EPISODE 62
Going deeper into the 2020 edition of the DBIR


About this episode

September 15, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group, go deeper into the 2020 edition of the Verizon Data Breach Investigations Report (DBIR).


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Kip Boyle: So, Jake, what are we going to talk about today?

Jake Bernstein: Hey, Kip. Today, we're going back to the Verizon Data Breach Investigations Report to see what else we can learn from it.

Kip Boyle: Yeah, as we wrapped up the previous episode on it, I was thinking, Jeez, there's just so much more here to consider. So yeah, one episode was not enough.

Jake Bernstein: Definitely not. And so, let's just dive right in. I'm going to give a quick overview of what we plan to discuss today, with the eternal caveat that just because we think or say we're going to talk about it doesn't mean we'll actually get to it.

Kip Boyle: Oh, come on, we're a little bit better than that.

Jake Bernstein: Well, you never know. We never know exactly where things will take us.

Kip Boyle: True that.

Jake Bernstein: But here's the plan. So first, we're going to look at the industry breakouts and the patterns available from that particular analysis in the report. Second, we're going to investigate a little more deeply into something that's very important to both of us, which is the differences between large and small businesses. And I have to admit, I'll give a little bit of a preview right now, it was not as exciting as I was thinking it might be. But the lessons from it are probably actually more important than I realized.

Kip Boyle: Wow, what a tease.

Jake Bernstein: What a teaser, right? And then last, we're going to look at some specific trends. And actually, we're going to focus on one question. You had mentioned to me a couple days after the previous recording, you said, "Hey, Jake, I heard a rumor about security incident event management systems, and how much they're catching. And so, we're going to talk about that, too." So how's that for a tease?

Kip Boyle: Yeah, that sounds great. Okay, everybody, there you go. That's our three-point plan for this episode. And let's see if we can do it within a reasonable amount of time. All right, let's dive in. And let's start with the industry breakouts. So, look, here's the thing about the report in general. And this is a caveat that they state very clearly in there. But I'm going to restate it. There are a lot of raw numbers in there. And you might be tempted to compare the number of incidents and the number of breaches in one industry to another. And you might be tempted to say, "Oh, construction is in good shape overall, because they have very few incidents and breaches compared to, oh, I don't know, say, professional services, which is actually at the top of the list on a raw count basis."

But don't do that. There's a lot of reasons why that would create some false conclusions. And a lot of it has to do with the reporting process, which is to say that maybe people in construction just don't tell people much about their incidents and breaches. They're not a chatty bunch. But professional services, people like Jake and me who can't stop talking, tell everybody. So bear that in mind, we're going to bear that in mind too as we go through here.

But at the same time, because some industries have higher numbers, you can say more interesting things about them because the datasets are larger, and you can do more analysis. So that's why they get the white-hot spotlight on them. So I hope that makes sense. And so, having said that, let's keep going, Jake.

Jake Bernstein: Yeah, it does make sense. It makes a lot of sense. So, I want to actually start by mentioning some of the industries that we are not going to talk about, and it's because there isn't a lot of available data. So, first of all, a bit of context. In 2019, Verizon collected 157,525 incidents, of which 108,069 were breaches. However, the vast majority of those were either not interesting because they were just individual credential-based attacks like to log in to a bank account or something, or they weren't reliable.

And so, the DBIR covers 32,002 total incidents that converted to 3,950 actual breaches. And as a reminder, a breach is an incident where there is confirmed disclosure. So this is the DBIR-specific definition. People should not mistake the Verizon definition for a legal definition. Particularly under most modern data breach statutes these days, many of these incidents would qualify as "breaches" under the law, whereas for technical purposes and analytical purposes, they do not for Verizon and the DBIR.

Kip Boyle: So the DBIR is a technical report, not a legal analysis.

Jake Bernstein: Correct.

Kip Boyle: Okay.

Jake Bernstein: Okay. Here are the NAICS codes or industries that we're not discussing. And again, the reason is that all of these have under 50 incidents. In some cases, under 30 incidents, and then fewer than 30 breaches. And those are administrative, construction, management, mining, and trade. The ones that we are going to talk about, and we'll give a list here in a moment, they involve thousands of incidents and hundreds of breaches.

