Blog post

Highlights from Verizon DBIR 2019

By Anton Chuvakin | May 10, 2019 | 5 Comments

Here is my traditional “reading the DBIR aloud” post. Read the entire thing, BTW, and not only my favorites below:

  • 56% of breaches took months or longer to discover” <- we need to start this on a depressing note, otherwise, how can we be card-carrying security professionals? 🙂
  • “Errors were causal events in 21% of breaches” <- perhaps mundane, but it reminds us that in many cases (great example), the attacker does not have to work all that much because somebody left the door open…
  • In fact, “… the presence of insiders is most often in the form of errors” (so, nope, still nobody cares … except perhaps this: “healthcare stands out due to the majority of breaches being associated with internal actors.”)
  • “At most, six percent of breaches in our data set this year involved exploiting vulnerabilities.” [What did they involve then? Glad you asked! But, hey, you already know the answer – “phishing and stolen credentials”…]
  • ”Malware delivery method: email – 94%” [Anybody here thinks email security is solved, eh? Is anything solved in security?]
  • “breaches with compromised payment cards [hi PCI DSS!] are becoming increasingly about web servers” [personally, I blame DevOps for this nice bit of depressing backwards security movement :-)]
  • In fact, things are more fun on the web: “The web application compromises are no longer attacks against data at rest. Code is being injected to capture customer data as they enter it into web forms.” [So, stop whining about PCI DSS, will you? This scenario has been well-covered by QSAs for years, its just that some clients didn’t want to hear it and relied on “but we don’t store cards” excuse …]
  • “It is important to acknowledge that there will always be [vulnerability] findings. The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities; and to be able to defend acceptance of unaddressed findings.” [this is literally the entire art and science of vulnerability management in one pithy line. Kudos to authors!]

There you have it!

P.S. This year the report is again very readable and fun, better than last year’s for sure.Thanks Alex? 🙂

Past blog posts about DBIR:

Comments are closed


  • Fortune Barnard says:

    Thanks Anton. May I add the interesting one for me… 34% of attacks involved internal actors.

  • Karthik Krishnan says:

    By no one cares about insiders, are you saying it is not “malicious insiders” but “accidental insiders”?
    Because 34% is a large number

  • Amazing that 94% of malware is delivered via email, but roughly 1% of the security market $ is focused on email security? Mis-allocation?