Verizon's yearly reminder that we're still useless at infosec

Another annual dollop of delicious data shows that despite all the trendy new twists and exotic malware threats, we're still getting the security basics wrong.
Written by Stilgherrian , Contributor

April is peak season for vendor-sponsored reports on the information security threat landscape and related analysis. Vendors are competing to frame the debate at next week's RSA Conference in San Francisco and other events. They hope that their explanation of the world makes the most sense to the pointy-haired bosses, so that their products seem most appropriate to counter with those threats, leading to a sale or three.

Chief amongst these, in my oft-repeated opinion, is Verizon's Data Breach Investigations Report (DBIR). It's respected because it's based on a comprehensive analysis of actual data breaches, with input from many infosec firms, computer emergency response teams (CERTs), and law-enforcement agencies -- and because it's written in an accessible, no-BS style. And it has jokes.

The DBIR is great at deflating hype balloons. This year, as Violet Blue reported, it acknowledges that Android is a mess, but that the mobile malware epidemic is a myth.

"We've come to the same data-driven conclusion year after year: Mobile devices are not a preferred vector in data breaches," Verizon wrote. "Before we get too far, let's just get this out of the way now -- Android wins. Not just wins, but Android wins so hard that most of the suspicious activity logged from iOS devices was just failed Android exploits."

So what are the problems?

Well, oddly enough, they're much the same as in previous years.

"The industries most affected look remarkably similar to prior years, and the top three are exactly the same: Public, information, and financial services. Our overall take from these results remains consistent, as well: No industry is immune to security failures," Verizon wrote.

"Though the number of breaches per threat actor changes rather dramatically each year as we add new partners and more data, the overall proportion attributed to external, internal, and partner actors stays roughly the same."

We seem to be getting better at detecting data breaches. Around 23 percent of breaches are now discovered within days, compared with around 10 percent a decade ago. But the bad guys have been getting faster, too. In 60 percent of cases, attackers were able to compromise an organisation within minutes. And still, the majority of breaches remain undiscovered for weeks or even months. So, yes, we're getting better at defence, but the attackers are getting better at attack.

Actually, we're not getting better at defence. We fail to patch our systems. Verizon analysed data breaches against the common vulnerabilities and exposures (CVEs) that had been used to break in. "We found that 99.9 percent of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published," the company said. Not a good look.

There's plenty of fascinating detail in Verizon's analysis, such as the fact that "RAM scraping" has grown in a big way. That's when malware pulls data such as credit card numbers out of a computer's working memory -- because the data has to be unencrypted to be processed. "This type of malware was present in some of the most high-profile retail data breaches of the year, and several new families of RAM scrapers aimed at point-of-sale (POS) systems were discovered in 2014," Verizon wrote.

But there were two standout issues for me.

One was threat intelligence. This is the idea that companies and governments should share the details of the attacks they suffer, so that others can watch out for these new threats.

"Ideally, sharing intelligence should lead to a form of 'herd alertness', similar to the way plains animals warn each other when predators are nearby. This would seem to require that intelligence must be shared at a faster rate than the spread of attack in order to successfully warn the rest of the community," Verizon said.

The problem is, around 75 percent of attacks spread from victim zero to victim one in less than a day, and 40 percent take less than an hour.

"Organizations would need access to all threat intelligence indicators in order for the information to be helpful -- a herculean task," Verizon wrote. So why bother? Setting up an intelligence operations centre sounds mighty cool, but it's starting to look like it's a lot of activity and expense that does little to improve defences.

Two, phishing is very much still a thing. In fact, phishing seems to be a more effective attack these days. Around 23 percent of phishing emails get opened. "Departments such as Communications, Legal, and Customer Service were far more likely to actually open an email than all other departments. Then again, opening email is a central, often mandatory, component of their jobs," Verizon said.

"For two years, more than two thirds of incidents that comprise the cyber-espionage pattern have featured phishing."

Almost a year ago, I wrote that we don't need any more cyber 'wake-up calls'. We already know information security is in dire shape, so let's get on with fixing it. We do know how.

We need to focus on what delivers results most quickly, and research has shown that's things like the Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions or other research-based checklists, managed through continuous monitoring and measured risk reduction.

We need to increase everyone's ability to recognise and avoid attacks, not through cheesy theme songs, but proven programs like Dan Tentler's punch-in-the-face technique, or SANS' Securing the Human.

And we need better programming cultures and practices, to avoid repeats of OpenSSL's Heartbleed and Apple's goto fail.

Has anything actually changed? No, not really. We still fail to patch our systems and networks. We still fail to monitor the logs to detect breaches. And we still get phished because we fail to educate our people.

As I say, we do know what to do. Perhaps one year, we'll actually get around to doing it.

Editorial standards