Kip Boyle: Yeah. And so there's a lot of data reduction here. So Verizon collected almost 158,000 incidents, but only a subset of 32,000 were actually analyzed. So, again, another thing to bear in mind as you read the report is the vast majority of incidents were not deeply analyzed because of data quality issues. And so, that's another point here, which is, about 7,000 incidents couldn't even be categorized into NAICS industry codes. So that skews the data a little bit as well. But anyway, so again, more caveats but... Okay, Jake, who are we going to look at?

Jake Bernstein: Okay. So, there are many different ways we could have diced this up, but I'm just going to go with the top five industry codes by number of incidents. And as Kip just mentioned, unknown would count. In fact, it would be in second place. But obviously, we're going to ignore that since we can't say that much about the unknown categories. So we've got professional services, public sector, information technology and the information kind of industry, and then finance, and manufacturing.

And then I tossed in education as a bonus. We're definitely going to talk about professional services and the information sector and mostly leave the rest undiscussed. We're skipping public sector just because we don't have public sector clients. However, the analysis that we go through for all of these is really valuable, and it would apply anyway. So, just because we're not going to be talking about your specific sector, don't go away, don't change that dial, as they used to say on the radio. And trust me, I think you'll get something out of it.

Kip Boyle: Yeah, definitely. Because I think there's some themes, and just the way we break it down would be helpful to you. So let's get going. We're going to start with, again, this professional services, and its industry is actually professional, scientific, and technical services. And many of our clients and our peers fall into that category. This is the industry that we operate in. And so, it's really typical for organizations in this industry to have some kind of a web presence to either just say, "Hey, we're open, we're available to help you," or maybe they're doing content-based marketing, or they're doing file upload, file download, file sharing, data sharing. Anyway.

And so, the need for a good web presence of some kind is really important to organizations in here. And I think that's going to be true, really, for a lot of other industries, if they're not already doing it now because we're living in the age of lockdowns, quarantines, working from home, that sort of thing. But anyway, that's a little forward-looking. But here's some of the interesting takeaways.

So, in this industry, the vast majority of the attacks were financially motivated. 93%, in fact, were able to be categorized as financially motivated. Now, there's other types of motivations. You might be a hacktivist. You've got a political agenda and you're using computer attacks as a means of pursuing your agenda, espionage, that sort of thing. But that's not what this industry is facing. It's finance-driven.

Jake Bernstein: It is probably worthwhile to point out that actually, espionage itself is the second highest actor motive. So that's interesting.

Kip Boyle: Yeah, it's in there, but it's not number one. And so, again, Jake really makes the point that there's only so much we can cover in this episode. So, hopefully, we're going to motivate you to get back into the report and really drill down into your industry and just don't even bother looking at the other ones, just really get familiar with what are the issues in your industry. It's going to help you and we're going to tell you how towards the end of the episode.

And so, no surprise for this industry, the number one attack pattern is web application compromise, and also phishing, and either lost or stolen credentials are playing an outsized role in the successful breaches of these organizations and their websites. And also interesting, 22% of the attacks involve insider threats. So that's kind of the overview, but, Jake, why is this the industry with the most incidents?

Jake Bernstein: So, three words here, Kip, location, location, location.

Kip Boyle: You should have been a realtor.

Jake Bernstein: I know, right? The professional industry holds a ton of valuable personal information. This is not the industry where bad guys go to get credit card numbers. This is the home of lawyers like me, accountants, scientists, engineering firms, and the hackers here want personal data that can be sold and later used in various kinds of financial fraud. And, real fast, I knew this would happen, I'm already going to go slightly off-script here. I just wanted to point out that the patterns that we talk about here, they're defined on pages 36 and 37 mostly of the DBIR. And it is worth understanding, very quickly, what they mean by web application as the kind of number one attack pattern.

And I'll just read it because it's really short: "Incidents in this pattern include anything that has a web application as the target. This includes attacks against the code of the actual web application, such as exploiting code-based vulnerabilities, which is considered a hacking 'exploit vuln' in terms of the attack variety, to attacks against authentication, which is use of stolen credentials, for example." So, I think that it's useful to dig in and understand not just kind of at a high level, but also to dig in and really figure out what is Verizon saying here in terms of these patterns?

