04 February 2014
Questioning Security Paradigms
Verizon has released its annual report on data breach investigation for 2013. The data breach report is a barometer of sorts for the infosec industry. Organised surveys about incidents and data breaches are few and far between in the infosec world. It is surprising, however, that the industry tends to ignore key findings of these reports and continues on its path of inertia. Here are a few key observations from the report that question our regular security paradigms:
Insiders - Outsiders
92% of reported breaches were perpetrated by outsiders! Let me repeat that for emphasis. 92% of reported breaches were perpetrated by outsiders. This is consistent with the data breach report of 2012. For more than a decade, infosec professionals have been harping on the line “80% of security breach is from insiders.” Is this no longer true? Do we take our good, old, dependable cliché and throw it out of the window? Maybe. Maybe not. It is possible that many insider breaches do not get detected, or if they do get detected, they do not get reported. It is also quite possible that organisations have strengthened controls from the inside (based on consultants’ ramblings for decades) and this threat has been controlled. Well, all said and done, it is time to start questioning this cliché.
That’s right. BYOD is conspicuous by its absence. Threats to user-owned mobile devices… where art thou? I have written about my views of BYOD here. There is a short note in the report saying that BYOD threats are not significant yet. Can we now take a small break in our race of getting MDM products and read the statistics please?
Malware - and we thought our anti-virus was good enough!
10 of the top 20 threat actions are related to ‘Malware’. Almost half of all Malware is spread by users opening email attachments! Please fish out last year’s training sheets and measure the effectiveness of those trainings. What is worse is that nobody knows where 10% of the Malware came from. Infosec professionals need to rethink their strategy. We probably need to move from the ‘Do you have anti-virus? Is it updated?’ tick-in-the-box checklist to something more. One of my clients recently had a ransomware incident. Malware is getting more powerful; are we getting smarter?
To sum up...
There are very few reports that focus on breaches of information security in a formal manner. It is time we made use of these to improve our information security. Security researchers are trying to do this. I came across an interesting paper here. It is time for infosec professionals to shed the inertia and start thinking different. The statistics are there for all to see. Verizon's report can be downloaded from here.