AlgoBuzz Blog

Once more unto the breach: lessons from Verizon’s Data Breach Investigations Report

In the infosecurity sector, spring is the season of reports, with several leading vendors (AlgoSec included) releasing detailed reports on industry trends and incidents. One of the most established is the Verizon Data Breach Investigations Report (DBIR), which analyzes the types and frequencies of security incidents worldwide over the previous year and gives security and networking teams useful guidance on improving their organization’s security posture. Here are four of the report’s key takeaways that we found particularly interesting, and some recommendations on how to address them.

Speed – and segmentation – is of the essence

The DBIR highlights the remarkable speed with which many cyberattacks happen: the report puts the time it takes attackers to compromise a system at 92 minutes or less on average. Of course, the real damage occurs after that initial compromise. As we blogged earlier this year, the initial breach is typically followed by an extended period of lateral movement through the network, during which the attacker seeks out sensitive data.

While the initial intrusion may be very difficult or even impossible to prevent entirely, intelligent network segmentation can dramatically limit the damage an APT is able to do. Rather than fruitlessly trying to prevent every intrusion outright, organizations should focus on making life as difficult as possible for attackers once they are inside the perimeter. Network segmentation is a highly effective way of limiting the impact of almost all of the attack patterns covered in the DBIR, from web application attacks to point-of-sale intrusions, and from insider and privilege misuse to physical theft of devices. With effective segmentation in place, it matters far less whether the attackers have stolen a set of passwords, social-engineered their way to administrative privileges or launched malware into the network: every hop toward the sensitive data they are ultimately after has to cross a policy boundary that denies it by default. The caveat is that segmentation only delivers this if the rules between zones are genuinely restrictive (default deny, with explicit allows for known flows) and are reviewed for the chained paths an attacker could pivot along, since a policy that permits each hop individually still permits the full path.
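
The chained-path caveat is easy to check mechanically. The following is an added example, not AlgoSec code or anything from the DBIR: a small default-deny zone policy and a reachability walk that reports the "blast radius" of a foothold in a given zone. The zone names, rules and the foothold are assumptions made up for the illustration.

```python
"""Blast-radius check for a zone-based segmentation policy.

Added illustration, not AlgoSec code. The zone names, rules and footholds
below are assumptions made up for the example; substitute your own policy.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # None means any port
    allow: bool = True


# Hypothetical default-deny policy: anything not listed here is dropped.
POLICY: List[Rule] = [
    Rule("internet", "dmz_web", 443),
    Rule("dmz_web", "app", 8443),
    Rule("app", "db", 5432),
    Rule("workstations", "dmz_web", 443),   # staff use the web app
    Rule("workstations", "internet", 443),  # browsing, via the proxy
    Rule("mgmt", "dmz_web", 22),
    Rule("mgmt", "app", 22),
    Rule("mgmt", "db", 22),
]

ALL_ZONES = {"internet", "dmz_web", "app", "db", "workstations", "mgmt"}


def is_allowed(policy: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; no match means deny (the default-deny stance)."""
    for r in policy:
        if r.src == src and r.dst == dst and (r.port is None or r.port == port):
            return r.allow
    return False


def reachable_zones(policy: List[Rule], foothold: str) -> Dict[str, List[str]]:
    """Zones an attacker can reach from `foothold` by chaining allowed flows.

    Pessimistic model: any zone the attacker is allowed to connect to is
    treated as fully compromised, which is what lateral movement after an
    initial breach looks like. Returns zone -> path of zone hops.
    """
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        zone = queue.popleft()
        for r in policy:
            if r.src == zone and r.allow and r.dst not in paths:
                paths[r.dst] = paths[zone] + [r.dst]
                queue.append(r.dst)
    return paths


def flat_network_policy() -> List[Rule]:
    """The unsegmented baseline: every zone may talk to every other zone."""
    zones = sorted(ALL_ZONES)
    return [Rule(s, d, None) for s in zones for d in zones if s != d]


if __name__ == "__main__":
    # A stolen workstation password cannot hit the database directly ...
    print("workstation -> db:5432 allowed?", is_allowed(POLICY, "workstations", "db", 5432))
    # ... but the chained path the policy permits is what a pivoting attacker follows.
    for zone, path in reachable_zones(POLICY, "workstations").items():
        print(f"segmented: {zone:<13} via {' -> '.join(path)}")
    print("flat network reaches:", sorted(reachable_zones(flat_network_policy(), "workstations")))
```

Run as-is, the direct workstation-to-database flow is denied, yet the walk shows the database is still three hops away (workstations to dmz_web to app to db) because each hop is individually sanctioned; the management zone, with no inbound allows, stays out of reach. That chained path is the finding a segmentation review is meant to surface, and the flat-network baseline shows what you gain by comparison.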

After an attack: getting the data out

As we’ve mentioned, the DBIR underlines how quickly most attackers are able to compromise their target network. It also looks at how long data exfiltration typically takes: a matter of days in 67.8% of cases. That window is another crucial opportunity to limit the damage caused by a successful breach. As Matt Pascucci previously recommended, a combination of proxy choke points (so that all web-bound traffic leaves through a small number of monitored hosts), firewall rules that prohibit risky outbound traffic and close unneeded outbound ports, and a comprehensive review of network security zones can help protect against malicious exfiltration of your data. Egress rules cut both ways: they block the channels you have not sanctioned, and a denied outbound connection from a server that should never talk to the internet is itself a high-value alert. So while keeping attackers out of the network entirely is almost impossible, keeping them from taking data out is far more achievable.
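
To make the choke-point and egress-rule advice concrete, here is an added example (ours, not AlgoSec’s and not from the DBIR) that reviews firewall log lines for three things: outbound web traffic that did not leave through the proxy, outbound flows on ports no host is allowed to use, and per-host outbound volume that exceeds a threshold even when the port itself is sanctioned. The log format, addresses, allow list, threshold and sample lines are all constructed for the illustration.

```python
"""Egress review over firewall log lines: proxy bypass, unexpected ports, volume.

Added illustration, not AlgoSec code. The log format, addresses, egress
allow list and threshold are assumptions constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical egress policy: only these (host, port) pairs may initiate
# outbound flows. Anything else reaching the internet has bypassed a choke point.
EGRESS_ALLOW = {
    ("10.1.0.10", 80), ("10.1.0.10", 443),  # web proxy (the choke point)
    ("10.1.0.53", 53),                      # DNS resolver
    ("10.1.0.25", 25),                      # mail relay
}
VOLUME_THRESHOLD = 100 * 1024 * 1024        # 100 MiB outbound per host over the window

# Constructed log format, loosely modelled on key=value firewall syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2016-05-03T14:02:11 src=10.1.0.10 dst=203.0.113.9 dport=443 proto=tcp action=allow bytes_out=40960",
    "2016-05-03T14:02:15 src=10.1.4.23 dst=198.51.100.7 dport=443 proto=tcp action=allow bytes_out=5120",
    "2016-05-03T14:02:20 src=10.1.9.5 dst=198.51.100.7 dport=22 proto=tcp action=deny bytes_out=0",
    "2016-05-03T14:03:01 src=10.1.0.53 dst=203.0.113.53 dport=53 proto=udp action=allow bytes_out=157286400",
    "2016-05-03T14:03:05 src=10.1.4.23 dst=10.1.9.5 dport=5432 proto=tcp action=allow bytes_out=2048",
    "2016-05-03T14:03:09 src=10.1.0.25 dst=203.0.113.25 dport=25 proto=tcp action=allow bytes_out=2048",
]

Finding = Tuple[str, str, str]  # (src, dst, code)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    volume: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Only internal -> external flows are egress; internal chatter is out of scope here.
        if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
            continue
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        if rec["action"] == "deny":
            # The firewall did its job; the attempt is still worth an alert.
            findings.append((src, dst, "denied_egress"))
            continue
        if (src, dport) not in EGRESS_ALLOW:
            code = "proxy_bypass" if dport in (80, 443) else "unexpected_port"
            findings.append((src, dst, code))
        volume[src] += int(rec["bytes"])
    # Sanctioned channels can still carry stolen data (DNS tunnelling is the classic),
    # so per-host outbound volume is checked independently of the port rules.
    for src, total in sorted(volume.items()):
        if total > VOLUME_THRESHOLD:
            findings.append((src, "*", "volume"))
    return findings


if __name__ == "__main__":
    for src, dst, code in analyze(SAMPLE_LOG):
        print(f"{code:<15} {src} -> {dst}")
```

On the sample lines this flags the workstation that went straight to an external host on 443 instead of through the proxy, the database server whose outbound SSH attempt the firewall denied, and the DNS resolver that pushed 150 MiB outbound on a port it is allowed to use. The proxy and mail relay pass, and the internal workstation-to-database flow is ignored because it is not egress.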

Password protected?

63% of confirmed data breaches in the DBIR involved leveraging weak, default or stolen passwords, a clear sign that effective password practices are still not being followed by the majority of employees. Far from the old advice to never, ever write down your passwords, AlgoSec’s advice is to use a different password for every service a user accesses, and then to store them in a secure, remotely wipeable password manager. Passwords should also be categorized according to importance, and, contrary to common belief, there is no need to change a password on a fixed schedule if it is unique to that particular service, long enough that an automated password cracker cannot break it, and not already present in a known breach. A password that fails any of those tests, or that belongs to a service that has announced a compromise, should be changed immediately rather than at the next scheduled rotation.
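
Those three tests (unique per service, not breached, long enough) can be run over a vault rather than left to each user. The following is an added example, not AlgoSec code: it audits a constructed vault for reuse, length and presence in a breach corpus, then turns the result into a rotate-now-or-keep decision per the rule above. The vault entries and the breached-hash set are made up; the prefix lookup imitates offline the k-anonymity "range" style of query in which only the first five hex characters of the SHA-1 leave the client.

```python
"""Audit a password vault: unique per service, not breached, long enough.

Added illustration, not AlgoSec code. The vault entries and the breach corpus
are constructed for the example; `breached_suffixes` stands in for a real
k-anonymity range query against a breach service.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MIN_LENGTH = 12  # assumption: favour long passphrases over composition rules


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus, kept as SHA-1 the way range-style breach services do.
BREACHED_HASHES: Set[str] = {sha1_hex(p) for p in ["password", "Summer2016!", "letmein", "Welcome123"]}


def breached_suffixes(prefix5: str) -> Set[str]:
    """Stand-in for a k-anonymity range query: given the first 5 hex chars of a
    SHA-1, return the suffixes of every breached hash sharing that prefix.
    The caller never reveals the full hash, let alone the password."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in breached_suffixes(h[:5])


Entry = Tuple[str, str, str]  # (service, tier, password); tier is 'high' or 'low'


def audit_vault(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return service -> list of issues. An empty list means the entry passes."""
    issues: Dict[str, List[str]] = {service: [] for service, _, _ in entries}
    by_password: Dict[str, List[str]] = defaultdict(list)
    for service, _, pw in entries:
        by_password[pw].append(service)
        if len(pw) < MIN_LENGTH:
            issues[service].append("too_short")
        if is_breached(pw):
            issues[service].append("breached")
    for services in by_password.values():
        if len(services) > 1:  # the same secret guards more than one service
            for s in services:
                others = ",".join(sorted(x for x in services if x != s))
                issues[s].append(f"reused_with:{others}")
    return issues


def rotation_plan(entries: List[Entry], compromised_services: Set[str]) -> Dict[str, str]:
    """No calendar rotation: rotate now only when an entry fails a check or its
    service has announced a compromise. The tier is carried so high-value
    accounts can be handled first."""
    issues = audit_vault(entries)
    plan: Dict[str, str] = {}
    for service, tier, _ in entries:
        if service in compromised_services:
            plan[service] = f"rotate[{tier}]:service_compromised"
        elif issues[service]:
            plan[service] = f"rotate[{tier}]:" + "|".join(issues[service])
        else:
            plan[service] = "keep"
    return plan


# Constructed vault; nothing here is a real credential.
VAULT: List[Entry] = [
    ("bank", "high", "correct horse battery staple"),
    ("email", "high", "Summer2016!"),
    ("forum", "low", "Summer2016!"),
    ("vpn", "high", "tr0ub4dor&3"),
    ("newsletter", "low", "a long and boring passphrase"),
]

if __name__ == "__main__":
    for service, decision in rotation_plan(VAULT, {"newsletter"}).items():
        print(f"{service:<11} {decision}")
```

On the constructed vault, the bank password is kept, the email and forum passwords are flagged for rotation because they are short, breached and shared with each other, the VPN password is flagged only for length, and the newsletter password is rotated purely because that service is marked compromised.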

Making two-factor authentication work

Another key takeaway from the report is that two-factor authentication is a recommended defense against web application attacks, one of the most common attack patterns observed in the DBIR. Two-factor authentication should be deployed wherever it is available, and certainly for remote access, administrative accounts and any application that fronts sensitive data. But, as with any control that governs access to data or network resources, it can fail: one-time codes can be phished in real time, a code can be replayed if the server is willing to accept it twice, and a stolen session cookie bypasses the login step entirely. It must therefore be complemented with robust internal network segmentation, to minimize damage if and when it does.

As the Verizon report concludes, “no system is 100% secure, but too many organizations are making it easy for them … this means a lot of the breaches we’ve seen were avoidable, if organizations had put in place some basic security measures.”