So going back to our industry, professionals here, it's interesting because the second-place set of patterns here is what the DBIR, in this case, unhelpfully lumps together as "everything else." The reason they have to do that is that it's actually very difficult to classify some of these things. I think it's worthwhile to mention a very common one that we have talked about many times before, which is the business email compromise. [crosstalk] Why don't you just give a 30-second reminder of what that is.

Kip Boyle: It's fancy phishing, there you go. I did it in less than 30 seconds.

Jake Bernstein: That's impressive. You did it in two words. Now, I assume that you're spelling fancy with a ph, right?

Kip Boyle: Of course.

Jake Bernstein: Obviously.

Kip Boyle: Did you hear it?

Jake Bernstein: I did hear it, that's why I asked. So yeah.

Kip Boyle: It's targeted, right? I'm impersonating somebody.

Jake Bernstein: Yes.

Kip Boyle: And maybe I've broken in and taken over an account to do that, I've seen that happen. Or maybe I've just set up a lookalike domain. And I'm sending you messages from a lookalike domain. These are very difficult to detect. We're getting better at detecting them, but they're very difficult to detect and they can lead to huge payoffs.

Jake Bernstein: Yep. When we say lookalike domain, I just want to give a really quick example. So, Kip, actually, your domain itself would be a prime target because it's very long, cyberriskopportunities.com. I can tell you that when I type it, I don't always type it quite right. And so, if someone registered cyberriskopportunities and forgot an I or added an extra I somewhere in there.

Kip Boyle: Or an extra R.

Jake Bernstein: Or an extra R, it'd be hard to see potentially. It's not going to be an automatic. Oh, that's so obvious. So that's what we mean by a domain that's fake.

Kip Boyle: Yeah. At a glance, it looks indistinguishable from the true one.

Jake Bernstein: Yep. So now, here's something that's really interesting. And I would say distressing in a way about the professional industry. And it's a question of submit rate to phishing attacks and ways to get credentials. So the good news is that the vast majority of companies involved in these incidents have a 0% submit rate, meaning that their employees are not giving away credentials, which is great. However, just a little bit fewer also have a report rate of 0%. And that's terrible.

That's terrible because, over the course of this industry group, far too many employees are doing something that maybe they shouldn't have, and keeping quiet about it. So, if you don't tell security about an incident, they can't engage the incident response plan. And that is bad. And before I turn it back over to you, Kip, I just wanted to mention, I think this one is particularly striking to me, is that there were about 7,500 incidents, but only 326 actual breaches.

So, again, we're not able to take a great deal of takeaways from just the raw numbers, but I do think it's worthwhile to point out that we are talking about hundreds of breaches, but a much larger number of incidents.

Kip Boyle: Yeah. And I think this gets back to a theme that we brought up in the beginning, which is, this is data that is inherently biased. And a lot of times, it's biased through reporting bias, which is to say that, especially like we talked about how construction, for example, as an industry doesn't have very many incidents on the record here, and it doesn't have very many breaches. That doesn't automatically mean that they're not attacked very much and that they don't suffer. It could and probably does mean that they don't tell people about it, due to shame, or due to fear of bad consequences by speaking up and saying something.

And I think that's still present even in the industries where there's a lot of reporting of the incidents. You can report an incident and still bury the idea that there was a data breach or a consequence. Okay, so let's unpack that for a moment. So why would people not be reporting this stuff? Well, typically, it's a culture issue. If you work or operate in a culture where telling uncomfortable truths is punished, messengers are punished, you're not going to be likely to say anything.

And also because in a way, by telling people that there's been an incident or certainly if there's been a breach, well, my goodness, that's going to ruin my day because I have this huge list of things to get done. And if I tell somebody that there's actually been a breach, well then, I'm going to be stuck in meetings for the rest of the day trying to explain this stuff. And this little thing is going to follow me around like a little black cloud for days or weeks. Nobody wants that. They just don't want that. So, there's a lot of resistance to voluntarily putting yourself into that situation. And I think that's why a lot of crimes don't get reported at all.

