CIO

Data-breach rogue's gallery highlights treachery of human error, executive misunderstanding

A compendium of information-security horror stories contextualises current threat scenarios in a way that makes them more accessible and relevant to senior managers inured to the steady stream of doomsday security statistics, according to a senior security-response executive who notes a continuing scourge of human error and “tremendous commonality” between the experiences of companies around the world.

Released this week, the Verizon Data Breach Digest (DBD) has been positioned as a complement to the company's Data Breach Investigation Report (DBIR), a voluminous annual report that has become a statistical almanac of sorts across the information-security industry.

The names and some figures have been changed to protect the innocent in the 18 different real-world scenarios highlighted in the report, Verizon Asia Pacific and Japan managing principal for investigative response Ashish Thapar told CSO Australia, but the stories they tell are timely and relevant for anyone even a little bit concerned about information security.

CSOs “often have to spend a lot of time explaining the DBIR to non-IT-security people,” Thapar explained, “and having it played out in scenarios makes it a lot more concrete. People don't have endless security budgets, and we want to help them understand where the real threats are – and where they can get the best bang for the buck in terms of putting preventative, detective and response type controls in place.”

Scenarios in the report cover four key categories of attack – the human element, conduit devices, configuration exploitation, and malicious software – and include social engineering, infections from USB devices, CMS compromises, RAM scraping, and data ransomware.

Of these, the human element remains “the weakest link in the security chain,” Thapar said, noting that many attackers have realised “there is no point trying to brute-force or exploit the vulnerability in particular hardware or software when they can just exploit the tendencies of the human. These reports open up the eyes in terms of how things can go so badly wrong.”

Some of the attacks illustrated in the report – dressed up in catchphrases like 'the Bad Tuna', 'the Boss Hogg', and 'the Rabbit Hole' – will resonate a little too closely for CSOs and business executives who have long wrestled with the increasing surge of malicious attacks.

The situation isn't helped by continuing misperceptions that information security is still largely a technological issue: one recent survey of CISOs from security-industry group ISACA, released at this week's RSA conference, found that 82 percent agreed that their boards of directors are concerned or very concerned about cybersecurity – but that only 1 in 7 of those CISOs reports to the CEO.

All indicators suggest security professionals see the threat climate getting worse, not better: just 75 percent said they were confident in their team's ability to detect and respond to incidents in 2015, down strongly from 87 percent in 2014.

Growing use of Internet of Things (IoT) technologies was fingered by those CISOs as a key issue, with 53 percent concerned or very concerned that IoT will expand attack surfaces further and exacerbate cyber risks.

Anecdotes about IoT-related compromises proved to be a surprise for the Verizon team – which investigates hundreds of data breaches every year – when analyses showed how a data-based breach could have a real physical impact: one scenario, for example, saw pirates breaking into a cargo management system to target a real-world theft.

“I see these potential impacts on the world only increasing as we see the Internet of Things growing,” Verizon Enterprise Solutions security solutions consultant Aaron Sharp said. “Having these things interconnected can really impact the real world.”