Verizon Breach Report: An AnalysisSecurity Leaders on How India Must Respond to Trends
Verizon's recently released 2015 Data Breach Investigations Report finds that even as attacks rapidly increase in complexity, cybercriminals still rely on tried-and-true techniques such as phishing to compromise organizations.
Part of the problem: Many vulnerabilities traceable as far back to 2007 still exist and are being exploited, primarily because patches have never been implemented by organizations. With the increasing focus on cybersecurity and data breaches in the mainstream, the findings suggest that defenders continue the tradition of being one step behind the attackers, playing catch-up with basic security hygiene, such as patch management and security awareness.
Verizon's report contains a detailed analysis of almost 79,000 incidents, including 2,122 confirmed data breaches.
"While the report historically focused on data relating to 'data disclosures,' this year the data set was broadened to examine threats that contribute to breaches [but don't yet constitute a breach] and those things that continue to present threats beyond a data breach," says Sumeet Singh, head of security engineering, Asia Pacific, Verizon Enterprise Solutions.
Following the global release of the report on April 14, Information Security Media Group now explores the specific implications for security leaders in India.
"Phishing continues to be on the rise despite organizations, industries and other bodies spending significant efforts on social engineering defense awareness, with 23 percent of recipients opening phishing messages and 11 percent of recipients clicking on attachments," Singh says. Based on available data, defenses are improving, but still are not outpacing attackers.
"Awareness is being recognized as a critical component in the strategy to tackle cyberthreats, but the efforts are like flashes in the pan," says Dinesh Bareja, a leading independent security analyst and founder of the Open Security Alliance. "With no measurement of success, no professional intervention for program delivery, an already difficult task becomes dangerous if you add the Indian cultural disposition to trust divine intervention."
For instance, experts in India are familiar with patch management woes. The IT space stands on technology that has roots older than 2007, and the development process/practice mindset has the same legacy. Unpatched systems are the bane of IT in any enterprise, and many smaller organizations do not even know what patches are, Bareja says.
"Embedded software and the client/server software are all developed without any considerations for security," he says. "Challenges in India are the acceptance of risk in the face of convenience or ignorance."
Technology alone cannot combat cyberthreats, says Sanchit Vir Gogia, chief analyst and group CEO at Delhi, India-based Greyhound Research. Along with investing heavily in security products and services, companies need to spend on people and training. Providing training to local technology service providers to create security awareness will also propel enterprise security adoption in India, he believes.
Mobile Threat Overblown?
The findings indicate that, in general, mobile threats are overblown, with the overall number of exploited security vulnerabilities across all mobile platforms being negligible. Despite the increasing interest in evaluating mobile threats, the findings suggest that it's not a significant source of data breaches.
"Most infections are adware-based and don't include data disclosures. If we strip away 'low-grade', 'adnoyance' malware, we saw 100 mobile devices compromised per-week - seemingly high at first look, but low compared to the sample we analyzed," Singh explains.
Bareja however, argues that mobile is ubiquitous today, and it will be prudent to avoid writing off the mobile threat because enterprise apps are increasingly being built for the mobile platform. And the development practices, at least in India, are inherently weak.
Other Key Insights
Miscellaneous errors, crimeware, insider threats and privilege misuse account for 75 percent of all security incidents, the report finds. Greyhound's Gogia says, given that large number of organizations in India, including SMBs, are moving workloads to the cloud, security threats have become more complex. Furthermore, with increasing dependence on third parties and managed service providers, enterprises first need to identify the existing complexities, both in-house as well externally. Weak data security laws add to the dismal picture, he says.
Malware continues to be a huge problem, with organizations reporting a total of 170 million malware events among them. The report also notes a rise in malware with unique signatures. "Attackers are using sophisticated techniques and customization to make it difficult for organizations to solely rely on signature-based malware detection - between 70 to 90 percent of the malware samples are unique to organizations," says Bob Rudis, a data scientist at Verizon and manager of its security research team, in an interview with ISMG.
This may not necessarily be because they were victims of targeted attacks - hackers now have a very robust infrastructure to uniquely package malware to bypass signature based detection, he says, highlighting the need of smarter and adaptive approaches.
The report finds that sophisticated attacks using "RAM scrapping" have grown, being present in some of the most high-profile retail data breaches of the year.
The research also suggests that although threat intelligence sharing is rapidly on the rise, it is important to focus on quality rather than quantity when it comes to threat intel. Organizations would need access to all threat intelligence indicators in order for the information to be helpful. The intel itself has a shelf life which needs to be recognized, the report notes.
"Threat and Incident Information sharing among public and private agencies is key to success. CERT-IN and other such agencies are already doing some work around this," Singh says. The standard practice of organizing information-sharing groups and activities according to broad industries is less than optimal - it might even be counterproductive, the report notes. More cross-sharing of information is needed to close the gap between attack speed and sharing speed, it states.
Bareja believes that, in India, information sharing is all talk from what he has seen in the industry. "Lately there is talk around a platform for banks. And further such initiatives, if taken up by any agency, will be of immense help in closing the gap," he says.
Security Investments 2015
Verizon's Singh sees continued investment in security awareness as an imperative, especially for a region like India where insider threats are a growing concern. "People are a common denominator when we look at the top patterns across all security incidents - be it sending an email to the wrong person, failing to shred confidential information, or taking advantage of their position to harvest confidential data," Singh says.
The finance sector in India has seen tremendous growth of digital banking through mobile, Web and cell phones over the past few years, and many organizations may now be seriously shopping for data loss prevention systems, he says.
Singh says that identity and authentication will be a focus area for practitioners this year. The use of two-factor authentication for Web applications, even by customers, will go a long way toward keeping organizations secure. Given malware-based attacks are on the rise, practitioners are going to focus on modern malware detection and remediation tools - traditional anti-virus tools are not helpful in zero-day attacks and are ineffective to advanced vulnerabilities. Reviewing user behavior and watching data transfer can be the focus to combat insider threat and misuse, he adds.