BREACH DATA

VERIZON 2017 DBIR: BASIC CYBERSECURITY FOCUS MISPLACED

Fundamental security measures like limiting password reuse and implementing multifactor authentication could have major benefits, according to the report.

By Michael Heller

INFORMATION SECURITY | JUNE 2017
A GROWING THEME of recent Verizon Data Breach Investigations Reports is how often a lack of basic cybersecurity plays a part in breaches and security incidents, but the 2017 edition also suggests that vulnerability patching may not be as impactful as once thought.
Dave Hylender, senior risk analyst at Verizon Business, said the aim of the Verizon DBIR was to focus on
the data and to “keep opinion out of it” whenever possible
because it could be difficult to give cybersecurity recommendations to the diverse audience of the DBIR.
However, experts noted that the data alone was
enough to highlight basic cybersecurity practices that
were failing, such as limiting password reuse and implementing multifactor authentication (MFA).
According to the Verizon 2017 DBIR, 81% of hacking-related breaches used “stolen passwords and/or weak or guessable passwords,” up 18 percentage points from the 63% reported in the previous year’s edition.
Hylender said the issue was exacerbated by the fact that
almost every website asks you to log in before even minor
tasks, so even if the credentials aren’t that important to one site, they could “be incorporated into a massive attack” based on password reuse.

Figure: Types of Data Record Loss. Number of records per data variety (personal, credentials, payment, medical, bank, internal, other) over time, 2010 to 2016. Values labeled on the chart: 1,603,721,691; 1,423,307,950; 1,058,069,356; 831,886,584; 278,873,131; 249,662,494. Source: Verizon 2017 Data Breach Investigations Report.
“Data types that are apt to be stored in bulk have some
monster numbers associated with them, with personal
data and credentials totaling in the billions some years,”
Verizon wrote in the report. “It should be noted that
some of the credentials may be hashed and some may be
salted to strengthen the encryption, but the sheer volume
of records speaks … well, volumes.”
MFA ISSUES AND WEB APPLICATION ATTACKS
Verizon also found that web application attacks were the
No. 1 attack pattern in confirmed breaches with almost
twice as many instances (571) as the second-ranked pattern, cyberespionage (289). And the use of stolen credentials was the most frequent hacking method used in web
application attacks.
Rick Holland, vice president of strategy at Digital
Shadows, said this is especially dangerous because password reuse and “credential theft can be another force
multiplier for attackers.”
“There are so many attack options, and credential exposure has been industrialized, so it isn’t surprising to see
it continue to dominate the headlines,” Holland said. “Exposed email addresses can be targeted for deploying malware. These large data sets can also be used for extortion.
Credential stuffing can be used to automatically submit
usernames and passwords to log in to user accounts. Credential reuse for corporate accounts can result in account
takeovers pivoting from a consumer account to a domain
account.”
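Holland’s description of credential stuffing above is the pattern a web application’s login log shows from the defender’s side: one source trying many different usernames, mostly failing, with the occasional success that is the account takeover to chase. The following is an added example, not code from the article, from Verizon or from Digital Shadows, of a detector for that pattern run over a handful of constructed log lines. The log format, the field names, the IP addresses and the thresholds (five or more distinct usernames inside a five-minute window with a success rate of 20% or less) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-app login events (not real traffic). The line
# format "ts ip POST /login user=<name> result=OK|FAIL" is an assumption
# made for this example. 203.0.113.7 plays the credential-stuffing source;
# 198.51.100.4 is a legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z 198.51.100.4 POST /login user=alice result=FAIL
2017-06-01T10:00:09Z 198.51.100.4 POST /login user=alice result=FAIL
2017-06-01T10:00:15Z 198.51.100.4 POST /login user=alice result=OK
2017-06-01T10:01:00Z 203.0.113.7 POST /login user=alice result=FAIL
2017-06-01T10:01:02Z 203.0.113.7 POST /login user=bob result=OK
2017-06-01T10:01:04Z 203.0.113.7 POST /login user=carol result=FAIL
2017-06-01T10:01:06Z 203.0.113.7 POST /login user=dave result=FAIL
2017-06-01T10:01:08Z 203.0.113.7 POST /login user=erin result=FAIL
2017-06-01T10:01:10Z 203.0.113.7 POST /login user=frank result=FAIL
2017-06-01T10:01:12Z 203.0.113.7 POST /login user=grace result=FAIL
2017-06-01T10:02:30Z 198.51.100.9 POST /login user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.2):
    """Flag source IPs that, within any sliding time window, attempted logins
    for many distinct usernames with a low success rate.

    Returns {ip: {"attempts", "distinct_users", "successes", "compromised"}}
    for each flagged IP, describing the widest window that tripped the rule.
    "compromised" lists accounts the source logged into successfully; those
    are the account-takeover candidates to act on first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {x["user"] for x in span}
            successes = sum(1 for x in span if x["ok"])
            if (len(users) >= min_distinct_users
                    and successes / len(span) <= max_success_rate):
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": successes,
                    "compromised": sorted(x["user"] for x in span if x["ok"]),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinct-username threshold is what separates stuffing from a user fumbling their own password, and it also catches password spraying (one password tried across many accounts). A brute-force attack against a single account never crosses it and needs a per-user failure counter instead. The accounts in the `compromised` list are the ones to force a password reset on first, since a successful stuffing hit is by definition a reused password.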
Experts, however, were divided on whether there was
hope for improving basic cybersecurity around credentials,
and Verizon even noted the risks of SMS-based MFA.
David Shearer, CEO of (ISC)2, said he would at least
like to “think there’s hope for reducing credential compromises by leveraging MFA.
“There’s still resistance by many users to use MFA because, depending on the solution employed, users complain it’s an additional step that they find inconvenient.
MFA properly deployed does not have to affect productivity. Leadership needs to support their respective
cybersecurity program by setting an example of using
strong passwords and MFA,” Shearer said via email. “That
said, the bad actors will continue to evolve their tactics,
and MFA may not be enough at some point. I think the
first step for any organization is to do all you can to ensure you’re not an easy target by getting the fundamentals
in place and sustained. From there, you can mature your
cybersecurity program.”
Ilia Kolochenko, CEO of web security company HighTech Bridge, was less optimistic.
“We cannot change people, and people will always
prefer simplicity to security by using same, similar or predictable passwords. We can change a technology but not
really a human,” Kolochenko said. “MFA is often incorrectly implemented and makes account compromise even
easier than before. Moreover, MFA is usually perceived as
‘another useless puzzle’ by the end users.”
Holland also said he doesn’t “expect password reuse to
significantly decrease anytime soon.
“MFA adds friction to the customer experience, and
that friction can cause consumers to go elsewhere,” Holland said. “Organizations must be aware of and balance
the credential-theft risks with customer acquisition costs
and retention.”
UBIQUITOUS APPS AND VULNERABILITY PATCHING
Headlines often focus on the latest zero-day vulnerabilities being exploited by attackers, but the Verizon 2017
DBIR showed a slightly different picture.
According to Verizon, one of the most popular ways
to spread malware was through a malicious Microsoft Office document because of the ubiquity of the application.
“Only a single-digit percentage of breaches in this DBIR involved exploiting a vulnerability,” the report claimed. “That is comforting, but it doesn’t mean we are condoning a moratorium on vulnerability scanning or patching vulnerabilities.”
Kolochenko said this data could be explained by “the
extreme complexity of modern information systems.”
“Our crown jewels can be stored in several clouds on
different continents, while the access to these clouds can
be stored on dozens of computers and mobile devices
across the world,” he said. “Modern targeted attacks involve complicated chained attacks, including social engineering, password re-usage and other not very technical
techniques.”
Figure: Vertical Industry Patch Cycle Comparison. Percent of findings fixed (0% to 100%) against weeks taken to fix the finding (0 to 12 weeks). Per-industry values, AUC* / COT**:

  Information     78.8% / 97.5%
  Manufacturing   83.6% / 92.0%
  Healthcare      77.5% / 85.0%
  Accommodation   55.1% / 66.0%
  Retail          57.3% / 62.0%
  Public          30.6% / 33.0%
  Finance         25.0% / 33.0%
  Education       12.4% / 18.0%

* Area under the curve (AUC): a measurement of how much potential vulnerability is addressed during the patch process. More simply, if you patch a large percentage of findings immediately, you will have a higher percentage in AUC than if you address those findings on day 80.
** Completed on time (COT): represents the percentage of findings that are addressed at some point within a patch cycle. The “leftovers” are findings that are still present in scans after a patch cycle is over. In the figure, all industries level off by week 12, so that is the duration for “on time” used for this example.
Source: Verizon 2017 Data Breach Investigations Report
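Both metrics in the figure’s footnote can be computed from nothing more than each finding’s time to fix. What follows is an added example, not Verizon’s code; the exact way the DBIR computes AUC is not given on this page, so the formula here is one reading of the footnote: COT is the share of findings fixed within the 12-week cycle, and AUC is the area under the “fraction of findings fixed by week t” step curve over that cycle, divided by the cycle length so that 1.0 means everything was fixed at week 0. A finding fixed in week t therefore contributes (12 - t)/12, and one fixed late or never contributes nothing. The two constructed organizations, FAST_ORG and SLOW_ORG, and their fix times are assumptions chosen to show that an identical COT can hide a very different AUC, which is the footnote’s day-80 point.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# The DBIR figure treats 12 weeks as the patch cycle, so "on time" means
# fixed by week 12.
CYCLE_WEEKS = 12.0


@dataclass(frozen=True)
class Finding:
    """One vulnerability-scanner finding for an organization.

    fixed_after_weeks is the week the finding stopped appearing in scans,
    or None if it was still present at the end of the cycle."""
    finding_id: str
    fixed_after_weeks: Optional[float]


def fraction_fixed_by(findings: Sequence[Finding], week: float) -> float:
    """Height of the 'percent of findings fixed' curve at a given week."""
    fixed = sum(
        1 for f in findings
        if f.fixed_after_weeks is not None and f.fixed_after_weeks <= week
    )
    return fixed / len(findings)


def completed_on_time(findings: Sequence[Finding],
                      cycle: float = CYCLE_WEEKS) -> float:
    """COT: share of findings no longer present when the cycle ends."""
    return fraction_fixed_by(findings, cycle)


def area_under_curve(findings: Sequence[Finding],
                     cycle: float = CYCLE_WEEKS) -> float:
    """AUC: area under the fraction-fixed step curve over [0, cycle],
    divided by the cycle length, so 1.0 means everything was fixed at
    week 0 and 0.0 means nothing was fixed inside the cycle.

    A finding fixed at week t stays fixed for the remaining (cycle - t)
    weeks, so it contributes (cycle - t) / cycle; a finding fixed after
    the cycle, or never, contributes 0. Summing those contributions is
    the same as integrating fraction_fixed_by(findings, t) from 0 to
    cycle and dividing by cycle."""
    total = 0.0
    for f in findings:
        t = f.fixed_after_weeks
        if t is not None and t <= cycle:
            total += (cycle - t) / cycle
    return total / len(findings)


def patch_metrics(findings: Sequence[Finding],
                  cycle: float = CYCLE_WEEKS) -> Tuple[float, float]:
    """Return (AUC, COT) as fractions in [0, 1]."""
    return area_under_curve(findings, cycle), completed_on_time(findings, cycle)


def _org(prefix: str, fix_weeks: Sequence[Optional[float]]) -> Tuple[Finding, ...]:
    return tuple(Finding(f"{prefix}-{i}", w) for i, w in enumerate(fix_weeks))


# Constructed organizations (assumptions, not DBIR data). Each has ten
# findings; both leave one unfixed and fix nine inside the cycle, so
# their COT is identical. FAST_ORG patches eight findings in week 1,
# SLOW_ORG patches the same eight in week 11.
FAST_ORG = _org("fast", [1.0] * 8 + [6.0, None])
SLOW_ORG = _org("slow", [11.0] * 8 + [6.0, None])


if __name__ == "__main__":
    for name, org in (("FAST_ORG", FAST_ORG), ("SLOW_ORG", SLOW_ORG)):
        auc, cot = patch_metrics(org)
        print(f"{name}: AUC {auc:.1%}  COT {cot:.1%}")
```

Run stand-alone it prints an AUC of 78.3% for FAST_ORG against 11.7% for SLOW_ORG, with COT at 90.0% for both. That gap is why the figure reports the two numbers side by side: COT alone would rate the two organizations identically, while AUC reflects how long the findings stayed exposed.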
Paul Calatayud, CTO at FireMon, said patching still
should be basic cybersecurity for any organization.
“It often fails because the responsibility is shared
across two organizations. Security teams identify the
vulnerabilities. Server and desktops teams then have to
patch,” he said. “If this program is not taking into account how the firewalls and other compensating controls
can reduce the risks of these exploits, IT departments
are often faced with a huge backlog of patches with no
prioritization.”
Verizon’s data on patching vulnerabilities was also disconcerting when broken down by the proportion of findings fixed and how long each industry took to fix them. While the information technology, manufacturing and healthcare industries ranked fairly well, the public and financial sectors fared poorly: an area-under-the-curve score of 30.6% and 25%, respectively, with only about a third of findings in either sector fixed within the 12-week cycle, and education lower still at 12.4%.
Holland said this failing of basic cybersecurity could
be because “the public sector is often under-resourced
and understaffed.
“As a result of those challenges, it isn’t surprising to
see the low patching metrics,” he said. “Many financial organizations grow through mergers and acquisitions, and
this results in disparate and complex infrastructures. This
can significantly complicate the ability to assess and remediate the environment in a timely manner.”
Shearer was surprised with the findings on patching but noted that not all vulnerabilities are found in
software.
“It is definitely contrary to what the trend has been,
especially the renaissance we’ve been seeing with exploit
kits as a top delivery vehicle for ransomware and data
and credential-stealing malware,” Shearer said. “I will
say that most, if not all, successful breaches are through
some form of vulnerability—people, process or technology. These findings may bode well for stronger adoption
of patching and vulnerability scanning, but cybersecurity
pros still—maybe more than ever—need to ensure they
account for the human vulnerability factor.”
MICHAEL HELLER is a senior reporter for SearchSecurity. Follow
him on Twitter: @MT_Heller.
Copyright of Information Security is the property of TechTarget, Inc. and its content may not
be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s
express written permission. However, users may print, download, or email articles for
individual use.