So anyway, so I think, just to summarize, there's some cultural barriers. And so, if you're a senior decision-maker, or if you have any influence as a leader in your organization, really be thinking about how can we make reporting incidents and data breaches easier to have less bad consequences for the reporters?

Jake Bernstein: That's right. And I think it's worth pointing out that if you get into litigation over a data breach, and a root cause analysis gets performed, litigation is where people dig deep. And your opponent finds that it was the culture that prevented reporting, I don't think this has been litigated at all yet. But I certainly would argue that cultural prevention of reporting is not reasonable cybersecurity.

Kip Boyle: There you go.

Jake Bernstein: It didn't.

Kip Boyle: No, I don't think it's reasonable. And management is responsible for setting the cultural tenets and for shaping and molding them. And it's incredibly difficult to change an organization's culture. I know, I've been there, I've attempted it. It's super difficult. Sometimes it's impossible. I know stories about entrepreneurs that started companies and then either blew them up or sold them off because the cultures they created were allowed to develop organically and haphazardly and were toxic. If you read Tony Hsieh's book about his entrepreneurial journey, he talks a lot about that in there. So it's management. And it's management's responsibility, and to the extent that they get that wrong, yeah, that's not reasonable.

Jake Bernstein: Okay. Any final thoughts on professionals?

Kip Boyle: Well, we are a chatty bunch, I guess.

Jake Bernstein: We are.

Kip Boyle: And we have lots of things that bad guys want. So we better get better.

Jake Bernstein: Agreed.

Kip Boyle: Okay. So now, the next one in the list is public sector. But again, we're not really going to dive into that. If you're working in the public sector though, just listen again to what we did with the professional services sector, how we got to break that down. And do that for yourself. But we are going to look at another section, which is IT services. So that's going to be information and it includes IT services, cloud services, and managed service providers, what we would call the tech industry at large. And what do you know? Web application attacks account for almost 40% of the total breaches, which emulates the professional services industry a bit.

And another fascinating aspect is that this category of web application attacks is closest to I think what people talk about as real hacking in the media, and in the entertainment industry, movies, television, that sort of thing. But it's enabled a great deal by the use of stolen credentials, the old trope of having your password written down on the underside of your keyboard, or something like that. But these days, you don't even have to step foot into an organization. The internet is absolutely swimming in an ocean of compromised credentials. And the cyber attackers, the adversary absolutely is tapping into that, and is rapid firing those credentials into our web applications, into our remote desktop servers, our VPN servers, and they're having a heyday.

But the second-largest pattern is errors. And so-

Jake Bernstein: Errors. You mean like oopsies?

Kip Boyle: Yeah, mistakes. And you know what, that lines up really well with the dominant narrative in the media right now about cloud data breaches and how a lot of sensitive data is being disclosed over the internet, simply because the data was not sufficiently secure. They didn't get the permissions correct. Or they created a data share or a database and they deliberately tore down the permissions because they didn't want to deal with it. And so, I would call that an error because I doubt very seriously that that company's security policy would recommend that for ease of use, one should remove all permissions.

Jake Bernstein: Definitely not.

Kip Boyle: And so, what do you do about errors? Well, you have to have good policies and procedures. People need to know what's expected. Redundancy would be helpful. So, having somebody who does it a lot, and is very good at it, and can explain to other people, "Hey, these permissions look like a pain in the butt but actually, they're not all that tough. Let me show you how you do this." And I think automation is really important here.

There's a newish idea about infrastructure as code, where you can build virtual environments in AWS, Google Cloud, Azure, and other places, not by manually going in and creating virtual machines by typing on a keyboard and doing everything custom-built, as we used to do, but by actually writing a script to have all this stuff created for you, and putting in the script all of the correct security settings to include permissions, the right permissions. And I think that kind of automation is fantastic because it's really going to give you a much more reliable, default set of security settings.

Jake Bernstein: That's right, it definitely will. So I think that the patterns here, particularly the one about the miscellaneous errors, I think it's a really good argument for robust policies, procedures, and redundancy. The reason is that if, for example, the business email compromise that we talked about, oftentimes, it includes wiring money someplace else. And, you could conceive of ways to spend hundreds of thousands of dollars "securing your system" against receiving emails that might be phishing intended for the business email compromise. But you could also spend 15 minutes making a decision that your company is just not going to do wires without at least two people signing off. And your potential safety has just gone up dramatically, and you've spent next to nothing.

