Wednesday, May 4, 2011

Verizon DBIR (or, I told you so)

Now that I’ve had over a week to read, re-read, digest, etc.

I told you so.  For all the scary, uber-sophisticated attacks we run off to conferences to see, and all the amazing feats of exploitation we hear about, real-world compromises are most often exploiting basic failures in security.  If you are a regular reader of the Verizon Data Breach Investigations Report you will know that the DBIR has again confirmed our failure to secure the basics.

That is a pretty gross oversimplification, but it is true.  This year’s report reflects a pretty significant shift from the enterprise to SMB, and has some interesting data.  One thing that many have latched on to is the rise in the number of breaches, but significant drop in the number of records breached in 2010; if Verizon’s numbers reflect the world at large we will see a stunning reversal in the 2011 data.  This anomaly doesn’t alter the value of DBIR data, but it highlights the difficulties in making pronouncements based on a single report.

Before we go on, some background information will be useful.  The Verizon report includes both Verizon and US Secret Service data, and while it represents hundreds of cases the experience is far from universal.  There is a lot of selection bias at play, and that narrows the scope of the results.  See my recent How to misinterpret the Verizon DBIR post for more thoughts on interpreting the report.

As far as the substance of the report, there are a handful of things I find insightful, or at least interesting:

  • The “internal threat” is real.  Just not a big deal compared to outsiders kicking our butts.  And, the insider take tends to be smaller than that of external attackers.
  • 83% of victims were targets of opportunity.  Too many people are still making it easy.
  • Speaking of… 92% of attacks were “not highly difficult” per Verizon.  Even if we argue about the ones Verizon labels “moderate”, there are still 43% of attacks in the “stupid easy” category.  (OK, technically speaking, Verizon refers to 6% with a difficulty of “none” and 37% “low”).
  • 89% subject to PCI-DSS had not even achieved compliance with this fraudulently imposed sub-minimum sub-standard.  (Sorry, I may have let a little editorializing slip in there).

Continuing trends included:

  • Organizations not knowing where their stuff is and how it can be accessed (the unknown unknowns) appears to be improving, but it is still a big problem.
  • Organizations do not log everything they should, but it is OK, because they don’t look at the logs anyway.  At least not until it is too late.
  • And how do they know it is too late?  Again, third parties are much more likely to discover a breach than the organizations themselves.

There are a lot of ATM, gas station, and other POS (point of sale) system attacks in this year’s report, largely split into two categories: physical compromise of ATM and gas station card readers, and exploitation of remote access deficiencies in POS systems.  While the remote access attacks fit in with our traditional idea of criminals attacking computer systems, the physical installation of skimmers on ATMs and gas pumps does not.  It is hard to look cyber when you are standing at the location of the compromise carrying hardware and wearing a toolbelt.

I like this report more each year.  BUT, there are things which make me nuts.  If I could have two things from the DBIR team they would be:

  • More raw data.  Give me the numbers.  I understand that too much detail could undermine the anonymization, but I want more raw data.  (Yes, I’m one of those folks who generally believes good data visualization means a readable font in the spreadsheet).
  • An adult version of the report.  Take out the redundant high-point popups, they’re a distraction to those of us who really read the report.  Pull out some of the infographics, too (see above). I’ll read the whole report, with highlighter and pen in hand, more than once, and decide what is important to me.

That’s enough from me - there are already more than enough summaries of the DBIR out there.