I was invited to sit in on the reveal of the 2016 Verizon Data Breach Investigations Report (DBIR), which was formally released today. In the past, the DBIR had some real groundbreaking findings; I believe it was the DBIR that showed just how serious the insider threat was. This year, I don’t think the report contains anything that news making. Instead, what jumped out at me is how we continue to struggle against long-time threats.
For instance, one of the findings in the 2016 DBIR is that old vulnerabilities continue to be leveraged. According to the report, 85 percent of the malicious traffic seen targeted the top 10 vulnerabilities, most of which are more than a year old.
Passwords also continue to plague security efforts, as 63 percent of breaches involved weak or lost/stolen passwords. Marc Spitler, senior manager at Verizon Security Research, and co-author of the report, told Dark Reading that he thought that percentage was “startling” and went on to say:
I knew credentials were a thing, obviously. What I wouldn’t have thought was that over half [of breaches] involved credentials. I knew it was a significant issue and knew we wanted to talk about it in the report, but I didn’t quite know it would be that high.
It’s one of the reasons that the authors of the DBIR strongly suggested that businesses make the move to multi-factor authentication.
And then there is the phishing problem. You’d think that at some point we’d begin to figure out the tricks behind phishing attempts, but it’s clear that too many of us continue to check email on autopilot, rather than paying attention and verifying. According to the report, 30 percent of the emails are opened and 13 percent of the links or attachments in the email are clicked on. On average, it takes less than four minutes for a phishing campaign to get its first click.
That phishing remains such a serious problem shows the shortcomings of the technology-only defensive strategy, Rohyt Belani, CEO and cofounder of PhishMe, told me in an email comment, adding:
The most crucial element in any security strategy is one that is often overlooked – the human. While there is a tendency to rely on increased automation in IT security, organizations must empower employees to forge an additional, final line of defense against these types of human-targeted attacks. Not acknowledging employees as an essential part of an organization’s security posture is resulting in catastrophic repercussions.
As I said earlier, my primary takeaway from this year’s DBIR is how stalled security is, that we continue to fight the same battles – often against the same vulnerabilities – that we did a year, two or five, ago. The report itself acknowledges that with its very first words, quoting Yogi Berra’s “It’s like déjà vu all over again.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba