need to do to handle the incident.
The analysis also demonstrated that senior executives were 12 times more likely to be compromised in social incidents than the previous year. The reality is that attackers are looking for the quickest and easiest way to obtain money. Typically, time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through.
Finally, the number of ‘Errors’ increased to 21 percent of all breaches. We have suspected for years that errors were under-reported because industries with mandatory reporting requirements (such as healthcare and public administration) have high error rates, but it is surprising that errors are now being more publicly disclosed. This is due to one specific kind of error, where an organization puts private information in publicly accessible cloud storage. Because those are often discovered externally, they often get reported publicly rather than simply mitigated privately by the organization.
2. Mail servers "surprisingly" are in the top group of assets affected in data breaches. Why is that a surprise?
Previously, mail servers hadn’t been above the 7th most common asset. This was a large jump forward, tied strongly to the increased use of lost or stolen credentials in breaches.
3. What are the most common "starting points" for a data breach and what can organizations do to reduce them?
There are four important starting points for breaches; these are:
- Well-known, unpatched, internet-facing vulnerabilities
- Use of stolen credentials
- Social attacks (Financially Motivated Social Engineering and Phishing)
The following steps can help organizations reduce these risks:
- Organizations need to find well-known vulnerabilities (years or decades old) and patch them as attackers constantly scan the internet for them
- For Errors, organizations need to plan for graceful degradation in their processes that touch sensitive information. We don’t expect an engine to explode if a car gets a flat tire. We should engineer processes to be resilient to one failure or mistake as well. No person, process or tool is perfect. We should plan for that.
- Two-factor authentication plays a big part in helping prevent credential attacks. No 2FA solution is perfect, but they make it that little bit harder for the attacker, and that little bit has a big impact. Employees can also be encouraged to use password managers. It can help them create unique passwords for all sites and help prevent entering passwords in fake sites. Another easy step organizations can take is to not have onerous password policies, such as requiring passwords to be changed regularly.
- For social attacks, there are lots of options for mitigating phishing. Conduct simulated phishing. Give employees an easy way to report phishing (phishing reporting rates tend to mirror click rates for the first hour but drop off, while click rates continue to increase for the next week. If you act on reports of phishing, you could potentially mitigate two-thirds of the clicks.) Block links, executables, and macro-enabled Office documents at the mail gateway. And give people who need to access attachments from outside of the organization as part of their job (PR, HR, legal, etc.) sandboxed tablets rather than full desktops or laptops to help prevent malware. For Financially Motivated Social Engineering attacks, have a process for confirming any transfer of money that requires a non-email method of validating the transfer. It’s kind of like two-factor authentication, but for spending money.
4. Organized criminal groups appear to be responsible for only 39% of attacks. Can you provide more details?
This is partially due to the prevalence of Errors (which can be any number of internal actors) and due to an uptick in espionage in the public sector. Financial motivation is still the most common type of motivation and the one most organizations should likely plan to prevent. When you remove Errors and public sector breaches, Organized Crime is 57 percent of breaches with State-affiliated being the next closest at 16 percent.
5. What did you enjoy the most about working on the 2019 report?
The ‘Paths’ section was most enjoyable and provides opportunities for defenders, such as:
- Defenders can pick where they want to meet the attacker in the path. Is it more beneficial to mitigate the first actions the attacker takes, the ending actions, or something in the middle? All that matters is that the attacker’s overall path fails (see figure 30).
- Defenders can work to lengthen the attack path. Longer attack paths are less appealing to the attacker and more likely to fail. If organizations can make the attacker take more actions (even if they have a moderate or good chance of succeeding), it helps the organization’s defense (see figures 29 and 24).
- Organizations can potentially guess what actions they didn’t detect based on what actions they did see. (figures 31 to 33). For example, malware rarely starts an attack. Phishing rarely ends an attack. If an organization sees either, it can infer that there are actions they didn’t detect.