And I think with errors, it's probably not that simple. But if you have well-documented standard operating procedures and policies and procedures regarding how to spin up cloud storage buckets, then, one, the risk that someone's just going to do it is lower because most people don't want to break the rules. Obviously, we have that 20%-ish of insider threats. But we're just normal people, not trying to break rules. And then if someone does, there are consequences.

Kip Boyle: Yeah. Well, errors, let's think about it. So there's a whole category of insurance policy that you can purchase, and that most organizations have, and it's called errors and omissions.

Jake Bernstein: Yep.

Kip Boyle: It's designed to guard against exactly this sort of thing. And guess what, this is another management issue. If employees, staff, contractors, outsourcers are making errors, it suggests that they are not trained properly or are being put under too much pressure to deliver results, and so are cutting corners like crazy. And all that stuff falls into the lap of management to deal with.

Jake Bernstein: It absolutely does. And I think we could probably continue to talk about this for quite a while, but we're already at 26 minutes. So, at the risk of wanting to do a third episode, don't worry, we won't do it. Let's skip to that most ancient of questions Kip, does size matter? Why are you laughing? What's funny about that?

Kip Boyle: Well done. It is an ancient question. It's also a giggly one.

Jake Bernstein: Yes.

Kip Boyle: Okay, but let's stick with the DBIR. And size for the purposes of this analysis is kind of... Well, there's not a lot of granularity here. You're either a small business, which means you have fewer than 1,000 employees, or you're a large business, which means you have more than that. And the image that I get in my mind immediately is this pyramid, where the line between a small and a large business is drawn way up high because the vast majority of organizations don't have 1,000 employees. So that's pretty interesting.

But anyway, so that's what they say by size. But that's not really helpful for us because we work under 1,000 employee space quite a bit, Jake and I.

Jake Bernstein: Sometimes under 300, definitely under 500.

Kip Boyle: Yeah, well, I'm working with some startups that are under 20.

Jake Bernstein: Yep. So even with that, I think there's a couple of reasons they did this. First, the DBIR hasn't included a dedicated discussion about size since 2013. And that actually creates a little bit of an issue because those patterns that we talked about, everything else, web applications, point of sale, privilege misuse, miscellaneous errors, they didn't exist. They hadn't been invented yet in 2013. But we can still get some interesting facts, and I think some of them are interesting.

So first, we have the obvious huge disparity in numbers. So, this year's report includes 407 incidents, encompassing 221 breaches for the small businesses, and 8,666 incidents with 576 breaches for the large ones. Now, again, we got a caveat with the numbers and what you can say, and it is skewed, there's obviously reporting bias. And the DBIR folks, they ask the question, is this simply a case of Mo Money Mo Problems? Or is it a case of more nuanced factors like larger organizations having larger attack surfaces, increased visibility, or is it that smaller businesses aren't as good at discovery?

Kip Boyle: Yeah, they might be ignoring stuff or just not reporting it because it's not convenient, they're not obligated to, they're not publicly traded, they're not regulated. Yeah. So, did the report actually happen to answer this question? This is a very good question. Doesn't sound like it.

Jake Bernstein: No, it didn't. But there are some interesting things about it, which is that first of all, unlike in ages past, and by ages past I mean 2013, which, let's face it, in the computer, cybersecurity world is ages past. Phishing dominates and then after phishing, there's basically hacking, malware, and everything else as the attack patterns, though they are in reverse order depending on which one you're looking at. But, on a high level, the bad guys are still after money, and it's all about the credentials.

Now, I think one of the conclusions that the DBIR authors come to, which I actually do agree with is that they say that the move to the cloud has, in a sense, leveled the playing field between large and small businesses. And it's interesting. On the one hand, the capabilities that were once reserved for the largest of large businesses are now open for a relatively small price to mom and pop. However, that means that your problems that were once reserved for the largest of large businesses are now also problems for mom and pop with their cloud.

