As the summer cycle of cybersecurity conferences (both virtual and in-person) comes to a close and two months remain in the government fiscal year, FSOs will be well served to take on board some of the sobering facts contained in the “Verizon 2021 Data Breach Investigation Report” (DBIR). The DBIR analyzed over 79,600 incidents and confirmed 5,258 data breaches, which equates to approximately 15% of the incidents being breaches.
Breaches
The breaches discussed in the DBIR were categorized into eight vectors from which data went missing. The good news, from the FSO’s perspective, is that the number of incidents of lost or stolen assets was very low, as were misuse of privilege and denial of service. The not-so-good news is that system intrusions and miscellaneous user errors were each responsible for approximately 20% of the incidents causing data loss. Not surprising to any FSO, the bad news is that the highest incidence of data loss occurs within basic web application attacks (25%) and social engineering (35%).
Insider Threat Briefings
Since the FSO is responsible for the delivery of the insider threat program with respect to classified engagements and the CIO/CISO for companies and government departments/agencies, more weight needs to be given to web applications and personnel engagement with others.
The Web
With respect to web applications, researchers at Verizon looked at a database of a million companies and learned that the median organization had 17 internet-facing assets. That is to say, 17 points of contact for an adversary to engage and touch the entity. The very good news is that most of these organizations had no vulnerabilities, compared with 2017, when fewer than 15% of organizations fell into the “no vulnerabilities” bucket: a marked improvement over time. Where vulnerabilities do exist, the analysts found that the older vulnerabilities which had not yet been patched or mitigated were the ones being exploited.
The Employee
FSOs need to continue to emphasize to their employees that they are the target. The DBIR notes that employee credentials to networks are the most sought-after piece of data. When compromised, they provide the adversary the keys to the proverbial kingdom. The next most sought-after information is personally identifiable information (PII). PII can be, and is, monetized quickly by criminal organizations. The two vectors, credentials and PII, are not separate and equal: one can facilitate the acquisition of the other, so FSOs would be well served to keep them conjoined rather than siloed.
Be wary of inbound emails which request action by clicking on an attachment or on a link, as phishing is the most prevalent form of social engineering taking place. The report noted that within the “public administration” sector, social engineering accounted for over 69% of all breaches.
Interestingly, the report takes a poke at cyber training and simulations, noting that “most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives.” FSOs who are utilizing third-party educational training apps and simulations may wish to review their instance in light of the DBIR observation.
As the fiscal year closes and end-of-year funds become available, investing in awareness training touching on the two areas identified, web applications and social engineering, will be money well spent.