EPISODE 85
 
The 2021 edition of the Verizon Data Breach Investigations Report (DBIR) Part 1


About this episode

August 3, 2021
 
Have you read the Verizon DBIR report for 2021? Find out what it contains in the first of two episodes on this extremely useful report with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Voiceover: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake: So Kip, what are we going to talk about today?

Kip: We're going to do something pretty cool today. We're going to do a repeat of what we did last year with the Verizon data breach investigative report, the DBIR. We're going to take a look at that, and we're going to split what we look at over two episodes, because that's kind of what we did last year. Last year, we kind of backed into it, right? We tried to do it in one episode, and we realized that we were way too ambitious and our eyes were bigger than our stomachs. We had to come back later on and finish it up.

But this time, this year we're going to learn from our mistakes, and we're going to just make it a two episode series. So let's get into it. And I want to thank you because last year, as I recall, I did a lot of the report reading, and I know you did too, but this year you did most of the report reading, and I thought how great is it to have a cohost who is an attorney, but who also has a background in big data? I don't know if our listeners just realize what kind of work you did before you started lawyering, so I thought you should tell them.

Jake: The kind of work I did before I started lawyering?

Kip: Yeah, in biology.

Jake: Yeah. This was totally not in the script, Kip, so you've thrown me for a loop. Welcome to live radio, folks.

Kip: But you deserve some credit, because you've worked in data sciences. Right?

Jake: I guess I have, in a sense. I don't know that people called it that, necessarily. This was 1999 to 2002, but that is true. I did work in science labs, and I guess what you're saying is I have experience looking at charts and graphs, and that is true. I have a hard science background, and it is absolutely the case that I have experience dealing with this. You know what? Actually, now that you mention it, it does make it a lot easier to read this stuff and not just have your eyes glaze over. I remember reading molecular biology articles in scientific journals where you have to interpret the graphs as well, and maybe it sounds like a silly thing, but it's really not. I think it's a good skill.

Kip: Oh, it's absolutely a great skill. And I think one thing in particular that I admire about it is that just because somebody shows you a chart or whatever, or says, "Well, here's the mean value," or whatever, you really do need to dig a little, because you do really need to understand, well, what is the data set exactly, because there's the distribution curve, what does that look like? There's more to it than just taking the bottom line. If you really want to understand what's going on, you really have to dig down a layer or two. And I just think you're very good at that, and I just want our listeners to know that you're bringing all those skills into the next two episodes, and so just wanted to give you some recognition.

Jake: That's true. I have some scientific analysis here.

Kip: Yeah. And that's what we're trying to do, isn't it? We're taking large data sets and we're trying to do a little science here. We're trying to let the data tell us what's really happening, rather than the headlines. Because I think that's what a lot of people do, is they watch news media, they see what's being reported, or Hollywood has a huge voice in this, based on the shows that they produce and the movies that they put out. And here's an opportunity to actually look at data and let data inform us about what's happening, and I really appreciate that. That's why I like this report, and that's why I'm glad that we're going to cover it.

Now, here's how we're going to cover it. So today, we're going to look at the overall findings, the total data set and what is in there. In the next episode, we're going to look at the industry breakouts, and we're going to actually see which industries are doing well, which ones are under attack, how they're being attacked, because that's something that we see, is that different industries suffer different types of attacks because maybe they have different asset to exploit or assets to capture, and so forth. So that's how we're going to do this, and I think we should start with definitions. Right? Jake, isn't that your favorite thing, as a lawyer?

Jake: Yes. A lawyer's favorite thing is absolutely definitions. They're just so important. And today I want to draw special attention, I think again, to how the DBIR handles incident versus breach. And it's interesting, I think this is a key definition not just for the DBIR, but for all cybersecurity discussions all the time, everywhere, and I've even started to become very particular when I talk with clients about what they're experiencing. People are very quick to toss out the word breach, when they actually mean incident.

Let me just start with the term incident. The DBIR defines it, incident, as a security event that compromises the integrity, confidentiality, or availability of an information asset, period. A breach, and this is critical, is an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. So let's do the little all males are... Okay, I'm just going to drop that-

Kip: Logic.

Jake: The situation here... yeah, logic... is that all breaches are incidents, but not all incidents are breaches.

Kip: Yes.

Jake: This, I think, is really important.

