Verizon breach report: bad news and worse news

The trouble with reports such as Verizon’s deeply detailed 2015 Data Breach Report is that they make for such interesting reading, even while they effectively depress the hell out of everybody.

The very first element in the report talks about “victim demographics,” and carries a graphic that depicts in red where incidents and breaches happened around the world. The whole of North America, Australia, Russia, most of Europe and Asia, and a good part of Latin America are a deep crimson. The only place not well colored is Africa, but that’s probably due more to the fact that few of the organizations reporting breaches to Verizon actually operate there.

But then there are the interesting bits. The public sector once again seems to be the major casualty when it comes to data breaches, with over 50,000 security incidents tallied during the year, far more than other sectors reported. However, as Verizon itself points out, that’s misleading, since there are many government incident response teams participating in the survey and they handle a high volume of incidents, many of which fall under mandatory reporting regulations.

The number of confirmed data losses probably paints a more accurate picture. With over 300, the public sector had the highest number (other than the “unknown” sector), but it wasn’t that far ahead of the financial services industry. Manufacturing took the third-place slot.

Depression returns when the report looks at some of the threats and how successful they are. How long, for example, have we been told to regard all unsolicited offers online as suspicious? Social engineering has for years been attackers' best way to get inside organizations, and phishing once again tops the Verizon threat list. For the past two years, phishing has been a part of more than two-thirds of the cyber-espionage pattern Verizon tracks.

And no wonder, since the ROI for the bad guys is apparently so good. Some 23 percent of the recipients of these emails open them, according to the report, and 11 percent click on the attachments. The numbers, Verizon said, show that a campaign of just 10 emails yields a greater than 90 percent chance that at least one person will fall prey to the phishers. A test conducted for the report showed that nearly half of users open emails and click on links within the first hour of one of these phishing campaigns.

A separate study, sponsored by KnowBe4, confirms that email spear phishing is the number one source of data breaches, with human error following that. Education of users is seen as the best solution, and every government agency says it has programs that are meant to bring users up to speed on the dangers, but that depends on what your definition of “program” is.

The organizational approach to user education is a big part of the problem, according to KnowBe4 chief executive Stu Sjouwerman. For compliance reasons, he said, “too many companies still rely on a once-a-year ... ‘death by PowerPoint’ training approach, or just rely on their filters, do no training and see no change in behavior.”

And then there are vulnerabilities. Notice all of those notifications you get about upgrades to operating systems and apps? Many them involve security upgrades to patch vulnerabilities that have been found, and it’s the same for enterprise systems. The past year seemed to surface an especially large number of vulnerabilities, including three alone involving the key OpenSSL security protocol, and which resulted in the now infamous Heartbleed bug, among others.

According to a study of the exploit data reported for the Verizon report, fully 99.9 percent of the exploited vulnerabilities were still being compromised more than a year after they were reported. The lesson? Don’t just patch in response to announced “critical” vulnerabilities, but patch often and completely. The report “demonstrates the need for all those stinking patches on all your stinking systems,” its authors said.

The Verizon report wasn’t a complete downer, though. It looked at the security problems surrounding mobile devices, for example, which have been a focus of government for some years and have been a major reason for the anemic uptake of bring your own device programs in agencies. But a forensic examination of the breach data surrounding mobile showed that less than 1 percent of smartphones used on the Verizon Wireless system — the biggest in the U.S. — were infected with malware. A minuscule number of the devices carried what Verizon called “high-grade” malicious code.

Given the detail in the report, just about every organization can get something from it, though coming up with an overall conclusion about the state of cyber security is tougher. For the report’s authors, however, the practical solutions are tried and true, if a bit tedious.

“Don’t sleep on basic, boring security practices,” they say. “Stop rolling your eyes. If you feel you have met minimum-security standards and continue to validate this level of information, then bully for you! It is, however, still apparent that not all organizations are getting the essentials right.”

That’s probably an understatement.