Reviewing the 2017 Verizon DBIR
Amherst Security Group May 10, 2017
Robert Hurlbut RobertHurlbut.com • @RobertHurlbut
Robert Hurlbut
Software Security Consultant, Architect, and Trainer
Owner / President of Robert Hurlbut Consulting Services
Microsoft MVP – Developer Security 2005-2009, 2015, 2016
(ISC)2 CSSLP 2014-2017
Co-host with Chris Romeo – Application Security Podcast
Contacts
Web Site: https://roberthurlbut.com
Twitter: @RobertHurlbut, @AppSecPodcast
© 2017 Robert Hurlbut Consulting Services
Disclaimer
I am not an employee of Verizon or their affiliates. All views, opinions, and biases are representative of my own independent research of the 2017 Verizon DBIR, unless noted.
What is the Verizon DBIR?
The Verizon Data Breach Investigations Report (DBIR) was first released in 2008 with data breach data from one organization: Verizon. Since then, this report has been released annually for 10 years.
What is the Verizon DBIR?
The latest report (released April 27, 2017) aggregates incident and breach data from 65 contributing organizations.
Definitions (from report)
Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
Definitions (from the report)
VERIS Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and responsible manner.
Incident/breach eligibility
The incident must have at least seven enumerations (e.g. threat actor variety, threat action category, variety of integrity loss and so on) across 34 fields, OR be a DDoS attack. Exceptions are given to confirmed data breaches with fewer than seven enumerations. The incident must have at least one known VERIS threat action category (hacking, malware and so on).
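To make the definitions and the eligibility rule concrete, here is an added example (my code, not from the slides or from Verizon) that classifies VERIS-style incident records as "incident" or "breach" and applies a simplified form of the DBIR eligibility rule. The dotted field names follow the public VERIS schema at https://github.com/vz-risk/veris, but the subset of counted fields, the threshold of seven, and the sample records are assumptions for illustration, not real VCDB entries.

```python
# Added example, not code from the slides or from Verizon: classify
# VERIS-style incident records as "incident" or "breach" using the
# definitions above, and apply a simplified form of the DBIR eligibility
# rule. Dotted field names follow the public VERIS schema
# (https://github.com/vz-risk/veris); the subset of counted fields, the
# threshold and the sample records are assumptions for illustration.

# Assumed subset of the 34 VERIS enumeration fields the DBIR counts.
ENUMERATION_FIELDS = [
    "actor.external.variety", "actor.external.motive",
    "actor.internal.variety", "actor.internal.motive",
    "action.hacking.variety", "action.hacking.vector",
    "action.malware.variety", "action.malware.vector",
    "action.social.variety", "action.social.vector",
    "action.misuse.variety", "action.error.variety",
    "action.physical.variety", "asset.assets",
    "attribute.confidentiality.data.variety",
    "attribute.integrity.variety", "attribute.availability.variety",
    "victim.industry", "victim.country", "timeline.incident.year",
]
ACTION_CATEGORIES = ("hacking", "malware", "social", "misuse",
                     "error", "physical", "environmental")


def get_path(record, dotted):
    """Walk a dotted path through nested dicts; None if any key is absent."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def populated(value):
    """True if the value carries information (not empty, not 'Unknown')."""
    if value is None:
        return False
    if isinstance(value, list):
        return any(populated(v) for v in value)
    if isinstance(value, dict):
        return any(populated(v) for v in value.values())
    return str(value).strip().lower() not in ("", "unknown")


def enumeration_count(record):
    return sum(1 for f in ENUMERATION_FIELDS if populated(get_path(record, f)))


def known_action_categories(record):
    action = record.get("action", {})
    return [c for c in ACTION_CATEGORIES if populated(action.get(c))]


def is_ddos(record):
    # VERIS records denial of service as the hacking variety "DoS".
    return "DoS" in (get_path(record, "action.hacking.variety") or [])


def is_breach(record):
    # Breach = confirmed disclosure; "Potentially" stays an incident.
    return get_path(record, "attribute.confidentiality.data_disclosure") == "Yes"


def classify(record):
    return "breach" if is_breach(record) else "incident"


def is_eligible(record, minimum=7):
    """DBIR rule: a known action category is required; then at least
    `minimum` enumerations, or a DDoS, or a confirmed breach (the
    exception granted to sparse breach records)."""
    if not known_action_categories(record):
        return False
    return is_ddos(record) or is_breach(record) or enumeration_count(record) >= minimum


# Constructed sample records (not real VCDB entries).
SAMPLE_RECORDS = {
    "stolen_creds": {
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "action": {"hacking": {"variety": ["Use of stolen creds"], "vector": ["Web application"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes", "data": {"variety": ["Payment"]}}},
        "victim": {"industry": "522110"},
    },
    "ddos": {
        "actor": {"external": {"variety": ["Unknown"]}},
        "action": {"hacking": {"variety": ["DoS"]}},
        "attribute": {"availability": {"variety": ["Degradation"]}},
        "victim": {"industry": "923110"},
    },
    "lost_laptop": {
        "actor": {"internal": {"variety": ["End-user"]}},
        "action": {"error": {"variety": ["Loss"]}},
        "asset": {"assets": [{"variety": "U - Laptop", "amount": 1}]},
        "attribute": {"confidentiality": {"data_disclosure": "Potentially"}},
    },
    "no_action": {
        "actor": {"external": {"variety": ["Activist"]}},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
}


def summarize(records=SAMPLE_RECORDS):
    """name -> (classification, enumeration count, eligible?)"""
    return {name: (classify(r), enumeration_count(r), is_eligible(r))
            for name, r in records.items()}


if __name__ == "__main__":
    for name, row in summarize().items():
        print(name, row)
```

The lost-laptop record is the instructive one: it is an incident (availability and possibly confidentiality affected) but not a breach, because disclosure is only "Potentially", and with three enumerations it would not make the report's data set. The sparse stolen-credentials record, by contrast, is eligible purely because disclosure is confirmed.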
Incident Classification Patterns
1. Denial of Service
2. Privilege Misuse
3. Lost and Stolen Assets
4. Everything Else
5. Point of Sale
6. Miscellaneous Errors
7. Web App Attacks
8. Crimeware
9. Payment Card Skimmers
10. Cyber-Espionage
Figures from Verizon 2017 DBIR, page 3
Figure from Verizon 2017 DBIR, page 5
Figure from Verizon 2017 DBIR, page 6
ESP = Espionage motive OR state-affiliated OR nation-state actors
FIG = Fun, Ideology, Grudge motives
FIN = Financial motivation OR organized criminal group actors
C2 = Stolen credentials
Note: Financial motivations and espionage account for 93% of breaches analyzed.
Figure from Verizon 2017 DBIR, page 7
Figure from Verizon 2017 DBIR, page 8
Key Industries
Accommodation and Food Services
Educational Services
Financial and Insurance Services
Healthcare
Information
Manufacturing
Public Administration
Retail
Figure from Verizon 2017 DBIR, page 9: incident (left) vs breach (right) counts by industry
Figure from Verizon 2017 DBIR, page 10: incidents (left) vs breaches (right) by industry
Figures from Verizon 2017 DBIR, page 11
Figure from Verizon 2017 DBIR, page 12
Example: Financial threat actions
Figure from Verizon 2017 DBIR, page 20
Example: Financial recommendation
Figure from Verizon 2017 DBIR, page 21
Example: Healthcare
Figure from Verizon 2017 DBIR, page 22
Summary of Industry Findings
The top three industries for data breaches were financial services (24%), healthcare (15%) and the public sector (12%).
For financial services, the top two motives were financial gain (72%) and espionage (21%).
The motives were flipped for the public sector: espionage (64%) and financial gain (20%).
Social attacks - Phishing for data
Figure from Verizon 2017 DBIR, page 35
Incident Classification Patterns
Figure from Verizon 2017 DBIR, page 38
Recommendations (summaries from “Things to Consider”)
Use two-factor authentication across all websites and for privileged access to sensitive internal systems
Change default passwords and use strong passwords
Ensure DoS protection of external websites
Recommendations (summaries from “Things to Consider”)
Insider Threats:
Periodically monitor employee activities
Don’t give employees more permissions than they need
Disable accounts upon employee departure
Use “warning banners” on systems so employees are aware of policies and know that their activities are being monitored
Miscellaneous errors:
Have a second person sign off on publishing content or changes to websites
Have a good policy for data handling and disposal of sensitive data (such as data stored on hard drives or printed on paper)
Encrypt laptops (use whole-disk encryption) and mobile devices
Back up systems routinely
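Two of the insider-threat items above, disabling accounts on departure and monitoring activity, are easy to turn into a recurring check. The following is an added example (my code, not from the slides or the DBIR) that cross-references a directory export against authentication logs. The directory, the sshd-style log layout, the usernames and the dates are all constructed for illustration; the regular expression is an assumption and would be adapted to a real log source.

```python
# Added example, not code from the slides or the DBIR: check two of the
# insider-threat recommendations above (disable accounts on departure,
# monitor activity) against a directory export and authentication logs.
# The directory, the log format and every line below are constructed for
# illustration; adapt the regular expression to your own log source.
import re
from datetime import date, datetime

# Constructed HR/directory export: who has left, and whether the account is still enabled.
DIRECTORY = {
    "alice": {"departed": None,              "enabled": True},
    "bob":   {"departed": date(2017, 3, 31), "enabled": False},
    "carol": {"departed": date(2017, 4, 14), "enabled": True},   # offboarding was missed
}

# Constructed sshd-style lines in an assumed syslog layout.
AUTH_LOG = """\
2017-04-03T08:12:44Z srv1 sshd: Accepted publickey for alice from 10.0.0.5
2017-04-03T23:40:02Z srv1 sshd: Failed password for bob from 203.0.113.9
2017-04-20T02:15:31Z srv2 sshd: Accepted password for carol from 198.51.100.7
2017-04-21T03:01:10Z srv2 sshd: Accepted password for carol from 198.51.100.7
2017-04-22T09:30:00Z srv1 sshd: Accepted publickey for alice from 10.0.0.5
2017-04-23T22:05:17Z srv3 sshd: Accepted password for mallory from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def stale_accounts(directory, today):
    """Departed users whose account is still enabled: the offboarding gap."""
    return sorted(u for u, r in directory.items()
                  if r["departed"] is not None and r["departed"] < today and r["enabled"])


def post_departure_logins(events, directory):
    """Successful logins dated after the user's recorded departure."""
    hits = []
    for e in events:
        rec = directory.get(e["user"])
        if rec is None or rec["departed"] is None or e["result"] != "Accepted":
            continue
        if e["ts"].date() > rec["departed"]:
            hits.append((e["user"], e["ts"].isoformat(), e["src"]))
    return hits


def unknown_accounts(events, directory):
    """Successful logins under names absent from the directory (local or rogue accounts)."""
    return sorted({e["user"] for e in events
                   if e["result"] == "Accepted" and e["user"] not in directory})


def review(log_text=AUTH_LOG, directory=DIRECTORY, today=date(2017, 5, 10)):
    events = parse_auth_log(log_text)
    return {
        "stale_accounts": stale_accounts(directory, today),
        "post_departure_logins": post_departure_logins(events, directory),
        "unknown_accounts": unknown_accounts(events, directory),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Bob's failed attempt after his departure is deliberately not counted as a finding (his account was disabled, so the control worked), but it is the kind of event worth alerting on separately, since a departed user still trying a password is itself a signal. Carol's two logins after her departure date are exactly the gap the "disable accounts upon employee departure" item is meant to close.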
Recommendations (summaries from “Things to Consider”)
Have good business continuity and disaster recovery plans for your critical systems and applications
Keep software up to date (OS, web apps, plug-ins)
Segregate networks based on data sensitivity (for example, keep retail POS or customer database systems apart from the rest of the internal network)
Monitor egress points to prevent data loss
Look at nomoreransom.org
Verizon 2017 DBIR, page 37
Extra: DRAFT NIST 800-63-3 Digital Identity Guidelines
Some password security recommendations:
Remove periodic password change requirements
Drop the algorithmic complexity song and dance
Require screening of new passwords against lists of commonly used or compromised passwords
https://pages.nist.gov/800-63-3/
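What those three recommendations look like in a verifier is shown by the following added example (my code, not from the slides or from NIST): a memorized-secret acceptance check that enforces a minimum length and a blocklist, and deliberately does not enforce character-class rules or expiry. The common-password list and the "breach corpus" are constructed. The prefix/suffix split mirrors the k-anonymity range lookup used by the public Pwned Passwords API (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the SHA-1), but no network call is made; the server side is simulated locally from the constructed corpus.

```python
# Added example, not code from the slides or from NIST: a memorized-secret
# acceptance check following the draft SP 800-63B points summarized above
# (minimum length, no composition rules, no forced rotation, screening
# against common or breached passwords). The common-password list and the
# breach corpus are constructed; the prefix/suffix split mirrors the
# k-anonymity range lookup of the public Pwned Passwords API
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>),
# but no network call is made here: the server side is simulated locally.
import hashlib
import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers should accept at least 64 characters

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2017"}
BREACH_CORPUS = ["Tr0ub4dor&3", "P@ssw0rd2017", "hunter2hunter2"]   # constructed


def normalize(pw):
    # 800-63B: apply Unicode normalization (NFKC) before comparison or hashing.
    return unicodedata.normalize("NFKC", pw)


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def split_for_range_query(pw):
    """Client side: only the 5-hex-char prefix would leave the client."""
    digest = sha1_hex(normalize(pw))
    return digest[:5], digest[5:]


def range_response_for(prefix, corpus=BREACH_CORPUS):
    """Server side (simulated): every corpus hash sharing the prefix, as SUFFIX:COUNT lines."""
    lines = []
    for pw in corpus:
        digest = sha1_hex(normalize(pw))
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:1")
    return "\n".join(lines)


def breached_count(pw, range_response):
    """Client side: match our own suffix against the returned lines."""
    _, suffix = split_for_range_query(pw)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(pw, username, service_name="example", corpus=BREACH_CORPUS):
    """Return the reasons to reject pw; an empty list means accept.
    Deliberately absent: character-class rules and expiry checks."""
    pw = normalize(pw)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LENGTH:
        problems.append("longer than 64 characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if username.lower() in lowered or service_name.lower() in lowered:
        problems.append("contains username or service name")
    prefix, _ = split_for_range_query(pw)
    if breached_count(pw, range_response_for(prefix, corpus)) > 0:
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password", "alice2017!", "purple tractor beam 42"]:
        print(repr(candidate), check_password(candidate, "alice") or "accepted")
```

The design point is that a long passphrase with spaces and no symbols is accepted, while a short "complex" string that appears in a breach corpus is not; that inversion is the substance of dropping composition rules in favour of screening. Against a real range service the client sends only the five-character prefix and compares suffixes locally, so the candidate password never leaves the verifier in any form.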
Resources
Verizon 2017 Data Breach Investigations Report (DBIR)
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf
Verizon 2017 Data Breach Digest – RSA Conference 2017
https://www.rsaconference.com/writable/presentations/file_upload/lab4-r12_data-breach-digest-perspectives-on-the-human-element_copy1.pdf
VERIS Resources
http://veriscommunity.net Features information on the framework with examples and enumeration listings
https://github.com/vz-risk/veris Features the full VERIS schema
https://github.com/vz-risk/vcdb Provides access to database on publicly disclosed breaches, the VERIS Community Database
Questions?
Contacts
Web Site: https://roberthurlbut.com
Twitter: @RobertHurlbut, @AppSecPodcast
Email: robert at roberthurlbut.com