Kip: It is really important. And I think cyber security in general suffers from overloaded terms. Just it's riddled throughout the work, like policy. The word policy is a wildly overloaded term. We could be talking about a setting in a firewall or in an authentication server, super technical thing, or we could be talking about a written information security program as required by state law, and many other possible definitions. So I'm glad that you did that, because I'm certainly guilty sometimes of throwing my terms around a little loosely.

All right, so now that we've got that cleared up, I think that's an important gateway to understanding the report, and also just improving the quality of our conversations so that when we say incident, we really are being clear about what we're saying. And I think ransomware attacks, for example, are in the news. That's one of the types of attacks that has been making headlines lately, and most ransomware attacks are not breaches, but of course they are incidents. Sometimes the ransomware attack turns into a breach, but that's when we have a confirmed data release to unauthorized parties, not just a suspected one, as you said. Great. Foundation is laid for our conversation.

Jake: Perfect. So tell us the numbers, Kip.

Kip: Okay. Let's take a look at the report. As they do, they segregate these things out, so we've got 79,635 incidents. Now, that's a big number, but they have quality standards. Turns out the DBIR writing team has quality standards. They don't take every incident that comes along, so only 29,207 of those are actually worthy of study, and of the 29,000, only 5,258 were confirmed data breaches, so just a fraction.

Jake: Yep. And still, just for some hard hitting statistical analysis here, I took that 29,000 number and I divided it by the number of days in a year. I'm talking this is some deep analysis. Even with that massive, less than half reduction, that means that on average, we're still talking about 80 quality incidents per day-

Kip: Per day. Okay.

Jake: Per day.

Kip: And that's the mean, not the median, right?

Jake: Yes, that is the mean. Exactly. I just find it interesting, because what does 29,000 mean? Is that a big number? Is it not a big number? I think it's a lot of data, which is great.

Kip: Yeah. If I was in charge of a team that had 80 high quality incidents a day, I'd go crazy.

Jake: Oh, yeah. And this just across the Verizon data-

Kip: Right. And they're regularly finding new partners to get data from, so their data set continues to expand every year, is what I'm seeing. But we're still talking about a subset of all incidents on the internet, so take that for what it's worth. Okay. So the report itself is a monster, 119 pages, and also written in the same sort of tongue in cheek style, which I think is great. I really enjoy that.

If I'm going to read 119 page report every year that's full of spectacular data visualizations and lots of nuance, it's nice to have a little bit of humor injected in there, so I do like that. And lots of maybe what some people would call spaghetti charts. Last year, there were some charts I just could not wrap my head around no matter how hard I tried, which I found surprising because I really, really enjoy data visualization. But most of the times, they do a wonderful job visualizing the data, and I think they've done well again this time.

Jake: Yeah. And, there's really an interesting discussion that I want to highlight right away. It's pages 9 to 11, and I think even though it involves a ton of math and data analysis, I think it's worth talking about. And I think the way to start with this is let me just ask you a question. How often, Kip, do you hear someone say, usually the peanut gallery with respect to a given breach, either they should have seen that coming or that was an advanced attack, nobody could have predicted it? Doesn't it seem to you like basically every breach is one of those two comments. It seems like there's no in between.

Kip: Well, yeah. And usually it's the victim saying the latter, and it's usually the critics or the curmudgeons saying the former. But obviously, not every incident can be accurately put into both of those buckets at the same time. Right?

Jake: Well, you'd think that, but this is what's so fascinating about the real world data is obviously, it is complicated. And think about this, the top 3% of action varieties are responsible for 87% of breaches. This is a lot like the whole taxation and/or wealth distribution type situation where people often say things like, "90% of the wealth is owned by the top 5% of the population." I'm just making these numbers up.

Kip: Well, it's kind of the Pareto principle, where 80% of the results are due to 20% of the effort. Obviously, those numbers are skewed in this sense, but I believe that's the principle in play.

Jake: But what it tells us is that actually, those two responses are statistically not inaccurate. 87% of breaches are caused by only the top 3% of varieties, which means you should have seen that coming, whereas there's a very long tail composed of a whole lot of low probability events where you might be tempted to say, "Oh, that was an advanced attack. What could we say?"

