Five things I’m reading this week:
2017 Verizon DBIR: Verizon just released the 2017 Data Breach Incident Report – an industry-leading annual report on the state of cyber threats over the last year. As always, it is chock-full of interesting data, but this year the statistic that most jumped out at me was the fact that 75 percent of all breaches analyzed in the report were perpetrated by outsiders – not insiders.
The specter of the malicious insider looms large over the cybersecurity industry and defender organizations today. Cybersecurity ads tout it and new companies spring up daily designed to combat it. Given this, it’s striking to be reminded by this year’s DBIR that it is far from the majority threat that most organizations face.
To be clear, if you dig into the industry-by-industry breakdown, you can better understand the contours of this reality. In education, 30 percent of threats are from insiders; in healthcare, 68 percent of threats are from insiders; and in government, 40 percent of threats are from insiders. If you’re in any of those industries, insiders are an extremely serious threat. But for the other industries – financial, information, manufacturing, retail – insiders accounted for less than 10 percent of the breaches.
What does this mean? Once again, it’s important to validate the cybersecurity hype against the reality of the threats we all face. If insiders pose a serious threat to your organization, investing to protect yourself against them should be a serious priority. And one advantage is that many steps that stop insiders – limiting user privilege; strengthening access controls; segmenting your environment – work well against outsiders as well. But if insiders are only responsible for a tiny fraction of the threats your industry faces, it may be worth thinking about whether that new insider-threat monitoring solution is the best place to put hard-earned security dollars.
If a Hacker Can Phish, Why Would She Zero-Day?: Symantec is out with a new study finding that malicious activity from exploit kits dropped remarkably in 2016 – by 60 percent. The total number of zero-days dropped from 4,985 in 2014 to 3,986 in 2016. This ought to be good news, and in some ways it is. With fewer zero-days, weaponizing them will be more expensive, and there will be fewer to go around for those breaking into systems.
But this drop doesn’t mean there have been fewer breaches. The same study also offered a clue as to where that exploit effort might have gone: the number of phishing emails increased from 1 out of every 220 emails in 2015 to 1 out of every 131 emails in 2016.
Put simply, phishing is much faster, cheaper, and easier than building a custom exploit kit. If phishing emails continue to work – and work well – why would intruders spend their time and energy building exploit kits?
One of the key goals of security is to push intruders to more difficult operations. Instead of handing them low-hanging fruit, we should be making them climb taller, more difficult walls. This won’t necessarily stop them, but it will drain their resources, reducing the number of intrusions they can manage and forcing them to concentrate their efforts.
Unfortunately, this study is evidence that we’re doing exactly the opposite. A comparative rise in exploit kits vs. phishing emails would in fact be good news, because they’re harder and more expensive. But what these statistics show is that the low-hanging fruit is as easy to grab as ever. This is a stark reminder that (a) much of security resolves to strengthening our weakest link (which is almost always human); and (b) security needs to be built with the expectation that intruders will get inside, and thus should focus on slowing them down, keeping them from reaching high value assets, and sapping their energy once inside their target network.
This is five years old, and more about law than cybersecurity, but who doesn’t want to read a book about superheroes? Especially one that answers the time-honored question: would the second amendment apply to Wolverine’s claws? Clearly, this should be on your summer reading list.
Computer Science is an essential discipline in our modern era, but it is – by its nature – a discipline designed to solve problems that arise from other parts of society. Emma Pierson had an excellent op-ed in Wired earlier this week that makes a powerful point: if Computer Scientists don’t understand the other disciplines they’re working with and in, they won’t understand the ramifications of the tech that they’re building. Building solutions without an understanding of the problem you’re solving and the impact of your solution isn’t just inefficient – it’s dangerous.
I’m reading: “Hey, Computer Scientists! Stop Hating on The Humanities.”