Márton Illé, security evangelist, BalaBit IT Security:
The annual Verizon Data Breach Investigations Report is out and it is worth giving it a go to learn from the lessons of our unlucky fellows in 2014. In many aspects 2014 was a year just like the previous one, though there are some interesting changes and also some trends from the past years that did not change at all.
When we talk about IT security, people usually consider it a technology question, and sure, it has many technology aspects. For example, it is interesting to see that still “71% of known vulnerabilities had a patch available for more than a year prior to the breach,” which shows us that though there are new tricks, they are not necessarily required to mount a successful attack. Old tricks would do just as well.
I always wonder if it is at all reasonable to expect to apply patches for known vulnerabilities in a timely manner. Well, in 71% of the cases even one year was not enough to do so. This is not a zero-day technology issue; it is just inappropriate processes or mistakes made by humans. The report also shows that “nearly 50% of users open e-mails and click on phishing links within the first hour.” It is again the users doing something they should not, but it is also interesting to see the huge difference in the timescale.
In the case of phishing we talk about hours, but for vulnerable systems it is months or years. Why do we care about hours when we have years? IT security is like economics: as an attacker I am trying to optimize the ROI of my attacks, either by going after large pay-outs or by minimizing my investment. Interestingly, the report shows a steadily increasing trend in attacks going after humans. Why? Well, that is probably the cheapest and most reliable way of attacking; otherwise why would attackers do it? Phishing is a very simple thing; it does not even require deep technical knowledge, unlike writing exploits, but it is still a core part of attacks: “For two years, more than 2/3 of incidents that comprise the Cyber-Espionage pattern have featured phishing.” (p14)
Can we do something about this? It is a good question! Maybe it is time to face the fact that we cannot properly patch a system and we cannot “patch,” or educate, humans – or at least not in masses. There will always be vulnerable systems and always users clicking on malicious links.
We need to come up with a security architecture and methods that take all this into consideration! We cannot control everything, so it is time to start monitoring and detecting when something bad is happening. Even the authors suggest: “Put this report down and go setup your syslog servers. We’ll wait.” (p59)
We need to monitor more and analyze the data better to stop security incidents before an actual data breach, which again requires a timely response, something we are particularly not good at: “Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise.” (p6)
Though the trend is improving, we need to work on that!