Key Lessons from the 2016 Verizon Data Breach Incident Report

The annual Data Breach Incident Report (DBIR) is out and reinforcing the value of well-established cybersecurity practices.  The good folks at Verizon Enterprise have once again published one of the most respected annual reports in the security industry, the DBIR. 

The report sets itself apart with the author intentionally avoiding unreliable ‘survey’ data and instead striving to truly communicate what is actually happening across the cybersecurity breach landscape.  The perception of security typically differs greatly from reality, so this analysis provides some of the most relevant lessons for the field.

Report data is aggregated from real incidents that the company’s professional security services have responded to for external customers.  Additionally, a large number of security partners now also contribute data for the highly respected report.  Although this is not comprehensive across the industry, it does provide a unique and highly-valuable viewpoint, anchored in real incident response data.

Many of the findings support long-standing opinions on the greatest cybersecurity weaknesses and best practices.  Which is to say, I found nothing too surprising and it does reinforce the current directions for good advice.

Key Report Findings:

  1. Human Weaknesses
     • 30% of phishing messages were opened by their intended victim
     • 12% of those targets took the next step to open the malicious attachment or web link
  2. Ransomware Rises
     • 39% of crime-ware incidents were ransomware
  3. Money for Data
     • 95% of data breaches were motivated by financial gain
  4. Attackers Sprint, Defenders Crawl
     • 93% of data breaches were compromised in minutes
     • 83% of victims took more than a week to detect breaches
  5. Most of the Risk is from a Few Vulnerabilities
     • 85% of successful traffic was attributed to the top 10 CVE vulnerabilities.  Although difficult to quantify and validate, it’s clear that top vulnerabilities should be prioritized.

Key Lessons to Apply:

  1. Train users. Users with permissions and trust are still the weakest link.  Phishing continues to be highly effective: attackers leverage poorly trained users to gain access.
  2. Protect financially-valuable data from confidentiality, integrity, and availability attacks. Expect attacks and be prepared to respond and recover.
  3. Speed up detection capabilities. Defenders must keep pace with attackers.  When preventative controls fail, it is imperative to quickly detect the exploit and maneuver to minimize overall impact.
  4. Patch top vulnerabilities in operating systems, applications, and firmware. Patch quickly or suffer.  It is a race; treat it as such.  Prioritize the work based upon severity ranking.  Serious vulnerabilities should not languish for months or years!

This is just a quick review.  The report contains much more information and insights.  I recommend reading the Executive Summary or the full DBIR Report.

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Matthew Rosenquist

CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers

8 years ago

There will be an upcoming twitter #SecChat, sometime in mid-late June, where we can discuss the data value, expectations, and recommended usage as part of best practices. As soon as I get the dates, I will post the details. Hope you all join (and bring your tough questions!) so we can discuss together.

Sidney V.

OT Cyber Security Management

8 years ago

I read the report when it was published. Much of the data in it was inconstant, and I did raise a couple of question marks with Verizon; however, I didn't receive any feedback yet.

Benjamin An

EY Associate Director

8 years ago

Thank you Matthew for writing a concise summary. It is an excellent read!

Brad Walden

Senior Sales Engineer at Fortinet

8 years ago

Be careful of the exploit analysis and numbers. Many flaws have been called out.
