Friday, April 17, 2015

Breach report blames the usual suspects

The annual Verizon data breach investigations report came out this week with findings that show that the biggest threats are not new or unknown, but the same vulnerabilities that have plagued IT for years.


It's been said that the only difference between a problem and a solution is that people understand the solution. Maybe not when it comes to IT threats. 97% of the exploits in the report had a remedy available for more than a year. This means that despite solutions being available, they aren't finding their way into the field, whether that means better patching strategies or user education such as awareness of phishing scams.

90% of the issues in the Verizon report can be attributed to four categories all associated with human error or misuse:

  • Misc Errors
  • Crimeware
  • Insider Misuse
  • Lost/Stolen Devices

Getting humans out of network management can go a long way toward making networks more secure. Routine, repetitive tasks are always ripe for shortcutting, and shortcutting often leads to inadvertent security risks. Take closing out sessions on a device: it only takes a few seconds, but it's easy to just unplug and move on to something else. Tools like Uplogix can ensure that all sessions with devices are closed out, eliminating that risk.

When it comes to human errors, the report included a friendly-sounding chart summarizing mistakes that are actually very serious:

  • "D'oh!": Sensitive information reaching incorrect recipients (30% of incidents)
  • "My bad!": Publishing nonpublic data to public web servers (17% of incidents)
  • "Oops!": Insecure disposal of personal and medical data (12% of incidents)

It's a Verizon report, so what about mobile? The researchers seemed pretty surprised to find that less than 0.03% of mobile devices had destructive malware. This was less than they expected, and they attributed it to the fact that the pickings are still so easy on computers that there isn't a big driver to invest the R&D in mobile devices yet.

Pretty much the same story in the Internet of Things. Lots of press, lots of concern about vulnerabilities, but not a lot actually going on from an attack perspective. No big new threat vectors - just the same core challenges, with people squarely the biggest threat. Still, the goal of the IoT is to get people out of the way and let machines talk to machines. See how Uplogix can help out there too.