3 public sector takeaways from Verizon’s data breach report

Even as cyber attacks grow in complexity, many bad actors use same techniques that have been around for decades.

This is the main takeaway from Verizon’s highly anticipated Data Breach Intelligence Report, which looks at how enterprises can follow basic security protocols to help stem the rising tide of attacks. Even with attacks reaching unprecedented levels, the report finds that many data breaches are beginning with simple phishing attacks or security holes created by human error.

With 70 contributors hailing from government agencies, Internet service providers and cyber forensic firms, the report provides a comprehensive look at a year when discussion of data breaches reached a fever pitch. Researchers poured over nearly 80,000 security incidences and more than 2,200 data breaches from 61 countries while writing the report.

FedScoop got an inside look at this year’s report and pulled out the most pressing points for the public sector. (The full report will be released Wednesday.) Take a look at a few of the highlights below.

When it comes to info sharing, quickness beats quantity, quality

A heavy portion of the data Verizon collected shows that once attackers have moved past an enterprise’s defenses, they are moving on to a second target as fast as they can. According to the report, 75 percent of attacks spread from the first to second victim within 24 hours, with more than 40 percent hitting the second organization in less than an hour.

The report finds that the speed and amount of information sharing is on the rise, but more must be done to combat breaches.

Stephen Brannon, a principal with Verizon’s Cyber Intelligence Center, told FedScoop a good first step would be to increase the quality of the information sharing because every enterprise has unique challenges that others may never be aware of. If enterprises want to move toward something resembling “herd immunity,” as he called it, they need to be as fast as they are thorough with the information they are sharing.

“If you are going to use information sharing to create a sort of herd immunity to prevent attacks, you got to be really good and really fast with the information sharing,” Brannon said. Enterprises “can’t be sending email about it, it has to be automated.”

Stop worrying about mobile malware

For all the hand wringing about bring your own device, or BYOD, and cries about mobile being a new threat vector, Verizon just doesn’t see the data to support those claims.

“Every year, we’ve heard people say, ‘There are people hacking phones to get back into the enterprise,’ and we just don’t see that in our data about breaches,” Brannon said. “It’s a much smaller problem than everyone is worried about. Mobile devices are just not a common vector for data breaches.”

The report’s authors poured through Verizon’s data and found that of the tens of millions of phones in use per week, an average of 100 phones showed signs of having malware in their system. Of the malware that was discovered, Verizon described it as “annoyance-ware,” adware used to collect data about the user instead of focusing on the contents of the phone.

“It’s just trying to get a little bit of personal information or trying to get money through some kind of fraud,” Brannon said. “It’s not being used in the security scenario of a data breach.”

Brannon said the only way he sees a rise in data breaches through mobile devices is if enterprises stop making it easy for attackers to access networks through other means, leaving mobile devices the attackers’ only resource for carrying out their intrusions.

“If we raise the bar and come back two or three years from now and hackers can’t get in the easy way anymore through other vectors, then they might go to mobile,” Brannon said. “Until that, hackers will go in straight through our computers.”

Focus on security fundamentals

When it came to public sector breaches, the report found familiar instances of what caused each breach. The top two reasons for public sector breaches were attributed to “crimeware” (malware infections within organizations that are not associated with more specialized classification patterns) and miscellaneous human errors, like bad patching or lax security practices.

“When we track back to who is the threat vector, 60 percent were system administrator errors,” Brannon said. “It’s not to say there are people doing bad things or purpose. Just by the numbers, there are a lot of system administrators making mistakes that are leading to data breaches.”

With both instances, Brannon said organizations could rely on simple fixes that have been around for a number of years: Establish two-factor authentication and make it easier to see who is accessing certain forms of data on the network.

“So many of these attacks take out the password one way or another: They guessed it, they got it through a keylogger, they stole it,” Brannon said. “If there had been some second factor: a PCI card or a security token, that would have prevented it or made the attack much, much harder.”

The report concludes that this heightened visibility can go a long way toward preventing breaches or dropping a significant amount of a security budget on an elaborate suite of tools.

“I feel like there are a lot of people selling really cool and really shiny security things, but really good filtering and monitoring of what’s coming in and out of your organization through email and Web is where you are going to be able to stop a lot of the things that are still getting in,” Brannon said.

The 2015 report can be downloaded in full on Verizon’s website.