Data-breach rogue's gallery highlights treachery of human error, executive misunderstanding

A compendium of information-security horror stories contextualises current threat scenarios in a way that makes them more accessible and relevant to senior managers inured to the steady stream of doomsday security statistics, according to a senior security-response executive who notes a continuing scourge of human error and “tremendous commonality” between the experiences of companies around the world.

Released this week, the Verizon Data Breach Digest (DBD) has been positioned as a complement to the company's Data Breach Investigation Report (DBIR), a voluminous annual report that has become a statistical almanac of sorts across the information-security industry.

The names and some figures have been changed to protect the innocent in the 18 different real-world scenarios highlighted in the report, Verizon Asia Pacific and Japan managing principal for investigative response Ashish Thapar told CSO Australia, but the stories they tell are timely and relevant for anyone even a little bit concerned about information security.

CSOs “often have to spend a lot of time explaining the DBIR to non IT-security people,” Thapar explained, “and having it played out in scenarios makes it a lot more concrete. People don't have endless security budgets, and we want to help them understand where the real threats are – and where they can get the best bang for the buck in terms of putting preventative, detective and response type controls in place.”

Scenarios in the report cover four key categories of attack – the human element, conduit devices, configuration exploitation, and malicious software – and include social engineering, infections from USB devices, CMS compromises, RAM scraping, and data ransomware.

Of these, the human element remains “the weakest link in the security chain,” Thapar said, noting that many attackers have realised “there is no point trying to brute-force or exploit the vulnerability in particular hardware or software when they can just exploit the tendencies of the human. These reports open up the eyes in terms of how things can go so badly wrong.”

Some of the attacks illustrated in the report – dressed up in catchphrases like 'the Bad Tuna', 'the Boss Hogg', and 'the Rabbit Hole' – will resonate a little too closely for CSOs and business executives who have long wrestled with the increasing surge of malicious attacks.

The situation isn't helped by continuing misperceptions that information security is still largely a technological issue: one recent survey of CISOs from security-industry group ISACA, released at this week's RSA conference, found that 82 percent agreed that their boards of directors are concerned or very concerned about cybersecurity – but that only 1 in 7 of those CISOs reports to the CEO.

All indicators suggest security professionals see the threat climate getting worse, not better: just 75 percent said they were confident in their team's ability to detect and respond to incidents in 2015, down strongly from 87 percent in 2014.

Growing use of Internet of Things (IoT) technologies was fingered by those CISOs as a key issue, with 53 percent concerned or very concerned that IoT will expand attack surfaces further and exacerbate cyber risks.

Anecdotes about IoT-related compromises proved to be a surprise for the Verizon team – which investigates hundreds of data breaches every year – when analyses showed how a data-based breach could have a real physical impact: one scenario, for example, saw pirates breaking into a cargo management system to target a real-world theft.

“I see these potential impacts on the world only increasing as we see the Internet of Things growing,” Verizon Enterprise Solutions security solutions consultant Aaron Sharp said. “Having these things interconnected can really impact the real world.”
