By Mark Rasch
Security Evangelist
Verizon Enterprise Solutions
July 29, 2016

The biggest obstacle to building an effective information program at many institutions – particularly small and medium sized businesses (SMB’s) – is not a lack of resources, a lack of knowledge, or a lack of technology.  Typically, the biggest obstacle is complacency.  When meeting with senior corporate or government officials (in non-regulated environments) you will often hear expressions of concepts like “we would never be a target of hackers,” or “we don’t have anything anyone would want” or “we’re too small for anyone to care about.”

While the security demands of SMB’s are different from large government agencies or multinational corporations, the vulnerabilities are potentially more severe.  SMB’s that suffer significant attacks may never recover – they may be forced to close up shop because of a ransomware attack, or because their clients and customers have lost faith and confidence in their ability to do their job or to protect their data.  That’s why attention must be paid.

The answer to the “we don’t have anything anyone would want” argument is easy to address.  Ask the question, “What would happen to my enterprise if… what would happen if the data I collected (including HR data, sales, costs, marketing, compliance, and strategy information) was no longer confidential.”  And, as we have learned from the recent DNC hack, there’s much more in your information systems than you think – and much more potential damage from its release than you think.  Company employees can be DOX’ed, targeted, harassed and otherwise attacked as a result of (or as the goal of) a data breach.

So the first step is a comprehensive assessment.  But not the kind you’re likely thinking of.  It’s not sufficient to assess your technology – how many servers, how many computers, how many ports open, etc.  That’s a technology assessment.  What you want to do is to assess the business impact of a potential breach as well.  What are the critical systems AND the critical data in those systems – and why is it critical?  When DNC officials were sending routine emails discussing strategy and tactics they probably didn’t consider these emails (or the email system on which they resided or were transported) to be particularly critical.  And that points out another problem with how we typically prioritize security.  We look at securing the device – the container – the transport channel, rather than looking to secure the information in it.  We treat e-mail, for example as a system that needs to be secured, documents as another system, stored files as another, and so on.  But e-mail is just a means for communicating.  There are sensitive e-mails and non-sensitive e-mails.  As a result, we either secure the trivial with a degree of security more reasonable for critical communications (a waste of resources) or secure the critical data at the level of the trivial security (vulnerability).  More often, we do a bit of both.  That’s why data classification and data segregation is also important; layers on layers of security. Even for SMB’s.

Security need not be prohibitively expensive.  Nor need it be unnecessarily complex.  But it should be done right to facilitate business.  And at the end of the day, isn’t that why you are in business in the first place?

by Wesley Hamrick
Analyst, Enterprise
Verizon Enterprise Solutions

The Verizon Data Breach Investigations Report (DBIR) has consistently shown that the number one threat to companies– is malicious code injected via successful phishing attacks.  It’s number one in 2016.  It was number one in 2015.  It was number one in 2014.  And so on, and so on.  So if a company were to target one vector and one solution to fix above all others, it would be phishing.

Easier said than done.

Successful phishing attacks exploit vulnerabilities and weaknesses in hardware, software, people and processes.  At the outset, they use data acquired through other means to engage in social engineering attacks against authorized users.  They use “legitimate” channels of communication – email, text, etc. to further their objectives.  They can use stolen or compromised accounts or credentials, spoofed or faked email addresses, or other indications of validity to trick users into clicking on or otherwise taking action in response to the communication.

The fraudsters lie, cheat, steal, cajole, and hack to get in and to get the user to click a link, go to a website, install software, provide information or otherwise respond.  These attacks can be as simple as installing clickbait, or as targeted and sophisticated as spear phishing (email that appears to come from someone you know) or whale phishing (emails targeted at company executives). Just as the attacks are layered and sophisticated, the defenses need to be as well.

Many phishing defenses rely on technology.  They block email from known spammers or known “bad” email addresses.  They filter, block and quarantine communications from suspicious sites, or which contain suspicious content or links.  E-mail links are disabled by default, executables are not supposed to run on the clean system, and known bad IP addresses are not supposed to be resolved.

But much of that is in theory.  You see, phishing attacks are dynamic and ever-changing.  The goal of the phisher is to get in without being noticed.  The phisher takes into account these known technology defenses.  Phishing mail will originate from a trusted IP address and email account, with a compelling subject line, and the link will not self-execute.  The malware will approximate “normal” behavior to avoid detection.  The IP address may be spoofed, proxied or from an anonymous source.

