Jason Wood is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.
When the first data breach investigations report was released by Verizon in 2008, I remember thinking how awesome it was to get some actual data about security incidents and to see someone sharing this type of information. At the time I was a systems administrator who had also become “the security guy” at my employer. Because of this, I was hunting for information that I could use to explain what the attacker landscape was looking like and what risks we may be facing. I did not want to depend on anecdotal information from stories that I would have a hard time backing up when talking to various directors and vice presidents.
The 2015 DBIR report continues to provide a large amount of information from Verizon’s case load and those of a number of contributors. The report itself is 40 pages longer than the inaugural 2008 issue and has substantial improvements in the graphs used to communicate information. The authors have worked hard on using data analysis to pull information out of all the data that they’ve gathered. The only real fault I can find in this is that I a bit like a VP of Sales felt when I used to talk to him using technical jargon. I don’t have a background in data science or statistics, so that made reading the report more difficult than I would have liked. Still, it was informative and supported some things that I had suspected from pen tests we’ve done.
Cost of Breaches
One of the sections that I found to be personally interesting dealt with the financial impact of data breaches. About 5 years ago I sat in an internal meeting and listened as the cost of a data breach was about $110 – $125 per record breached. There are some obvious issues with these numbers. The main problem is that it is too rigid for the varying sizes of data breaches. Verizon also recognized that and in this year’s report tries to break down that cost based on the scale of the incident. One quote from the report states:
“The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000.”
This would be a pretty small breach (when compared to those that make the headlines), but gives us a pretty good starting place to use when we get asked how much a breach could cost. Verizon went further to provide a table of estimated costs of breaches up to 100,000,000 records compromised.
* Table from the 2015 Verizon DBIR
There’s a huge range between the best case and the worst case scenarios. However, when looking at the columns for the upper and lower bounds of “average” costs, it narrows down quite a bit. I’d be a bit cautious in how I used this information, but the middle three columns give us something that sounds reasonable to use. It’s interesting to see how the costs break down in based on what Verizon and its contributors have found in their experience. Of course, your mileage may vary.
The section on the results of phishing campaigns in larger breaches was not surprising to me at all. Phishing has been a common theme in a number of reports on security incidents for several years. These attacks are really annoying in my own inbox and are alarmingly effective when we perform them during a penetration test. Verizon states that a small phishing campaign of 10 emails has a “90% chance that at least one person will become the criminal’s prey…” by acting on the email message. I wish I could say that this was an exaggeration, but it’s absolutely in line with my experience when doing phishing during an assessment.
The news gets worse when you look at how little time you have to respond before someone clicks the link or opens that attachment. Verizon’s report says that 50% of the users will click on that link during the first hour. If anything, that seems a little long to me. Secure Ideas consistently finds that users will start responding immediately to these emails. It’s also grimly amusing to see how determined some individuals are to get to whatever is promised in the email. It seems like there’s always someone who will try that link a half dozen times before they give up. It’s not unusual to send a campaign with a 25% success rate in users clicking on the target link. A clever and well timed message can do much, much better. In fact, we performed one assessment during the holidays that linked to a survey about locations for the company Christmas party. In this case, we had more responses than emails actually sent. I can only guess that it was forwarded around to others in the organization.
With that bit of grim news, what’s the recommendation? First, pay attention to your email filtering and work to make improvements on its ability to detect this messages while they are still inbound. It might be worth performing some internal phishing tests or having a third party (like Secure Ideas’ User Scout 😉 perform them with the goal of testing and improving the ability of your filtering software’s effectiveness. Don’t just use these tests as a way to see how employees respond. Just how good is that spam app that we bought in the first place? Using these campaigns as part of an interesting and actually useful user awareness program can really help as well. Word gets around fast and lingers for a while when folks find out how their company actually did during a test. Don’t use this as a witch hunt to embarrass or humiliate by listing who messed up, but let folks know that the attack was all too successful without naming names. Verizon also states these assessments and training can actually improve our ability to detect phishing attacks as employees become aware of what phish look like and who to tell about them.
There’s quite a bit more in the report than what I’ve mentioned here. The report is absolutely worth checking out and finding out more for yourself. If nothing else, reading these types of reports should be part of our overall security programs. Even if we disagree with some of the conclusions, it gives us information about what responders are seeing and what may apply to our organization. Just a warning though. Don’t open it up and expect it to be a bit of light reading. Be prepared to read, think, verify and re-read it over time.
You can download the report from Verizon’s web site here.