A Security Researcher Provides His Initial Thoughts On The Verizon DBIR

A few days ago the Verizon Data Breach Investigations Report hit the streets. I covered that here, and it should be considered required reading by anyone who is responsible for keeping their enterprise secure. I wanted to get another view on the DBIR, so I am fortunate to have the initial thoughts of Keatron Evans, principal security researcher at Infosec Institute.

Supply Chain is still top of mind and a serious threat. When we look at the other top items on the list from this report, they are intrinsically linked to the supply chain. Several high-profile Ransomware attacks were at the hands of vendors or suppliers. Several intrusions not involving Ransomware were due to vendors and suppliers. It’s great to see this report finally confirm this, but we’re still not any closer to a solution than we were when the “Winds of Solar” supply chain breach shook the world. 

NOTE: Keatron will be speaking about securing the supply chain at RSA.

82% of actual breaches had a human element to them according to the DBIR. Social Engineering, primarily phishing, still leads the way for most data breaches. Credentials fall right behind it. But it’s worth mentioning the relationship between the two. Oftentimes the reward of successful phishing is credential harvesting. This keeps end-user security awareness, endpoint protection and EDR solutions in the lead as the best weapons to defend against the leading breach avenues. There is also a mention of Pretexting and Business Email Compromise being key drivers for this. I can cite our own internal numbers. Among all of my clients that are companies with 100 or more employees, we’ve had to assist with Business Email Compromise attacks against at least one executive at each organization. So this mirrors what we are seeing at our own micro-level.

It’s no surprise that training has its own section in the report. There is a very timely mention of how long training can take depending on the outcomes. I tell students all the time: getting certifications can happen quickly, learning how to do something could take considerably longer than “quickly”, and changing will inevitably take much, much longer than “quickly”. In an article I published last year, I proposed that doing intense skills training for IT and cybersecurity staff had a greater net improvement impact on cybersecurity than end-user awareness training does. The statements made in this report about training developers and engineers on security, since they build the systems, are timely statements and I believe they are right on point. This again echoes my own data from our customers for whom we both train and provide penetration testing and other services.

One of my main concerns with the findings is that while we are improving on remediation, we are still remediating the same things. The vulnerabilities being exploited are not often zero-day in nature; they’re well known and mostly patchable. A lot of the web application attacks, which seem to remain high, are based on stolen credentials, which blurs the actual issue: credentials are being stolen instead of bypassed by some advanced zero-day or next-generation attack. I think there are many great pieces of data uncovered by this report. We have to stay diligent in removing low-hanging fruit vulnerabilities because even advanced threat actors are using them. We must make sure we keep our people trained up to be able to combat the latest threats. And lastly, Ransomware is here to stay. It’s become too profitable and too easy.