At heart, phishing is a human problem exacerbated by and potentially solved by humans.  Humans presented with phishing attacks often are easily deceived.  And the phishing attacks come back and in greater numbers.  The problem is that users who are the primary vehicle for phishing are poorly  trained.  By that, I mean that we “check the box” that the user sat through a 15 to 50 minute slide show or video extolling the harms of phishing, and then answered a few random multiple choice questions about the problem.  Even when effective,  such training, has a shelf-life of maybe a few weeks.

Anti-phishing awareness is best when  coupled with a bit of “light touch” testing.  A corporate-sponsored phishing attempt can redirect those who click links back to the training program as a refresher.  If it is not reinforced, it won’t be remembered.

Like everything else in security, it’s a matter of people, processes, technology, and policy.  But don’t forget the people because if you forget to teach the people security, they will forget to secure the network.

Author: Marc Spitler

May 12, 2016

After publishing the Data Breach Investigations Report for the ninth time, we have been on the business end of some sharp criticism for some data in the Vulnerability section. Specifically, a reference to the exploitation rates of vulnerabilities, which included a footnote with specific CVEs. This post is not an assault on any of the people in the information security community who called this out, the fact is valid points were raised and there is a lot that we agree on.

Using the CVEs listed in the footnote as the basis for decision making is not the key to success in vulnerability management and this was not the intended focus on the section. The issues with the underlying data that the list was derived from were acknowledged by the data contributor in several blog posts.  Relying on any Top X list of vulnerabilities is not recommended for any organization.

We felt (admittedly incorrectly) that relegating them this year to a footnote would direct the focus on the other points we wanted to make in this section. We are not discounting the criticism and, in hindsight, should have made our intended focus for the section more clear.

The intended focus of the section, as in the prior year, was to get readers thinking about vulnerabilities and patch management in a different way – to discourage merely playing vuln whack-a-mole and establish a more thought-out approach.

Our security incident and data breach data does not have a lot of CVE-level information in it, so we look to non-incident data to attempt to supplement and support the incident and breach data that is the core of the report. Addressing the specific CVE issue first, one of the main goals of the report is to highlight use of data to make your own decisions and the best data for an organization is going to be their own.

If you need to know what vulnerabilities are likely to affect your organization, don’t use the footnote, use your own vulnerability scan data and analyze those findings in the context of your organization. Prioritize findings with active exploits or proof-of-concept code available. Figure 10 shows at a high-level, that some types of vulnerabilities are typically exploited quicker than others. Again this is a start, no patch management philosophy should be ultra-focused on a single figure/study.

The desired takeaways from the section were designed to improve patching processes by providing data that:

1.  Offers high-level estimates on how quickly to patch new vulnerabilities
2.  Ensures older vulnerabilities are not ignored
3.  Promotes acceptance that some vulnerabilities will likely never be patched and to not assume eventual 100% patch implementation as part of your organization’s security strategy.

Bottom line: We don’t want this section to lead readers down an incorrect and/or myopic path any more than our harshest critics. When we reviewed this section we already had the goals in our minds and should have done better to look at it from the standpoint of a reader. This was made apparent by some of the readers and we appreciate your views. Seriously.

I also want to write about the reason that we started this publication in the first place. In 2008, there was a glaring need to arm the public with a study on what was actually happening in the real world. We realized that we had this data available to us in the form of case reports from our Investigative Response team (now RISK Team). Our goal then, as it remains today, was to provide readers information on the actors, their tactics or actions and what assets are targeted and affected. We strive to remain vendor-neutral, not shill our services within the report, be transparent with our methodologies and acknowledge bias.

The 2015 DBIR featured a large section on studies of non-incident/breach data outside of the typical data that underpinned the prior seven publications. This year we put the emphasis back on the incident corpus and the Incident Classification Patterns and hope that the criticism of one section, which is independent of the rest of the report, does not prevent the readership from starting discussions on what we hope will get the most of the attention moving forward.

These include:

• Static, single-factor authentication was a component of almost two-thirds of the confirmed data breaches. Whether credentials were the data variety compromised, or legitimate credentials were used (either via prior theft or brute forced) our data continues to show that actors are going after credentials to advance their attacks and stronger authentication needs to be more prevalent, not that it or any other control will solve all of our problems, but would disrupt a common attack method.