I think that my takeaway as a lawyer at least is that there is absolutely a set of breach varieties where failure to be prepared I think is sheer negligence, maybe even gross negligence. These are so common that you absolutely should be prepared for them. On the other hand, there are tons of ways that a breach can occur that almost never happen, and though those events are worth training for, I don't know how much money should be spent preventing them. It's an interesting issue, and I'm not really sure what else to take from that, other than this stuff is hard.

Kip: Yeah. Well, this is very insightful, but I think it actually does map to my experience, which is the following, and I write about this in my book. Phishing is one of the actions, as this report talks about it. It's one of the varieties of action, but you can get a phish in your inbox that's going to look different today than what you're going to get six months from now, or what you got six months before, because those phishing attacks are customized based on the dominant headlines in the news.

So if there's some kind of a humanitarian crisis, you're going to get a phish that's going to be about donate money to the Red Cross. And so it's absolutely going to be customized, so it's going to look and feel different and it's going to have different effectiveness, but at the end of the day, it's still a phish. So everybody should know, phishing attacks happen, but you may not realize that that appeal that you just got to donate to the survivors of a hurricane is actually a phish. So I guess that makes sense.

Jake: Yeah. And there's a little interesting discussion here, a thought experiment of considering how often your security information and event management system generates critical alerts that need immediate review. I think most people would say, "Well, that happens every time I'm on call, and it doesn't happen when I'm not on call," which of course is semi humorous, but it may feel that way. The reality, though, is that critical SIEM events fall into everyone's laps completely indiscriminately. I like the technical term, it's extremely spiky, the graph. And I think this is the type of information that I could see being used in law as either pro prosecution or pro defense, depending on the situation. So anyway, I think that's enough of these difficult to understand statistics, so let's just go ahead and dig into the data itself. Would you like to guess, Kip, who the most common actors were this year? One guess.

Kip: It's hardly a fair question to me because I've read the report, but I'll play along and say external threat actors motivated by money, which is the fancy way of saying organized crime.

Jake: Yeah. Bingo. Organized crime, to no one's great surprise, is responsible for about 80% of breaches, and remember the breach incident dichotomy. And in fact, and this is interesting, state-affiliated actors account for only about 5% of all attacks resulting in breaches. I think that the reason that's important is going back very briefly to the discussion we just had, I think there's a sense out there in the community and possibly within society at large that it's not fair to expect any private entity to fend off a state actor. How can any company, with the possible exception of the massive, huge tech companies that own the cloud infrastructure, ever really be-

Kip: Able.

Jake: ... able to fight off a military unit being supported by taxpayers in various countries?

Kip: Which is another way of saying unlimited budgets.

Jake: Unlimited budgets, which I think is fair. I think that's a fair thing. However, I think what tends to happen is people, probably as a defense mechanism, tend to blame state actors far more often than it is justified, and this statistic shows that. It is one in 20, but it's also only one in 20, which means 19 out of 20 breaches are not state-affiliated.

Kip: Right, right. And as a CISO, the way that I think about this is I realize that if I'm connected to the internet and I'm relying on it to do business, which everybody is, it's really not an option to not use the internet. I wish it was, because that would be an easy way to deal with all of this, is just shut it all off. But because I have to be connected to the internet, and if organized crime is responsible for about 80% of the breaches, well, there you go. There's my threat model, for the most part. At a high level, that's my threat model is organized crime.

Now, there's a long tail of all kinds of other stuff going on here, I get it, but that's what I talk to my customers about. It's organized crime and oh, by the way, there is no digital police. There are no digital courts. There are no digital anythings to protect you. You've got to do it yourself. Anyway. So that makes sense, and it's nice to see that the data this year reinforces that. Now, the report also talks about secondary motives, and so you might say, "Well, if organized crime is 80%, what's that other 20%?"

And these are secondary motives, and it would include things that I think a lot of people take for granted or don't really get too upset about, which is when I want to set up a botnet as a criminal, what I want to do is I want to leach off of the infrastructures of as many companies as possible so that I don't have to set up my own infrastructure, and that just sets me up for success. So I want to steal some CPU cycles, some network bandwidth, and some memory and so forth-

Jake: Wait, you're telling me that criminals don't want to pony up for their own equipment?

