90% of security incidents trace back to PEBKAC and ID10T errors

“Apparently, hackers really do still party like it’s 1999,” Verizon said in its 2015 Data Breach Investigations Report (DBIR) regarding how often really old vulnerabilities are exploited and result in data breaches. But the real problem is you. It’s me. It’s each and every one of us as the breakdown of security incidents in 2014 revealed that the “common denominator—accounting for nearly 90% of all incidents—is people.”

Oldies are still goodies as the Verizon team added:

Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns. At this point, take your index finger, place it on your chest, and repeat “I am the problem,” as long as it takes to believe it. Good—the first step to recovery is admitting the problem.

When it comes to phishing attacks, the Verizon team found that 23% of users open phishing emails and 11% take the extra PEBKAC step of actually clicking on the attachment. Even a small phishing campaign of 10 emails has a 90% chance of hooking at least one victim. IT folks have a tiny window to react to phishing attacks as the average time between email being sent and the first person clicking on the link is a mere one minute and 22 seconds.

Don’t forget to patch old vulnerabilities

According to the report, “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” It’s a mistake for any vulnerability management program to ignore the really old CVEs (Common Vulnerabilities and Exposures) since some successful cyberattacks in 2014 exploited vulnerabilities dating back to 1999. A good vulnerability management program should include a “broad coverage of the ‘oldies but goodies.’ Just because a CVE gets old doesn’t mean it goes out of style with the exploit crowd.”

“Ten CVEs account for almost 97% of the exploits observed in 2014,” the report states. “While that’s a pretty amazing statistic, don’t be lulled into thinking you’ve found an easy way out of the vulnerability remediation rodeo. Prioritization will definitely help from a risk-cutting perspective, but beyond the top 10 are 7 million other exploited vulnerabilities that may need to be ridden down.”

Yet Verizon pointed out that other than the CVSS (Common Vulnerability Scoring System) score, there is another attribute of a “critical” vulnerability. “If a vulnerability gets a cool name in the media, it probably falls into this ‘critical vulnerability’ label.” Examples from 2014 included Heartbleed, POODLE, Schannel and Sandworm – all of which were “exploited within a month of CVE publication date.”

The lesson isn’t “Which of these should I patch?” The DBIR said the chart above “demonstrates the need for all those stinking patches on all your stinking systems.”

9 security incident categories and top causes of breaches

The report handed the “Captain Obvious award” to the connection between state-affiliated groups and espionage, but cyberespionage was just one of the leading causes of confirmed data breaches in 2014; others in the top spot included Web application attacks, point-of-sale intrusions and crimeware.

As Lucian Constantin pointed out, Verizon “again split security incident patterns into nine categories: crimeware, cyberespionage, denial of service, lost and stolen assets, miscellaneous errors, payment card skimmers, point of sale, privilege misuse and Web applications.”

Public administration, financial services, manufacturing, accommodations and retail were the top five industries with confirmed data breaches in 2014.

Breach cost per record

We often hear bloated billion dollar figures as the true cost of cybercrime; on the eighth year of publishing its DBIR, Verizon not only took aim at the cost of breaches but also challenged ridiculously overblown breach cost estimates. For example, $201 per record was the estimated cost per record lost in a breach according to a 2014 Ponemon Institute study. Yet Verizon found the average costs to be 58 cents per record.

Part of the problem exists in the way cost-per-record is derived; while smaller breaches cost more per record, larger breaches of 100 million or more records could cost as little as “just a penny or two” per record. Using a new breach-cost model, the DBIR “forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000, with 95% confidence.”

Uncertainty of the real cost increases as the record volume increases, giving a wide range of predicted loss estimates as seen in the DBIR table. While optimists would look at the column on the left, “FUDmongers” would point at the highest cost per record breach estimates on the right.

Mobile malware worries shouldn’t cause insomnia in cybersecurity pros

When you add up the golden oldies being exploited, the cost per record in a breach and other interesting data in Verizon’s DBIR, might that contribute to why two-thirds of cybersecurity professionals suffer from insomnia? According to a Ponemon Institute survey, those cybersecurity pros “are being kept awake at night because they do not know the location of sensitive data;” they also worry over using less-trusted “temporary contract workers” and “migrations to mobile or cloud platforms which can often put data at risk.”

For any pros stressing over mobile malware in a BYOD world, Verizon’s DBIR stated, “I got 99 problems and mobile malware isn’t even 1% of them.” Sure, there’s annoying stuff like adware that Verizon called “adnoyance-ware,” but in reality the number of mobile devices “infected with truly malicious exploits was negligible.” There was almost no iOS data-stealing malware detected and “out of tens of millions of mobile devices” analyzed, only .03% of Android devices were hit by info-stealing malware. So while you might see “mobile” threats hyped a lot at security conferences, “mobile devices are not a preferred vector in data breaches.”