• Phishing continues to trend upwards as well. 41% of breaches involved phishing as a threat action leveraged by remote attackers.

• The combination of Phishing, leading to dropping of malware in the form of a backdoor and/or C2, leading to capture and reuse of credentials is one that we find used across several patterns, and in data breaches that are highly targeted, as well as opportunistic. This provides a foothold onto a desktop/laptop. A major issue is that we are not doing enough to make the attackers invest time and effort once the initial access is gained.

Lastly, I want to reiterate one of the main overarching goals of the report is to encourage organizations to use  their own data to make security decisions. The data that underpins the report is a sample, with all associated biases along for the ride. We do however, believe  that the DBIR  is the best representation (thanks to the diversification of incident data achieved by partnering with numerous organizations) of what is occurring in the real world. That being said, we really want people to try this at home. Having an understanding of what incident patterns are more closely associated with your industry is good. Collecting your own security incident data and incorporating your own analysis as part of your security decision-making process is even better.

Author:  Joan Ross, Managing Principal, Cybersecurity
May 10, 2016

Verizon’s recent annual Data Breach Investigations Report validates what has been a documented and disturbing reality – the lack of methodical security maintenance activities over operations and data — leads to the majority of security breaches.  The empirical evidence proves this out, but after so many years of security practice, why are professionals still struggling?

Kurt Vonnegut’s quote “everyone wants to build and no one wants to do maintenance” partially explains it. Maintenance is not as valued by organizations that are intent on new or more profitable lines of business, it’s not as exciting  as the leader painting grand new visions.  And yet, as those visions are compromised, the leader has turned his or her  attention toward something new, requiring others to mend the security flaws and reinforce the system to operate reliably. CISOs are the pragmatic technologists in an organization, aware that with every change, update and new code release, no business fulfillment vision is complete if it’s not continually secured. Meantime the resources devoted to the implementation have often moved on without ongoing maintenance consideration.

Security requirements and design are essential as part of any business strategy.  To forego these activities predictably leads to weaknesses and vulnerabilities harder to rectify once a system is built and operational.  Is your CISO part of your engineering design team?  Is a security engineer assigned ongoing activities for maintenance? If not, weaknesses will form and be found by others. It’s predictable and inevitable.

Gary Klein has produced notable research into adaptive decisions and incident response that explains the seemingly lack of commitment to maintenance.  Even with multiple safety features engineered to prevent disasters, time and use will often wear these protections down.  Humans are enamored with the rush to perform under adversity and become heroes, but in fact, the heroes he documents undergo rigorous maintenance and testing activities beforehand as normal course.  This focus and practice is what security professionals have to emulate to be successful in preventing data breaches. It’s time to make security maintenance, as ephemeral as it may seem, part of any ROI  equation.

by Joan Ross, Managing Principal, Cybersecurity

Its 6a.m. when you, the CISO of an organization, are alerted that zero-day malware is running rampant across the Internet, infecting and spreading across your globally connected business.  By now, this type of occurrence is nothing new to you – in fact, some form of malware has existed ever since computing systems evolved. By now you should be well prepared for these types of common events in one of two ways.

Scenario One: You manage the 24/7/365 incident response team of dedicated, trained professionals.  They are experts at detecting and containing exactly these types of incidents.  You’ve ensured they are well funded and adequately staffed and trained for this type of event, equipped with the necessary tools and technologies required to combat this type of situation.  You have established, defined and tested standard operating procedures to ensure no one skips an important step in the heat of the active prevention, containment, and analysis phases.

Your staff is not re-tasked or otherwise diverted onto other projects, but have dedicated “eyes-on-glass” alerting and action in place.  In fact, one of them is notifying you that they are on alert, prepared and performing their standard procedures. They will keep you apprised as the malware spreads across the globe, paying careful attention to business partner and supplier systems and connections.

You educate your entire company personnel, including executives, at least quarterly, on this type of threat. You counsel on how to be cautious, suspicious and resistant to being duped.

Your established process to alert employees and business partners has already been enacted.  Proper preventive procedures have been enacted by your security personnel across firewalls, email systems, and other venues of infiltration.  The malware variant is being analyzed, and your staff is in touch with your vendor for the status of their emergency signature patch.

