Article Authors
Highlights of the June 2024 edition of the HBK Risk Advisory Services webinar series, hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.
For the 17th consecutive year, Verizon has released its annual Data Breach Investigations Report (DBIR), a compilation of data on cybersecurity incidents contributed to Verizon by partner organizations around the world. The DBIR, considered a “go-to” resource by many in the cybersecurity field, exists to inform organizations about the threats they face and how to protect against them.
Background
- The 17th annual edition of the Report
- Released early May 2024.
- Covers 20 industries, classified by NAICS code.
- Categorized by different regions of the world.
- Seventy-nine contributing organizations (up from 67 in 2023).
- Examined 30,458 incidents and 10,626 confirmed data breaches (compared to 16,312 incidents and 5,212 confirmed data breaches in 2023).
- Data is recorded in VERIS: the Vocabulary for Event Recording and Incident Sharing.
- Started tracking in 2010.
- Tracks eight incident patterns across a wide range of industries: denial of service, lost and stolen assets, miscellaneous errors, privilege misuse, social engineering, system intrusion, basic web application attacks, and everything else. Each incident is described by the 4As: actor (who did it), action (what they did: hacking, malware, social, error, misuse, and so on), asset (what they went after), and attribute (which security property of that asset was affected: confidentiality, integrity, or availability).
- Definitions:
  - Incident: a security event that compromises the CIA triad (confidentiality, integrity, or availability) of an information asset.
  - Breach: an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.
  - These definitions matter in practice; cybersecurity insurance applications, for example, ask about incidents and breaches in these terms.
- The information is drawn from events that have happened to other organizations around the world and is categorized by industry to help you assess your own risk. It is recommended to use the report alongside a vulnerability database.
- Find the report via Google search or the Verizon website at Verizon.com/DBIR.
- The full version is about 100 pages with an executive summary of about 17 pages in length this year.
- Industry-specific reports are also available.
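Because the DBIR counts incidents and breaches separately, the incident-versus-breach definitions above are worth applying to your own records before comparing them with the report. The script below, an added example written for this summary (not code from the webinar, HBK or Verizon), classifies a small set of VERIS-style records and tabulates them by the 4As. Field names follow the public VERIS schema (github.com/vz-risk/veris); the three sample records are constructed for illustration and are not DBIR data.

```python
"""Classify VERIS-style records as incidents vs. confirmed breaches and
tabulate them by the 4As (actor, action, asset, attribute).

Added example; not code from the webinar, HBK or Verizon. Field names follow
the public VERIS schema; the records below are constructed, not DBIR data.
"""
import json
from collections import Counter

# Constructed sample data in simplified VERIS layout, as a JSON document.
SAMPLE_RECORDS = json.dumps([
    {   # ransomware with confirmed exfiltration -> counts as a breach
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "action": {"hacking": {"variety": ["Exploit vuln"]},
                   "malware": {"variety": ["Ransomware"]}},
        "asset": {"assets": [{"variety": "S - Database"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"},
                      "availability": {"variety": ["Obscuration"]}},
    },
    {   # phishing that captured credentials, disclosure only "Potentially" -> incident only
        "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
        "action": {"social": {"variety": ["Phishing"]}},
        "asset": {"assets": [{"variety": "P - End-user"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Potentially"},
                      "integrity": {"variety": ["Alter behavior"]}},
    },
    {   # employee e-mailed a spreadsheet to the wrong customer -> breach (error pattern)
        "actor": {"internal": {"variety": ["End-user"], "motive": ["NA"]}},
        "action": {"error": {"variety": ["Misdelivery"]}},
        "asset": {"assets": [{"variety": "M - Documents"}]},
        "attribute": {"confidentiality": {"data_disclosure": "Yes"}},
    },
])


def load_records(text):
    """Parse a JSON array of VERIS-style records."""
    return json.loads(text)


def is_breach(record):
    """DBIR definition: a breach is an incident with *confirmed* disclosure.

    VERIS stores this as attribute.confidentiality.data_disclosure. Only "Yes"
    qualifies; "Potentially", "No" and "Unknown" remain incidents.
    """
    conf = record.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"


def four_as(record):
    """Reduce a record to its 4As: who (actor category), how (action category),
    what was targeted (asset varieties), and which attributes were affected."""
    assets = record.get("asset", {}).get("assets", [])
    return {
        "actor": sorted(record.get("actor", {})),
        "action": sorted(record.get("action", {})),
        "asset": sorted(a["variety"] for a in assets),
        "attribute": sorted(record.get("attribute", {})),
    }


def summarize(records):
    """Count incidents and confirmed breaches, and tally each of the 4As."""
    summary = {"incidents": len(records), "breaches": 0,
               "actor": Counter(), "action": Counter(),
               "asset": Counter(), "attribute": Counter()}
    for rec in records:
        if is_breach(rec):
            summary["breaches"] += 1
        for key, values in four_as(rec).items():
            summary[key].update(values)
    return summary


if __name__ == "__main__":
    s = summarize(load_records(SAMPLE_RECORDS))
    print(f"{s['incidents']} incidents, {s['breaches']} confirmed breaches")
    for key in ("actor", "action", "asset", "attribute"):
        print(f"{key}: {dict(s[key])}")
```

The phishing record is the case to watch: credentials were captured and the attribute "Potentially" disclosed, so it is an incident and would appear in an insurance application's incident count, but it is not a breach until disclosure is confirmed. Pointing the script at a real VERIS export (for example a VCDB dump) gives you the same split the DBIR reports.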
Key Takeaways from 2024 Report
- Breaches due to exploitation of vulnerabilities tripled.
- Ransomware combined with extortion techniques was 32 percent of breaches.
- Ransomware is a top threat across 92 percent of industries. (Attackers' time inside a network before detection can extend to several months, which lets them work out how much the victim can afford to pay.)
- Human element (including non-malicious errors) is 68 percent of breaches.
- Errors increased to 28 percent of breaches.
- Breaches involving a third party were at 15 percent (a 68 percent increase from 2023).
- The most common breach patterns are system intrusion, followed by miscellaneous errors and social engineering.
- Interesting takeaways: the combination of ransomware with extortion, the report's breakdown of how attackers size a ransom demand (between 0.13 and 8.3 percent of the victim's revenue), and the escalating third-party risk.
- The main motive behind attacks is financial gain.
Why do risk assessment?
- Everyone should be working to improve their cybersecurity posture.
- First things to do with limited budget are to focus on security awareness training and vulnerability scanning.
- Of the five steps in the risk assessment process, the DBIR supports two: identifying risks and analyzing them.
Risk Mitigation Recommendations
- Use the CIS Controls from the Center for Internet Security: cisecurity.org
- Implementation Groups (IGs) scale with an organization's need and resources: IG1 “foundational” (56 safeguards), IG2 (74 additional safeguards), and IG3 “sophisticated” (23 further safeguards). Each group builds on the one before it.
Top five attacks
- Malware
- Ransomware
- Web application hacking
- Insider privilege and misuse
- Targeted intrusions
CIS Controls to consider, grouped by the DBIR pattern they address:
- System intrusion and ransomware
  - Email and web browser protections (CIS Control 9)
  - Malware defenses (CIS Control 10)
  - Data recovery (CIS Control 11)
  - Security awareness and skills training (CIS Control 14)
- Social engineering
  - Account management (CIS Control 5)
  - Access control management (CIS Control 6)
  - Security awareness and skills training (CIS Control 14)
  - Incident response management (CIS Control 17)
- Errors
  - Data protection (CIS Control 3)
  - Continuous vulnerability management (CIS Control 7)
  - Security awareness and skills training (CIS Control 14)
  - Application software security (CIS Control 16)
No organization will ever be 100 percent protected, but pay attention to the DBIR because:
- The more you know about cyber threats you face, the better your chances of keeping your data secure.
- Helps you learn where to focus your attention.
- The report is interesting as well as valuable.