Kip: Well, when they do, it's actually pretty easy. You just steal a credit card and go to AWS, and there you go. But it's still a lot easier to just steal slices of time from victims, and I think a lot of people don't really think of that as a big deal, as long as the criminals aren't stealing too much. They just think of it as shrinkage. Okay, guess what? That server was only operating at 80% average load anyway. If they're going to take 10 to 15% of the available cycles, then that really doesn't bother us. So should we care about that? And I think I've definitely heard some people voice the opinion that why should I be bothered, scraping those barnacles off the hull of my boat? They really don't stop me from generating revenue, but it's an immense cost to take it out of the water and scrape it. Anyway.

Jake: It's an interesting perspective. All right. Well, let's go ahead and look at the action varieties. These are the methods.

Kip: Right. Right, right, right. Yeah. And I just want to express a little exasperation at some of the terminology we use. Action varieties. I don't know, do we really need to do that? Can't we just say methods? I don't know. That's like threat actor. It's so antiseptic and so clinical to say threat actor. It's so much more reasonable to me to just say criminal or attacker, if you like. Anyway, methods. Let's look at the method.

Jake: Yeah. You know, it's funny, going back, that reminded me of our discussion at the very start about definitions. I guess I'll take the contrary position and just say I think that precise terms, even if they're antiseptic, can be critical to discussing these issues. And I think that, in fact, there is a lot of confusion in the industry because of the many, many different terms. Threat actor might be antiseptic, but it does cover all of the possible attackers that are out there.

Kip: And you know what? I'm cool with that when we're doing inside baseball type conversations. Where I think it isn't appropriate and not helpful is when it's appearing in news stories-

Jake: I agree with that.

Kip: ... and people who are not deep into it like you and I are looking at it. And I think that's one of the reasons why their eyes just glaze over, because it's like listening to a doctor talk to another doctor. I don't know what the hell they're talking about. I'm going to watch TV.

Jake: Basically, every single interest on the planet, you can start getting into crazy ass statistics about American football, or baseball. There are so many hyper specific little terms, but let's talk about some of our terms.

Kip: Okay, but last thought. Last thought, and we'll get on with this. What I really am trying to say to the audience is when you are talking to people who are not experts, simplify your language. Okay?

Jake: I agree with that.

Kip: There you go.

Jake: I will also say, dearest audience, that we are rapidly approaching the danger zone of having to do a third Verizon DBIR episode this year, because-

Kip: There's too much good script to talk about.

Jake: ... somehow, we're already 23 minutes into this episode and not even halfway through the script that I was worried wasn't enough content.

Kip: Okay, okay, okay. [crosstalk] Let's go.

Jake: Okay. So according to the chart, and we're talking about breaches, not incidents overall, but breaches, you've got phishing, which is a social attack, use of stolen credentials, which is categorized as a hack, and then the always popular other, that round out the top three actions. Meanwhile, for incidents, we've got denial of service, which is hacking, phishing, same as social, and then other. And this is kind of fun, other's unfair, right? It's a whole bunch of stuff. So if you put that aside, it is no surprise at all that the third most common action type is ransomware for this past year. It used to be down, but it is clearly up.

Kip: Yeah. And that's because it works, and it's the straight path to money. I don't have to take a detour to data. And with the way things are changing, I wonder if Verizon should retitle their report, because I think ransomware attacks are actually more important than data breaches have become. Data breaches really aren't discussed as much anymore. People aren't really quite as bothered by them anymore. And so anyway, just a little comment. But ransomware's on the rise, and I think that is not surprising. And it's actually going hybrid. So just to make an observation contrary to what I just said, extortionists now are combining the two. "Hey, we own your computers, and if you somehow get them back, we still own your sensitive data, so you better pay us either way."

Jake: Exactly. Very true. Another interesting data point, shockingly, given that we are discussing a highly statistically analyzed set of information here, when you combine the actions into broader types, and this is sort of depressing but I think is an area for opportunity, you find that error accounts for 17% of all breaches. Let's think about that for a second. Even though this is a decrease from the last three years, I think this is a hugely significant number that really, cybersecurity planners just need to maintain vigilance when it comes to errors being made internally. When I look at this, what I see is look, nobody has to be perfect, but 17% error seems high to me.

Kip: It's one in five. That's one in five. I didn't do it numerically, but it occurs to me that if you combine the errors with manipulations, in other words, successful phishes that manipulate people into doing things that they otherwise would not do, well, that percentage has just gone up tremendously. So in other words, as a cyber risk manager, you actually have a lot more control than you think.