Scenario Two:  You are an experienced CISO and business professional, pragmatic and astute to know that there is inadequate funding to enact or maintain this type of incident response team.  Incident response is not your organization’s core competency.  Your duty is to inform, advise, and recommend an adequate security solution.  This is when your decisions and actions matter for your career, your company, and your customers.

You recommend an experienced company well-known for their cyber intelligence and global SOC monitoring.  One that authors data breach intelligence reports based on their global backbone, experienced, dedicated, global security operations team that provides value about the cost of a rapid response.  Criteria selection matters.

Your 6am notification is from your SOC partner, providing you with all the information you need to confidently inform your organization you are on alert but all best practice industry standards are effective and ongoing.  Your company does not make the headlines, and your business partners extend further trust for you have managed and invested well.

Author: Joan Ross, managing principal, cybersecurity, Verizon Enterprise Solutions

Customer data breaches are occurring at an alarming rate. With the recent media attention of yet another laptop stolen containing mass records of sensitive patient medical information, it leaves the greater security and user community to ask what necessary control information is not being provided to organizations.

The Verizon 2015 Protected Health Information (PHI) Data Breach Report provides the supporting empirical evidence executives require to best inform their organizations on factual risk and current exploit. The purpose of the PHI Report is to better inform an organization’s information protection decisions, risk analysis, and to help prioritize their investments. It’s these investment determinations that are personally impacting people, and for which they are primarily responsible and accountable for in conducting their business for their customers, shareholders, and business partners. Alarms clearly sounded in our most recent report that details:

• Most organizations, regardless of industry, hold some form of protected health information regarding their personnel, their human resource programs, or their actual business.
• Ninety percent of all organizations, across all but two industries, have experienced a protected health information breach – truly a call for action across industries.
• Lost and stolen assets are clearly defined as the number one threat vulnerability that is resulting in the PHI security breaches.

The PHI report provides the basis to convey industry standard security requirements for mobile devices containing potentially sensitive information. There is little to no need for PHI data to be stored on mobile devices, and every reason for robust, layered security controls to be present.

Let’s examine the limited business rationale to date.

Field or remote health workers: These personnel travel to the patient to collect vital health information. Because connectivity can be difficult and they have limited timeframes to collect the necessary information to assist the patient, sessions may be entered locally into the mobile device. Prudent organizations require the personnel to routinely and securely upload the data to a more protected, central system, not only for security, but to track access and use of the patient information. There is no reason for sensitive information to remain on the mobile phone or on the laptop for several days. Mature, more secure-focused organizations will ensure that the data cannot be copied or transferred elsewhere either digitally or physically through monitoring and preventive controls.

Business continuity strategy: Smaller organizations have implemented business continuity budget and planning for all personnel to transport their primary mobile work device to and from work each day. In this manner, if a business disruption occurs, the employee in the affected regions can still be productive while the disruption gets resolved. This may present additional risk to the organization and requires at a minimum the same mandated controls, processes, and validations as for field and remote workers listed above.

If there exists other business rationale for PHI to exist on mobile devices without these necessary controls, by all means we’re ready to listen and recommend essential, effective controls and processes.

By: David Grady, Principal Client Partner, Security Solutions

Security solutions providers of all flavors and sizes showcased their wares at the recent RSA conference in San Francisco, but the big money seemed to be in book sales, if foot traffic in the show’s pop-up bookstore was any indication. We saw at least 400 different information security-themed titles for sale, many costing $50 or more, and we saw plenty of perusing and purchasing going on between keynote addresses and vendor presentations.

The sheer diversity of book topics for sale at RSA reflects just how challenging (and sometimes overwhelming) it can be for security professionals to keep current. There were books about secure coding; books about data analytics; books about cloud computing and social engineering and IoT. There were also titles about how to get a job in information security and how to keep your job as a CISO and how to deliver a TED talk and how to pass one of a dozen types of certification exams. There were even books in the “pleasure reading” pile consisted of fictional cyber-thrillers meant to be read during a security practitioners’ rare vacation break.

A few hours after it opened on Day 1 of the conference, bookstore staff reported brisk sales of CISSP exam prep guides. By mid-week, books about how to succeed as a CISO were flying off the shelves.

By week’s end, what was the most popular topic? “Pretty much everything,” the bookstore manager said (with a smile).

For a good read – and a free one, no less – get your copy of Verizon’s brand new Data Breach Digest report at http://verizonenterprise.com/verizon-insights/data-breach-digest/2016/insiders.