Highlights from Verizon DBIR 2019 - Security Boulevard


Here is my traditional “reading the DBIR aloud” post. Read the entire thing, BTW, and not only my favorites below:

  • “56% of breaches took months or longer to discover” <- we need to start this on a depressing note, otherwise, how can we be card-carrying security professionals? 🙂
  • “Errors were causal events in 21% of breaches” <- perhaps mundane, but it reminds us that in many cases (great example), the attacker does not have to work all that much because somebody left the door open…
  • In fact, “… the presence of insiders is most often in the form of errors” (so, nope, still nobody cares … except perhaps this: “healthcare stands out due to the majority of breaches being associated with internal actors.”)
  • “At most, six percent of breaches in our data set this year involved exploiting vulnerabilities.” [What did they involve then? Glad you asked! But, hey, you already know the answer – “phishing and stolen credentials”…]
  • “Malware delivery method: email – 94%” [Anybody here thinks email security is solved, eh? Is anything solved in security?]
  • “breaches with compromised payment cards [hi PCI DSS!] are becoming increasingly about web servers” [personally, I blame DevOps for this nice bit of depressing backwards security movement :-)]
  • In fact, things are more fun on the web: “The web application compromises are no longer attacks against data at rest. Code is being injected to capture customer data as they enter it into web forms.” [So, stop whining about PCI DSS, will you? This scenario has been well-covered by QSAs for years, it's just that some clients didn’t want to hear it and relied on the “but we don’t store cards” excuse …]
  • “It is important to acknowledge that there will always be [vulnerability] findings. The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities; and to be able to defend acceptance of unaddressed findings.” [this is literally the entire art and science of vulnerability management in one pithy line. Kudos to authors!]

There you have it!


P.S. This year the report is again very readable and fun, better than last year’s for sure. Thanks Alex? 🙂

Past blog posts about DBIR:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2019/05/10/highlights-from-verizon-dbir-2019/