Jake: I think that's right. I think one of the things that this report really does show over time is that this isn't unknowable. This is not stuff that oh, I just can't figure it out. I think our industry tends to be a little... I'm not sure how to say it exactly. I think we tend to think that we need unlimited budget, and there's never enough money and there's never enough people, and we just can't possibly handle it. And I'm not saying that we don't need more money and we don't need more people. I think we do as an industry, but I do think we need to take a deep breath and realize that in fact, we can understand a lot of these patterns.

Kip: Yeah. And not only that, but in my work with my customers, it's often the case when I build them a risk mitigation plan, and I often am doing it from a perspective of like, "Hey, let's be business savvy about this. Let's just not turn it into a technology safari," but what I find is that a lot of the mitigations don't cost a lot. There's a lot of low hanging fruit that can be picked, and you can make a lot of differences without spending a ton of money. You just have to have the will, I think, to do some of these things.

Jake: You do, and I'm having a moment of deja vu. I may have said this literally last episode, but again, I come back to this. What's the difference between a mob and an army? It's being organized. And I think so often, at least I see that our customers and clients just haven't thought through some of these issues, and Sun Tzu, The Art of War. If you don't spend the time to know yourself and know your enemy, you're going to lose the battle.

Kip: And that's why I kind of railed a moment ago on the use of all these antiseptic, jargon-y kind of terms, because I think those kinds of barriers are one reason why a lot of senior decision-makers and organizations feel like this is outside of their grasp. Nobody's really broken it down and made it easy for them to understand. So anyway, I think that's a factor. Okay. So the report has more to say about action varieties, and this year they actually break them down according to stage of breach. So if you think about breaches have life cycles, there's a beginning, a middle, and an end, and so they've actually, in the report, laid it out. And so hacking, error, and social engineering are in the top three of the beginning of the breaches that they studied.

Jake: Makes sense.

Kip: So hacking, error, and social engineering. So in other words, that's how people get in. That's how these criminals get in, but malware and hacking dominate the middle and the end stages-

Jake: Makes sense.

Kip: ... with social and error rounding out the top three. So if you take a look at figure 25 in the report, and yes, that is my way of encouraging you to go get your own copy of the report and crack it open. Jake and I can't possibly give you all the information you need, even in two episodes or three episodes. You've got to go get this report and read it for yourself. Look at figure 25. That's where you're going to see this.

Jake: Yeah. And this is pretty helpful because what it shows you is it really suggests effective intervention strategies and tactics along each stage. If we know that obviously, at the beginning of a breach, someone's got to get in somehow. We know that error accounts for almost over a quarter of successful breaches. That's useful information. That means we can really do a lot of good by trying to cut down on those internal errors. I do also want to check in on the top hacking vectors. This is a breakdown of the hacking action type, and look, while the vast majority do involve web applications, this is interesting. New this year is the desktop sharing vector, which is a clear result of the working from home reality of the COVID era. That really is pretty fascinating.

Kip: Yeah. That's something we need to point out, is that the data set this year includes the kinds of things that were going on during the pandemic and the quarantines, and the massive shift to remote work. That's part of this data set.

Jake: It is, exactly. And obviously, web application outweighs them all by huge, but with desktop sharing as hitting that 5% threshold, hey, look, that is one in 20. It's still worth considering. Now, not surprising, the use of stolen credentials or brute force attacks show up in 89% of the hacking varieties, so secure your authentication protocols. All right, Kip, onto assets. Let's see.

Kip: Okay. Yeah. Let's talk about assets.

Jake: So assets, and again, this is all terminology, assets refers to the threat actors' chosen targets from web application servers to mail servers, to individual endpoints, to the people themselves. Right? And I think this is important. The data tells us that servers obviously still account for about 80% of assets in incidents, but the person asset is in second place, with about 15%. That means that, and this is super interesting, the people themselves have actually overtaken their own user devices as targets. So in other words, just to restate that, it is more common for the person's behavior to be manipulated or to be tricked somehow to be part of an incident than for someone's endpoint to be manipulated somehow. Think about that.

