shortridge, to Cybersecurity
@shortridge@hachyderm.io

The 2024 Verizon Data Breach Investigations Report (#DBIR) is out this morning, and I make sense of it in my new post: https://kellyshortridge.com/blog/posts/shortridge-makes-sense-of-verizon-dbir-2024/

I focused on what felt like the most notable points, from #ransomware to MOVEit to web app pwnage to #GenAI and more.

I have insights, quibbles, and hot takes as always — but the fact remains it’s our best source of empirical data on cyberattack impacts. If you’re a #cybersecurity vendor, please consider contributing data to it.

andrewbrandt, to ukteachers
@andrewbrandt@toot.bldrweb.org

Verizon's Data Breach Investigations Report covers a lot of sectors of society, including #education. This year's #DBIR reports that 98% of breaches and #cybercrime affecting schools were financially motivated.

What was that famous thing a bank robber once said about going where the money is? Is someone going to tell them?

https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf

alexcpsec, to random

Just a quick reminder:

Next week we close the data collection window for the 2024 #DBIR.

If your org has been sitting on YET ANOTHER 3rd party breach affecting your company, please make it public before Oct 31st and help a DBIR author out. 🫠

kevincollier, to random
@kevincollier@mastodon.social

Anybody know of a good service that tracks total annual US data breaches and number of victims? I know of the Identity Theft Resource Center and HaveIBeenPwned (which doesn't do comprehensive reports, afaik). But ideal would be comprehensive, authoritative historical data that goes back 20 years

PogoWasRight,

@douglevin @kevincollier

I don't like #ITRC for such purposes because they only used data from incidents involving SSN and were focused on identity theft. They never included incidents with only PHI or sensitive personal data if it wasn't likely to lead to ID theft. I prefer #DBIR, but keep in mind it's a bit narrower than what you might want as it only includes confirmed breaches.

Did you check the FTC Sentinel reports to see what they can give you?

PogoWasRight, to random

For those who blame employees for breaches or who think occasionally running a phishing exercise will suffice:

Looking at Verizon DBIR's key insights:

74% of all breaches include the human element through Error, Privilege Misuse, Use of stolen credentials or Social Engineering

So... is C-Suite really investing enough and doing enough to "human-proof?" With numbers like these, will class action lawyers be able to argue more convincingly that management was negligent if it didn't do more to human-proof against breaches?

Get the DBIR report at https://www.verizon.com/business/resources/T157/reports/2023-data-breach-investigations-report-dbir.pdf

#statistics #databreach #DBIR #Verizon #analyses #insider #insiderthreat #error #phishing #SocialEngineering #PrivilegeMisuse #infostealers

shortridge, to random
@shortridge@hachyderm.io

I received an early copy of this year’s Verizon Data Breach Investigations Report (#DBIR) because I'm such a thot leader so I wrote a post with my thots and hot takes about it: https://kellyshortridge.com/blog/posts/kellys-kommentary-on-verizon-dbir-2023/

read it to sound smart to your colleagues or if you actually enjoy empirical data rather than performing the crude rituals of traditional infosec where risks are divined from the musty ether...

thread incoming with tl;dr snippets for mortals with no attention span:

shortridge,
@shortridge@hachyderm.io

Yet again, the #DBIR data shows 94.6% of breaches are financially driven.

It's a reminder for us to invest in security that addresses reals rather than feels; and a reminder that the best way to hurt attackers, whether at local or macro scales, is to poison their ROI.

For the software engineers among you, remember this when your chicken little security team squawks about APT nation state quantum threats or whatever and throw the evidence in their face.

full post: https://kellyshortridge.com/blog/posts/kellys-kommentary-on-verizon-dbir-2023/

1/N

shortridge,
@shortridge@hachyderm.io

Pretexting doubled this past year per the #DBIR! Attackers are using employees' email access to insert themselves into existing threads to ask a target victim to perform some sort of task.

I find this funny because I spend a lot of effort avoiding being included in email threads, so honestly I respect the hustle and grind here a bit.

Also worth noting the median payoff of pretexting is 5X that of ransomware...

full post: https://kellyshortridge.com/blog/posts/kellys-kommentary-on-verizon-dbir-2023/

2/N

shortridge,
@shortridge@hachyderm.io

Ransomware's proportion of breaches stayed flat (~24%) in this year's #dbir and 93% of ransomware incidents had no loss.

Otherwise, the lower bound was just $1.00; you can't even get a slice of pizza in NYC for that anymore!

The median loss was $26,000, which I calculate to cover the annual EDR bill for a meager ~350 endpoints... 👀

full post: https://kellyshortridge.com/blog/posts/kellys-kommentary-on-verizon-dbir-2023/

3/N

shortridge,
@shortridge@hachyderm.io

Log4Shell wasn't quite the bombshell we anticipated -- only ~0.4% of incidents in the #DBIR data -- but I think we should also be proud of our efforts to make it a non-event.

Also worth noting is 73% of Log4J cases were for espionage purposes; I muse on why that might be in the blog post...

And I also rant about SBOMs in the Log4J section: https://kellyshortridge.com/blog/posts/kellys-kommentary-on-verizon-dbir-2023/

4/N

shortridge,
@shortridge@hachyderm.io

According to the #DBIR 41% of breaches involve mail servers (not just sending and receiving email).

Okay, but why the fuck is anyone still rolling their own mail server??? It isn't even convenient! Some real bottom energy there. Entirely unserious behavior.

5/N

shortridge,
@shortridge@hachyderm.io

Desktop sharing isn’t caring... Desktop sharing software was right behind email as the top "action vector" for ransomware in the #DBIR.

I call out Microsoft specifically in my blog post, although I don't have much hope in things changing since they make money off these features to give customers' leadership the ability to spy on employees...

full post: https://kellyshortridge.com/blog/posts/kellys-kommentary-on-verizon-dbir-2023/

6/N

brianhonan, to random
@brianhonan@mastodon.social

Woohoo, the 2023 Verizon #DBIR is now available. This is one of the best reports out there for real stats on what is going on regarding breaches. Glad that @irisscert continues to be a #DBIR partner.

My reading is now sorted for the rest of the week.

https://www.verizon.com/business/resources/reports/dbir