Kip Boyle: It is. [crosstalk] ...nearly the resources or sophistication.

Jake Bernstein: They do not. And I do want to, again, point out that you cannot say that small businesses are less likely to be targeted using these numbers. That's not a conclusion that they draw.

Kip Boyle: Yeah, please don't do that. Please don't go there.

Jake Bernstein: One thing that you can say though, is that the differences in types and nature of attacks between large and small businesses, whereas there were once significant differences, those differences are disappearing and they're converging. Now, I think there's good news there, because it means to me that the techniques and technology that the big guys have been using are also useful for the smaller businesses.

Kip Boyle: They're little people. [crosstalk]

Jake Bernstein: Yes. Hey, you know what, I'm a little person in this regard.

Kip Boyle: So am I.

Jake Bernstein: I'm a small boutique firm. And particularly as the costs come down. So, I think that, if you're really interested in this, I would recommend that you go back, and it's chapter four, they talk about it. And like I said at the beginning, it was less interesting, and also very interesting to me in this case, which is... But that's really all I want to say about the differences between large and small businesses. So, for our final piece here, and again, apologies for this slightly longer episode. Kip, you heard a rumor about SIEMs. So what was that?

Kip Boyle: Yeah. So, SIEM. So what this is, just for people who aren't familiar with this acronym, security information and event manager, it's a category or a class of tool. And what it does is it aggregates event logs from different devices, very disparate devices, in some cases, and it harmonizes those logs, and then it attempts to detect patterns of things that you don't want to have going on in your environment. So it tracks advanced persistent threats on your network, snooping around, trying to figure out how to launch an attack against you. And so that's what that is.

And so, what I'd heard is that they're only picking up about 1% of all attacks, which, if that's true, then that makes this technology, which is very expensive to acquire and to operate... It absolutely repudiates this entire class of defense.

Jake Bernstein: So, I think I get to surprise you a little bit. So, I think it was... I'm not 100% sure where that rumor came from. Because when I went in and searched the entire DBIR for SIEM and that concept, I did find something. But the number was not 1%. It was actually two and a half percent, which [inaudible]

Kip Boyle: Oh, my God, that's two and a half times... That's a 250% better performance, not what I heard.

Jake Bernstein: They're just mocking them.

Kip Boyle: It's just so much fun with numbers, isn't it? That's what this is all about.

Jake Bernstein: It is. But it was actually a reference to alerts involving exploitation of a vulnerability.

Kip Boyle: It's not a full answer.

Jake Bernstein: It's not a full answer. And it's still actually pretty interesting. So here's the thing. If you talk to security engineers and IT guys turned security engineers, you're going to hear them talk a lot about patching and vulnerabilities.

Kip Boyle: Yeah, we talk to our customers about that a lot.

Jake Bernstein: We do. But I bet you're thinking, "I bet the actual attacks involving those things aren't nearly as common, are they?"

Kip Boyle: Are they?

Jake Bernstein: And you would be correct. But again, it's a bit nuanced. So, first thing is to understand the DBIR talks about survivorship bias. And it's important. And basically what it means is, if you spend a lot of time looking at malware logs that didn't kill you, in other words, they didn't beat your security, you probably are going to tend to overestimate the prevalence of that attack type. And if you do that, you may underestimate what you should really be looking for.

Kip Boyle: More psychological head games. All right, what are these guys really trying to get to?

Jake Bernstein: So we're running out of time. But to boil it down, yes, vulnerability exploitation is quite rare. In fact, it hit its peak of just 5% back in 2017, and has been trending down since then as an attack variety. The rumor you heard about SIEMs was probably really about the low number of attacks involving exploitation of vulnerabilities. But here's the key thing, attackers are trying it anyway. And the DBIR team went a little deeper to figure things out. And basically, this is important. If you are good at patching, you are handling vulnerabilities pretty well. And if you are bad at patching, you aren't handling those vulnerabilities pretty well. Mind-blowing, isn't it?

Kip Boyle: Okay, well, there's some logic there.

Jake Bernstein: Yep.

Kip Boyle: I can see that. That's good.