Kip: You know what? I don't find that to be too surprising. That really fits my real world experience, where I tell people that the crown jewels may be on the servers, but that's not where the battle is taking place. Right? The actual clash, the fight to get into your network, is happening on the desktop. Why? Because that's where the phishing attacks happen. Why? Because that's where the soft part of your defenses lie, which is the people, and you have to invest in strengthening their ability to resist that stuff. And for my customers who are really into this, who want to go to the next level, what I encourage them to do is to make clicking on a phishing link irrelevant by doing such things as doing application deny lists, or actually, application allow lists.

What we used to call white listing, the term is changing, and now we're calling it allow listing. I see that as the new way to talk about it, but in essence, if you can distinguish a set of applications that's going to run on your endpoint and none other are allowed except that which are permitted, then malicious code, generally speaking, even if it lands on your endpoint, isn't going to be able to run. And that, I think, is super powerful, and I think that's where we all need to be eventually, but I'll get off my soapbox and just say yes, that pencils, Jake.

Jake: That's good. It does, totally. What about breaches, Kip?

Kip: Yeah. It gets even a little bit more interesting. Servers still dominate, because that's where the crown jewels tend to be. The person asset dramatically outweighs user devices, and that means that in actual breach scenarios, it's all about servers, and people, and possibly not very much else. And so the DBIR states that this makes sense, because what they're saying is that breaches are moving more towards social and web app vectors, and those are becoming more server-based. So the gathering of credentials, and using them against cloud-based email systems, as an example. And so if you follow this logic, well, cloud-based assets were more common assets in both incidents and breaches than were on prem servers and assets stored on premise.

Jake: That's not a shock, is it?

Kip: No. So guess what? Cloud does not automatically mean secure. I don't think we've ever said that it did, and in fact, I think if you go back into all of our previous episodes, what we're trying to tell you and what this data is actually telling you is cloud is not inherently secure, and you're going to have to do some work, folks.

Jake: We've been consistent on that message.

Kip: I think we have.

Jake: I don't think that the cloud industry as a whole has been consistent on that message.

Kip: They've been consistent on a different message.

Jake: On a different message, yes. Okay. It's going to go a little bit over, but this will allow us to keep it to the two episodes that we planned. There is some interesting analysis on the age of vulnerabilities. And I think when you listen to this component, keep in mind how much time and effort is spent on the really technical parts of cybersecurity, and then think about all the things we've previously said about people being targeted. So interestingly enough, there's still a fair number of older vulnerabilities that drive attacks. There was a quip in here that if Tom Brokaw was writing this report, he would call it the greatest generation of vulnerabilities. But here's the reality. Most people are doing pretty well with vulnerabilities in general, with almost 60% of organizations having no unpatched vulnerabilities at all.

Kip: Yeah. That's amazing. What a great change of event.

Jake: But does it matter? Not as much, the bad guys don't need you to have vulnerabilities, they just need you to have people. And for now, that remains true of all orgs I'm aware of.

Kip: Yeah, yeah. So my guidance to my customers is look, in the face of this reality that people are your weakest link, that doesn't mean that the criminals won't try to rattle the doorknobs out back of your facility, because if they can get in really easy that way, that's what they're going to do. They're only going to try to social engineer the receptionist if they can't get in any other low-observable or non-observable way. So don't interpret this to mean that you don't have to patch. Okay?

Jake: Oh, agreed completely. You still have to patch. Last piece on the assets that I think is interesting is there's a little chart, figure 34, for those who want to go follow along. Basically what this is showing is that you do not have to be particularly large as a company to basically reach 100% probability that one of your members has received either a malicious URL or has actually installed a malicious Android app. And this is specific to Android apps. That's just the state of the industry at the moment. But basically, let's see, around 100 people, the odds of receiving a malicious URL are nearing 100%, and then it's a little bit difficult to say on this scale, but let's say maybe around, call it 5,000, maybe less, maybe even 1,000 people, someone has probably installed a malicious APK, which is an Android app.

Kip: Oh, yeah. Yeah, absolutely. But people don't realize that this is going on, and the reason why is because these days, when you get malware on your device, whatever that is, you'll rarely know that it's happening because it's not noisy, it's silent. There's nothing on your screen, your device doesn't all of a sudden behave strangely, or just start exhibiting slowness or whatever. Sometimes that happens, but a lot of this malicious code now is very sophisticated, and it's very difficult to know that you've been compromised. So people think that it's not happening, but it's actually happening quite a bit. Do we have time to look at the attributes that were violated, or the assets that were compromised?

