
Reviewing the 2017 Verizon DBIR

Amherst Security Group May 10, 2017

Robert Hurlbut RobertHurlbut.com • @RobertHurlbut

Robert Hurlbut

Software Security Consultant, Architect, and Trainer

Owner / President of Robert Hurlbut Consulting Services
Microsoft MVP – Developer Security 2005-2009, 2015, 2016
(ISC)2 CSSLP 2014-2017
Co-host with Chris Romeo – Application Security Podcast

Contacts Web Site: https://roberthurlbut.com Twitter: @RobertHurlbut, @AppSecPodcast

© 2017 Robert Hurlbut Consulting Services

Disclaimer

I am not an employee of Verizon or their affiliates. All views, opinions, and biases are representative of my own independent research of the 2017 Verizon DBIR, unless noted.


What is the Verizon DBIR?

The Verizon Data Breach Investigations Report (DBIR) was first released in 2008 with breach data from a single organization: Verizon. It has been released annually since then; the 2017 report is the tenth edition.

The latest report (released April 27, 2017) aggregates breach data from 65 contributing organizations.

Definitions (from report)

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Definitions (from the report)

VERIS Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and responsible manner.


Incident/breach eligibility

The incident must have at least seven enumerations (e.g. threat actor variety, threat action category, variety of integrity loss and so on) across 34 fields, OR be a DDoS attack. Exceptions are made for confirmed data breaches with fewer than seven enumerations. In all cases the incident must have at least one known VERIS threat action category (hacking, malware and so on).

Incident Classification Patterns

1. Denial of Service
2. Privilege Misuse
3. Lost and Stolen Assets
4. Everything Else
5. Point of Sale
6. Miscellaneous Errors
7. Web App Attacks
8. Crimeware
9. Payment Card Skimmers
10. Cyber-Espionage
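The eligibility rule and the pattern list above are both defined over VERIS fields, so they can be applied mechanically to VERIS-shaped records. The following is an added example written for this review, not code from the DBIR, the veris repository or the speaker: the record layout mimics the public VERIS JSON sections (actor, action, asset, attribute), but the way enumerations are counted, the eligibility thresholds and the pattern rules (including their order) are simplified assumptions for illustration, not the report's published methodology. The four incidents are constructed, not VCDB data.

```python
"""Simplified VERIS handling: the DBIR eligibility filter and pattern tagging.

Added example, not the DBIR's or the veris repo's code. Record layout mimics the
VERIS JSON schema; counting rules, thresholds and pattern rules are ASSUMPTIONS.
"""

# VERIS threat action categories; the report requires at least one known category.
ACTION_CATEGORIES = {"hacking", "malware", "social", "misuse", "physical", "error", "environmental"}
MIN_ENUMERATIONS = 7  # "at least seven enumerations" from the eligibility rule

# Constructed sample incidents (not real VCDB records).
SAMPLE_INCIDENTS = [
    {  # organized crime phishes for credentials, then logs in to a web app
        "incident_id": "sample-1",
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "action": {
            "social": {"variety": ["Phishing"], "vector": ["Email"]},
            "hacking": {"variety": ["Use of stolen creds"], "vector": ["Web application"]},
        },
        "asset": {"assets": [{"variety": "S - Web application"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Yes", "data": [{"variety": "Credentials"}]}},
    },
    {  # DDoS: sparse record, eligible only through the DoS exception
        "incident_id": "sample-2",
        "actor": {"external": {"variety": ["Unknown"]}},
        "action": {"hacking": {"variety": ["DoS"]}},
        "attribute": {"availability": {"variety": ["Degradation"]}},
    },
    {  # insider privilege abuse with confirmed disclosure: under seven fields, but a breach
        "incident_id": "sample-3",
        "actor": {"internal": {"variety": ["System admin"], "motive": ["Financial"]}},
        "action": {"misuse": {"variety": ["Privilege abuse"], "vector": ["LAN access"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes", "data": [{"variety": "Personal"}]}},
    },
    {  # no threat action category at all: never eligible
        "incident_id": "sample-4",
        "actor": {"internal": {"variety": ["End-user"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Potentially"}},
    },
]


def count_enumerations(record):
    """Count populated leaf fields, ignoring 'Unknown' (simplified stand-in for the
    report's count of enumerations across its 34 fields)."""
    def walk(node):
        if isinstance(node, dict):
            return sum(walk(v) for k, v in node.items() if k != "incident_id")
        if isinstance(node, list):
            if node and all(isinstance(x, (dict, list)) for x in node):
                return sum(walk(x) for x in node)
            return 1 if any(x != "Unknown" for x in node) else 0
        return 1 if node not in ("", None, "Unknown") else 0
    return walk(record)


def is_ddos(record):
    return "DoS" in record.get("action", {}).get("hacking", {}).get("variety", [])


def is_confirmed_breach(record):
    """Breach = confirmed disclosure ('Yes'), not 'Potentially' (the report's definition)."""
    return record.get("attribute", {}).get("confidentiality", {}).get("data_disclosure") == "Yes"


def is_eligible(record):
    """Known action category is mandatory; then seven enumerations, or a DDoS,
    or a confirmed breach with fewer fields."""
    if not any(cat in ACTION_CATEGORIES for cat in record.get("action", {})):
        return False
    return (count_enumerations(record) >= MIN_ENUMERATIONS
            or is_ddos(record) or is_confirmed_breach(record))


def classify_pattern(record):
    """Tag one of the nine named patterns, else 'Everything Else'. First match wins;
    rule order and the rules themselves are an assumption, not the DBIR's code."""
    action = record.get("action", {})
    external = record.get("actor", {}).get("external", {})
    assets = {a.get("variety", "") for a in record.get("asset", {}).get("assets", [])}
    physical = set(action.get("physical", {}).get("variety", []))
    if is_ddos(record):
        return "Denial of Service"
    if "Skimmer" in physical:
        return "Payment Card Skimmers"
    if "Espionage" in external.get("motive", []) or "State-affiliated" in external.get("variety", []):
        return "Cyber-Espionage"
    if "Theft" in physical or "Loss" in action.get("error", {}).get("variety", []):
        return "Lost and Stolen Assets"
    if "misuse" in action:
        return "Privilege Misuse"
    if "error" in action:
        return "Miscellaneous Errors"
    if any(a.startswith("T - POS") or a.startswith("S - POS") for a in assets):
        return "Point of Sale"
    if any(a.startswith("S - Web") for a in assets) and ("hacking" in action or "malware" in action):
        return "Web App Attacks"
    if "malware" in action:
        return "Crimeware"
    return "Everything Else"


def summarize(records):
    """Map incident_id -> (enumeration count, eligible?, breach?, pattern)."""
    return {r["incident_id"]: (count_enumerations(r), is_eligible(r),
                               is_confirmed_breach(r), classify_pattern(r)) for r in records}


if __name__ == "__main__":
    for incident_id, row in summarize(SAMPLE_INCIDENTS).items():
        print(incident_id, row)
```

The point to notice is sample-3: six populated fields would fail the seven-enumeration test, but the record is a confirmed breach (`data_disclosure` of "Yes", not "Potentially"), so the exception keeps it in, which is exactly the incident-versus-breach distinction from the definitions slide.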

Verizon 2017 DBIR, page 3

Verizon 2017 DBIR, page 5

Verizon 2017 DBIR, page 6

ESP = Espionage motive OR state-affiliated OR nation-state actors
FIG = Fun, Ideology, Grudge motives
FIN = Financial motivation OR organized criminal group actors
C2 = Stolen credentials

Note: Financial motivations and espionage account for 93% of breaches analyzed.

Verizon 2017 DBIR, page 7

Verizon 2017 DBIR, page 8

Key Industries

Accommodation and Food Services
Educational Services
Financial Services
Healthcare
Information
Manufacturing
Public Administration
Retail

Verizon 2017 DBIR, page 9

Incidents (left) vs Breaches (right) counts by Industry

Verizon 2017 DBIR, page 10

Incidents (left) vs Breaches (right) by Industry

Verizon 2017 DBIR, page 11

Verizon 2017 DBIR, page 12

Example: Financial threat actions

Verizon 2017 DBIR, page 20

Example: Financial recommendation

Verizon 2017 DBIR, page 21

Example: Healthcare

Verizon 2017 DBIR, page 22

Summary of Industry Findings

The top three industries for data breaches were: financial services (24%), health care (15%), public sector (12%).

For financial services, the top two motives were: financial gain (72%) and espionage (21%)

The motives were flipped for the public sector, with: espionage (64%) and financial gain (20%)


Social attacks - Phishing for data

Verizon 2017 DBIR, page 35

Verizon 2017 DBIR, page 38

Incident Classification Patterns

Recommendations (summaries from “Things to Consider”)

Use two-factor authentication across all websites and for privileged access to sensitive internal systems
Change default passwords and use strong passwords
Ensure DoS protection of external websites

Recommendations (summaries from “Things to Consider”)

Insider Threats:
Periodically monitor employee activities
Don’t give employees more permissions than they need
Disable accounts upon employee departure
Use “warning banners” on systems so employees are aware of policies and know that their activities are being monitored

Miscellaneous errors:
Have a second person sign off on publishing content to websites or on changes
Have a good policy for handling and disposal of sensitive data (such as data stored on hard drives or printed on paper)
Encrypt laptops (use whole-disk encryption) and mobile devices
Back up systems routinely

Recommendations (summaries from “Things to Consider”)

Have good business continuity and disaster recovery plans for your critical systems and applications
Keep software up to date (OS, web apps, plug-ins)
Segregate networks based on data sensitivity (for example, keep retail POS or customer database systems separate from the rest of the internal network)
Monitor egress points to prevent data loss
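Two of the insider-threat recommendations above, disabling accounts on departure and not granting more permissions than a role needs, are checkable by reconciling the directory against the HR roster. The following is an added example written for this review (not from the report or the speaker) that does that reconciliation over constructed inputs: the roster, the directory export, the role-to-group entitlement map and the service-account allowlist are all assumed stand-ins for whatever an organization actually exports from its HR system and directory.

```python
"""Offboarding and least-privilege reconciliation against an HR roster.

Added example, not from the DBIR or the speaker. Cross-checks a directory export
against HR so that departed-but-enabled users, accounts HR has never heard of, and
group memberships beyond a role's allowance surface as findings. All data is
constructed; the role-to-group map and service-account list are assumed policy.
"""
from datetime import date

AS_OF = date(2017, 5, 10)  # review date for the constructed data (the talk date)

# Constructed inputs: stand-ins for an HR export and a directory dump.
HR_ROSTER = [
    {"user": "alice", "role": "developer", "status": "active"},
    {"user": "bob", "role": "finance", "status": "terminated", "end_date": "2017-04-30"},
    {"user": "carol", "role": "helpdesk", "status": "active"},
]
DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": ["developers", "domain-admins"]},
    {"user": "bob", "enabled": True, "groups": ["finance"]},
    {"user": "carol", "enabled": True, "groups": ["helpdesk"]},
    {"user": "dave", "enabled": True, "groups": ["finance"]},
    {"user": "svc-backup", "enabled": True, "groups": ["backup-operators"]},
]
# Assumed policy: the groups each role is entitled to; anything else is excess.
ROLE_GROUPS = {"developer": {"developers"}, "finance": {"finance"}, "helpdesk": {"helpdesk"}}
SERVICE_ACCOUNTS = {"svc-backup"}  # owned non-human accounts, reviewed separately


def audit_accounts(roster, directory, role_groups, service_accounts, today):
    """Return sorted (user, finding, detail) tuples for enabled human accounts."""
    hr = {r["user"]: r for r in roster}
    findings = []
    for acct in directory:
        user = acct["user"]
        if user in service_accounts or not acct["enabled"]:
            continue  # disabled accounts are the desired end state; skip them
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "orphan", "enabled account with no HR record"))
            continue
        if rec["status"] != "active":
            days = (today - date.fromisoformat(rec["end_date"])).days
            findings.append((user, "departed-enabled", f"still enabled {days} days after departure"))
        excess = set(acct["groups"]) - role_groups.get(rec["role"], set())
        if excess:
            findings.append((user, "excess-privilege", "groups beyond role: " + ", ".join(sorted(excess))))
    return sorted(findings)


def run_audit():
    """Run the audit over the constructed data as of AS_OF."""
    return audit_accounts(HR_ROSTER, DIRECTORY, ROLE_GROUPS, SERVICE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding, sep=" | ")
```

Run on a schedule, the "departed-enabled" finding is the control behind "disable accounts upon employee departure", and the "excess-privilege" finding is the periodic check behind least privilege; the orphan case catches accounts created outside the joiner process, which HR can never flag for removal because it never knew about them.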

Look at nomoreransomware.org

Verizon 2017 DBIR, page 37

Extra: DRAFT NIST SP 800-63-3 Digital Identity Guidelines (the memorized-secret rules are in SP 800-63B)

Some password security recommendations:
Remove periodic password change requirements
Drop the algorithmic complexity song and dance
Require screening of new passwords against lists of commonly used or compromised passwords

https://pages.nist.gov/800-63-3/
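To make the contrast concrete, here is an added example written for this review (not code from NIST, the report or the speaker) that puts a legacy composition-rule check next to a screening check in the spirit of the draft 800-63B guidance: NFKC normalization, a length floor, no character-class rules, and rejection of blocklisted, username-derived and context-specific values. The blocklist and the context words are constructed stand-ins; a real deployment would load a breached-password corpus, and the case-insensitive comparison and the 64-character cap are assumptions of this example.

```python
"""Password acceptance in the spirit of draft SP 800-63B versus legacy complexity rules.

Added example, not NIST's, the report's or the speaker's code. Blocklist, context
words, case-insensitive matching and the 64-character cap are assumptions.
"""
import unicodedata

MIN_LENGTH = 8   # 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64  # assumed cap; 800-63B says at least 64 characters should be allowed

# Constructed stand-in for a list of commonly used / compromised passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd"}
CONTEXT_WORDS = {"acme", "acmecorp"}  # assumed service name and variants


def legacy_complexity_ok(password):
    """The 'complexity song and dance': upper + lower + digit + symbol, 8+ chars.
    Accepts 'P@ssw0rd', rejects a long lowercase passphrase."""
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= MIN_LENGTH and all(classes)


def evaluate_password(candidate, username=""):
    """Return (accepted, reason). No composition rules and no expiry; spaces and any
    printable Unicode are fine once NFKC-normalized, which also defeats look-alike
    characters used to slip a blocklisted word past an exact-match check."""
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    folded = pw.casefold()  # assumption: blocklist comparison is case-insensitive
    if folded in BLOCKLIST:
        return False, "on blocklist"
    if username and username.casefold() in folded:
        return False, "contains username"
    if any(word in folded for word in CONTEXT_WORDS):
        return False, "contains context word"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "correct horse battery staple", "ｐａｓｓｗｏｒｄ", "alice2017!!"]:
        print(repr(pw), "legacy:", legacy_complexity_ok(pw), "800-63B:", evaluate_password(pw, "alice"))
```

The fullwidth "ｐａｓｓｗｏｒｄ" case is why normalization comes before the blocklist lookup: without NFKC it is eight code points that match nothing in the list, and with it the value collapses to "password".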

Resources

Verizon 2017 Data Breach Investigations Report (DBIR)

https://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf

Verizon 2017 Data Breach Digest – RSA Conference 2017

https://www.rsaconference.com/writable/presentations/file_upload/lab4-r12_data-breach-digest-perspectives-on-the-human-element_copy1.pdf


VERIS Resources

http://veriscommunity.net Features information on the framework with examples and enumeration listings

https://github.com/vz-risk/veris Features the full VERIS schema

https://github.com/vz-risk/vcdb Provides access to database on publicly disclosed breaches, the VERIS Community Database


Questions?

Contacts

Web Site: https://roberthurlbut.com Twitter: @RobertHurlbut, @AppSecPodcast Email: robert at roberthurlbut.com