Jake Bernstein: But the key here is that the research shows that you cannot stop patching. What they did is they wanted to look at servers... There were some questions being asked like, "Is it true that the internet gets more vulnerable and more dangerous with every vulnerability that's exposed?" And the fact is that it actually doesn't, because what tends to happen is that servers that are vulnerable to a new vulnerability, tended to be vulnerable to vulnerabilities from 10 years ago. In other words, unpatched servers are unpatched servers and patched servers are patched servers.

Kip Boyle: Okay. So this makes the argument that just because you missed one patch, you're not as vulnerable as you may think you are because the servers that tend to get exploited are the ones that just are never patched at all?

Jake Bernstein: Exactly. That is part of it. And the key takeaway here also gives me an opportunity to use what I think is the best sentence in the entire DBIR.

Kip Boyle: It's really good.

Jake Bernstein: Yes. And here it is. There is no outrunning the bear in this case, because the bears are all being 3D printed in bulk and automated to hunt you.

Kip Boyle: And that's a take-off of the old joke about, if a bear attacks you in the woods, you don't have to outrun the bear, you just have to outrun your buddy.

Jake Bernstein: Right. Exactly. Except that you don't. In this case, you can't get complacent because the bad guys aren't breaking a sweat testing for easy vulnerabilities. If you become lax, you will get owned or pwned.

Kip Boyle: Yeah.

Jake Bernstein: It's a really good reminder of what this is all about. And the differences between perception and reality when it comes to the automated nature of cybersecurity attacks, which is, again, those bears are being 3D printed in bulk. And like little toy soldiers, they're just being sent out to hunt. It does not cost anything to do that for the bad guys. And it really doesn't take them much time and effort.

Kip Boyle: And it's a really striking contrast to the vision or the image that Hollywood puts out to us. Going all the way back to WarGames, that movie with Matthew Broderick, that came out in 1983. And it depicted hackers as just these bored teenagers who were futzing around on their keyboards and never really meant to harm anybody, but sometimes go oops, and do something that causes trouble. We clean it up, slap on the wrist, and we get going again.

And you would think that the depiction of the threat would be updated for the times, but it's not. Mr. Robot is a fantastic show that came out of Hollywood, and yet, while depicting very authentic hacking, it still depicts the threat as a loner, as somebody who is socially maladjusted, and so on. And so, we just don't have a popular media image of what's really happening today. Which is this automated hacking, the 3D printing of these bears. And they just swarm and swarm and swarm constantly. They're ravaging like locusts, they're eating everything. It's such a different reality from what we're being led to believe.

Okay, I could go on. I could talk about that for a long time. But let's wrap up the episode. And just a recap. How should you use the DBIR? Once you understand your industry in-depth, and you get the overall sense for what happened last year, you're definitely going to want to reference these statistics in your budget requests. So, it's about budget time. By the time you're listening to this, you should be preparing your proposals for your 2021 budget, and use this information. If necessary, borrow their charts and graphs. They have released high-resolution versions of them free for you to use, don't just do crappy little screenshots, just take a moment and go out and get the actual high-resolution ones and use those.

Make sure that you're looking at geography as well as the industry, put those two things together, so that you are well-founded in what's actually going on in your area of the world and the industry that you're working in. And anytime somebody criticizes you about the spend, your budget, what you're choosing to focus on in terms of threats, with that report out, keep it handy and be ready to cite your sources and provide the data to justify what you're doing to people who just want your budget for other things that they think is going to make the world a better place. And I can't wait for next year's report because COVID-19 disruption is real. And it is disturbing our patterns and the attackers' patterns. The amount of criminal activity and cyber attacking that the adversary is engaged in right now is super high.

Jake Bernstein: Super high.

Kip Boyle: Yeah. And I think next year, the report is going to be very different.

Jake Bernstein: Yeah, it's interesting. And in a total disruption caused by COVID-19, we're going to switch. I'm going to say, Well, that wraps up this episode of the Cyber Risk Management Podcast. Today, we did part two of our analysis of the 2020 edition of the Verizon Data Breach Investigations Report to see what we could learn. So we'll see you next time.

Kip Boyle: And sorry for being so chatty. We'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that Cyber Risk Management is a team sport. So include your senior decision-makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.