Jake: Yeah. I really want to, because I love this section of the report. I have a personal love of the CIA triad. I think for me, maybe it's because it's one of the first things I felt like I really learned about cybersecurity and info sec, but I just think it's great. Confidentiality, integrity, or availability, and I just love that it calls to mind the Central Intelligence Agency as well. I don't know why, just for some reason, it just tickles. I just get excited about it.

Kip: Okay. So let's take a look at that, and I'm going to make a little side comment here that these three attributes are fine as a starting point, but these days, there's actually three other attributes that we're going to have to start talking about because ransomware has made it required that we do, because ransomware actually starts to get more sophisticated, where we can still possess digital assets, but not have access to them, so there's some subtleties that are coming along. And I'm just going to refer people for now to the CIA triad successor, which is the Parkerian Hexad.
And maybe we'll do an episode on those later on, but that was my mentor, Donn Parker, and he published his six attributes back in 1998. I'll just leave that as homework for those of you who are interested, but let's just focus on CIA. Now, confidentiality as a violation. What's at the top of the list? Credentials and personal data. Well, you probably could guess that, based on what we shared with you so far. You didn't even have to crack the report to figure that out. But when a breach is caused by error, then personal data is in the top place, followed by medical information. And what this really means is that attackers want credentials, and that a mistake is most likely to result in the disclosure of personal data.

Jake: Yeah. That does make sense. We talked about those. Just to remind people, an error is when someone just screws up in the organization. This is a typical, "Oops, I meant to configure that cloud storage bucket differently, but it turns out I've just left it sitting there wide open on Shodan," or something. It's no surprise that personal data and medical information would show up there, because you're talking about things that people are using. So I really like how DBIR discusses the integrity violations, and the reason is that they're talking about the results of either social or malware actions, so social engineering or malicious software, and how you can think of phishing and pre-texting, which are social, as altering behavior of the targeted victim, and that is the form of integrity violation. I haven't historically thought about integrity that way, but I really like it, and I'm going to start internalizing that definition because I think we really need to be aware that look, the behavior of the targeted victim is a violation of the integrity principle, and I think that's really fascinating.

Kip: Yeah. And you know what? Yes, I'm on board with you. As a senior decision-maker, you want your people to behave as expected when they're handling sensitive data, and when they don't, that is a violation of your expectation, and I can see how you can say, "Well, the integrity of the process was not honored by this person because they got manipulated," so that's how I see it.

Jake: Oh gosh, and you just said that, and it just triggered something. Isn't that just the very experience of BEC? It's a process violation. It's the integrity of the process that gets obliterated, so there you go. To me, that just cements it. Okay, so for malware actions, no surprise at all, software installation is in second place on these charts, and that's just because of the high number of system intrusion pattern cases that involve a malware component. Really no surprise there.

Kip: Yeah. And that's why I go back to my challenge, is make the downloading of a piece of malicious code irrelevant by not even allowing it to execute. And one of the easiest ways you can do that, in a lot of cases, is just don't let your folks browse the internet and read email with their admin accounts. That's not going to stop everything, but that's going to really help. So malware, it continues to be a problem. All right. We're just about done. What's the final attribute?

Jake: Final attribute. This is no surprise, availability. Guess what? Obscuration and loss are the top two varieties, with obscuration at 80%. All that means is ransomware. It's: you have the data, but you can't read it. That's just what that means, no surprise. I'd like to hit on the timeline data, but I think we'll have to do that next time.

Kip: Okay. Well, that's not a problem, since we're going to come back. We'll just roll that over into the next episode. And so folks, you need to come back and we'll pick up this conversation there, and then we'll continue next episode by diving into the industry-specific information, which I think is super useful when you are talking to your board or senior decision makers about what's actually going on in your industry. When you contextualize it, you make it more relevant and you make it more compelling. So, any final words, Jake?

Jake: Download the report and keep it handy.

Kip: Yeah. See if you can get ahead of us too, and get ready for the next episode. So we're going to wrap up today's episode of the Cyber Risk Management podcast right now. So we did part one of our analysis of the 2021 edition of the Verizon data breach investigations report, the DBIR, and hopefully you learned along with us. Next time, again, we're going to get the industry data, and so we hope you will be back. So we'll see you next time.

Jake: See you next time.

Voiceover: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision-makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com, and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.