Here is my traditional “reading the DBIR aloud” post. Read the entire thing, BTW, and not only my favorites below:
- “56% of breaches took months or longer to discover” <- we need to start this on a depressing note, otherwise, how can we be card-carrying security professionals? 🙂
- “Errors were causal events in 21% of breaches” <- perhaps mundane, but it reminds us that in many cases (great example), the attacker does not have to work all that much because somebody left the door open…
- In fact, “… the presence of insiders is most often in the form of errors” (so, nope, still nobody cares … except perhaps this: “healthcare stands out due to the majority of breaches being associated with internal actors.”)
- “At most, six percent of breaches in our data set this year involved exploiting vulnerabilities.” [What did they involve then? Glad you asked! But, hey, you already know the answer – “phishing and stolen credentials”…]
- “Malware delivery method: email – 94%” [Anybody here think email security is solved, eh? Is anything solved in security?]
- “breaches with compromised payment cards [hi PCI DSS!] are becoming increasingly about web servers” [personally, I blame DevOps for this nice bit of depressing backwards security movement :-)]
- In fact, things are more fun on the web: “The web application compromises are no longer attacks against data at rest. Code is being injected to capture customer data as they enter it into web forms.” [So, stop whining about PCI DSS, will you? This scenario has been well-covered by QSAs for years; it’s just that some clients didn’t want to hear it and relied on the “but we don’t store cards” excuse …]
- “It is important to acknowledge that there will always be [vulnerability] findings. The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities; and to be able to defend acceptance of unaddressed findings.” [this is literally the entire art and science of vulnerability management in one pithy line. Kudos to authors!]
There you have it!
P.S. This year the report is again very readable and fun, better than last year’s for sure. Thanks, Alex? 🙂
Past blog posts about DBIR:
Highlights from Verizon DBIR 2018 [BTW, 2018 was the only DBIR I didn’t quite like…]
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.