Here is my traditional “reading the DBIR aloud” post. Read the entire thing, BTW, and not only my favorites below:
- “56% of breaches took months or longer to discover” <- we need to start this on a depressing note, otherwise, how can we be card-carrying security professionals?

- “Errors were causal events in 21% of breaches” <- perhaps mundane, but it reminds us that in many cases (great example), the attacker does not have to work all that much because somebody left the door open…
- In fact, “… the presence of insiders is most often in the form of errors” (so, nope, still nobody cares … except perhaps this: “healthcare stands out due to the majority of breaches being associated with internal actors.”)
- “At most, six percent of breaches in our data set this year involved exploiting vulnerabilities.” [What did they involve then? Glad you asked! But, hey, you already know the answer – “phishing and stolen credentials”…]
- “Malware delivery method: email – 94%” [Anybody here thinks email security is solved, eh? Is anything solved in security?]
- “breaches with compromised payment cards [hi PCI DSS!] are becoming increasingly about web servers” [personally, I blame DevOps for this nice bit of depressing backwards security movement :-)]
- In fact, things are more fun on the web: “The web application compromises are no longer attacks against data at rest. Code is being injected to capture customer data as they enter it into web forms.” [So, stop whining about PCI DSS, will you? This scenario has been well-covered by QSAs for years, it’s just that some clients didn’t want to hear it and relied on the “but we don’t store cards” excuse …]
- “It is important to acknowledge that there will always be [vulnerability] findings. The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities; and to be able to defend acceptance of unaddressed findings.” [this is literally the entire art and science of vulnerability management in one pithy line. Kudos to authors!]

There you have it!

P.S. This year the report is again very readable and fun, better than last year’s for sure. Thanks Alex?

Past blog posts about DBIR:
Highlights from Verizon DBIR 2018 [BTW, the 2018 one was the only DBIR I didn’t quite like…]
*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2019/05/10/highlights-from-verizon-dbir-2019/

