By: Bryan T. Newlin, CPA.CITP, CISA
For most people, turning the calendar to June brings hope of warm weather, long days, cookouts and baseball games. For those in IT security, we add to that list the release of the annual Verizon Data Breach Investigations Report (DBIR). This deTech guy has not found a more comprehensive, readable report on the state of information security and how well (or poorly) our companies are doing as we play defense against the bad guys' offense. Within the free PDF (available here) lies a big, clear scorecard of information security. We encourage you to go grab the DBIR and read it in depth. But since it's officially summertime and you (and we) are probably getting ready for vacation, here are some quoted highlights and recommended controls, which will be far more valuable to you than our own smattering of analysis. The following are all quotes or paraphrases from the DBIR, and we focused on the issues we thought would be most applicable to the deTech readership.
Phishing
The majority of phishing cases feature phishing as a means to install persistent malware. The main perpetrators of phishing attacks are organized crime syndicates and state-affiliated actors.
Recommended controls for phishing: filter email, train employees to recognize and report phishing, segment the network and require strong authentication between user networks and anything of importance, and monitor outbound traffic for suspicious connections.
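The last control above, monitoring outbound traffic, is the one most readers ask how to start on. The block below is an added example, not part of the DBIR or of the original post: it runs two simple checks over a constructed set of proxy log lines (the four-column format, the host names and the 203.0.113.45 address are all made up for illustration). The first check lists destinations that only one internal host ever contacts; the second lists host-to-destination pairs that connect repeatedly at a near-constant interval, which is how malware installed by a phishing email typically calls home.

```python
"""Outbound-connection review over constructed proxy log lines.

Added example, not from the DBIR or the original post. The log format
(ISO timestamp, source host, destination, bytes out) is an assumption;
real proxy or firewall logs need their own parser.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log. Every host name and address here is made up.
SAMPLE_LOG = """\
2016-06-01T09:00:00 ws-017 www.example-news.com 820
2016-06-01T09:00:05 ws-042 www.example-news.com 760
2016-06-01T09:00:10 ws-017 updates.example-vendor.com 1200
2016-06-01T09:00:12 ws-101 www.example-news.com 640
2016-06-01T09:05:00 ws-017 203.0.113.45 310
2016-06-01T09:10:00 ws-017 203.0.113.45 305
2016-06-01T09:15:00 ws-017 203.0.113.45 312
2016-06-01T09:20:00 ws-017 203.0.113.45 308
2016-06-01T09:25:00 ws-017 203.0.113.45 311
2016-06-01T09:30:00 ws-017 203.0.113.45 309
2016-06-01T09:11:00 ws-042 updates.example-vendor.com 1180
2016-06-01T09:12:00 ws-101 updates.example-vendor.com 1210
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def rare_destinations(events, max_hosts=1):
    """Destinations contacted by at most `max_hosts` distinct internal hosts.

    A destination that only one workstation ever talks to is worth a look;
    legitimate services are usually reached by many hosts.
    """
    hosts_by_dst = defaultdict(set)
    for _, src, dst, _ in events:
        hosts_by_dst[dst].add(src)
    return {dst: sorted(hosts)
            for dst, hosts in hosts_by_dst.items()
            if len(hosts) <= max_hosts}


def beacons(events, min_connections=5, max_jitter_seconds=30):
    """(src, dst) pairs with at least `min_connections` connections whose
    inter-connection gaps vary by no more than `max_jitter_seconds`.

    Returns the pair mapped to its average interval in seconds.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(ts)
    findings = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_seconds:
            findings[pair] = round(sum(gaps) / len(gaps))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Rare destinations:", rare_destinations(evts))
    print("Beaconing pairs:", beacons(evts))
```

On the constructed sample, both checks point at the same thing: ws-017 is the only host talking to 203.0.113.45, and it does so every 300 seconds. Neither check proves an infection on its own; they are triage rules that tell you which connections to pull full logs for. On a real network the thresholds (how many hosts make a destination "common", how much jitter still counts as a beacon) need tuning against a week or two of normal traffic.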
Credentials
63% of confirmed data breaches involved weak, default or stolen passwords.
Recommended controls for credentials: raise the bar on passwords, meaning change them and make them stronger. If at all possible, use multi-factor authentication.
Insider and Privilege Misuse
Insider incidents are the hardest (and take the longest) to detect. Of all the incidents [in the DBIR], these insider misuse cases are the most likely to take months or years to discover.
Recommended controls for insider misuse: monitor employees' daily activity, especially those with access to monetizable data and PII. Measure and report on the use of USB drives, and grant user access according to the principle of least privilege.
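The three insider controls above (watch the people with access to sensitive data, measure USB use, enforce least privilege) fit together naturally in one report. The block below is an added example, not part of the DBIR or of the original post. All of its inputs are constructed: the endpoint events, the user-to-group mapping, the role baseline and the user names are assumptions made for illustration, and a real deployment would pull them from an endpoint agent and the directory.

```python
"""USB-usage reporting and least-privilege review over constructed data.

Added example, not from the DBIR or the original post. The event format,
the group names and the role baseline are all assumptions for illustration.
"""
from collections import defaultdict

# Constructed endpoint-agent events: (user, ISO timestamp, action, detail).
# For usb_copy events the detail field is the number of bytes written.
USB_EVENTS = [
    ("alice", "2016-06-01T08:12:00", "usb_mount", "SanDisk 16GB"),
    ("alice", "2016-06-01T08:15:00", "usb_copy", "4200000"),
    ("bob",   "2016-06-01T09:40:00", "usb_mount", "Kingston 8GB"),
    ("bob",   "2016-06-01T09:41:00", "usb_copy", "180000"),
    ("carol", "2016-06-02T17:55:00", "usb_mount", "Generic 64GB"),
    ("carol", "2016-06-02T17:58:00", "usb_copy", "950000000"),
    ("carol", "2016-06-02T18:03:00", "usb_copy", "1200000000"),
]

# Constructed directory data: the groups each user actually holds.
USER_GROUPS = {
    "alice": {"staff", "finance-readers"},
    "bob": {"staff"},
    "carol": {"staff", "hr-pii", "hr-pii-export", "domain-admins"},
}

# Assumed least-privilege baseline: the most each role should hold.
ROLE_BASELINE = {
    "accountant": {"staff", "finance-readers"},
    "helpdesk": {"staff"},
    "hr-analyst": {"staff", "hr-pii"},
}
USER_ROLES = {"alice": "accountant", "bob": "helpdesk", "carol": "hr-analyst"}

# Groups whose members can reach PII or other monetizable data (assumed).
SENSITIVE_GROUPS = {"hr-pii", "hr-pii-export", "finance-readers"}


def usb_report(events):
    """Per-user count of USB mounts and total bytes copied to removable media."""
    report = defaultdict(lambda: {"mounts": 0, "bytes_copied": 0})
    for user, _, action, detail in events:
        if action == "usb_mount":
            report[user]["mounts"] += 1
        elif action == "usb_copy":
            report[user]["bytes_copied"] += int(detail)
    return dict(report)


def excess_privileges(user_groups, user_roles, baseline):
    """Groups each user holds beyond the baseline for their role.

    Users whose groups fit within their role's baseline are omitted.
    """
    excess = {}
    for user, groups in user_groups.items():
        extra = groups - baseline[user_roles[user]]
        if extra:
            excess[user] = sorted(extra)
    return excess


def flag_users(events, user_groups, byte_threshold=100_000_000):
    """Users who can reach sensitive data and copied more than
    `byte_threshold` bytes to USB in the reporting window."""
    report = usb_report(events)
    flagged = []
    for user, stats in report.items():
        has_sensitive = bool(user_groups.get(user, set()) & SENSITIVE_GROUPS)
        if has_sensitive and stats["bytes_copied"] > byte_threshold:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("USB usage:", usb_report(USB_EVENTS))
    print("Excess privileges:", excess_privileges(USER_GROUPS, USER_ROLES, ROLE_BASELINE))
    print("Users to review:", flag_users(USB_EVENTS, USER_GROUPS))
```

On the constructed data, carol shows up in both reports: she holds two groups beyond her role's baseline (one of them domain-admins) and copied roughly 2 GB to a USB stick after hours. That combination, a privilege that was never revoked plus an unusual volume of data leaving on removable media, is the kind of thing the DBIR says takes months to notice when nobody is looking at the numbers. The byte threshold is a starting point, not a standard; set it from what your own users normally copy.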
Miscellaneous Errors
People make mistakes. Non-malicious errors, such as sending sensitive information unencrypted or to the wrong recipient, are increasing.
Recommended controls for miscellaneous errors: keep a record of the common errors that have occurred, and train from that list. Document and follow data disposal procedures.
Physical Theft and Loss
In this year's DBIR data, an asset is lost over 100 times more frequently than it is stolen.
Recommended controls for physical theft and loss: full disk encryption on mobile devices and removable media; as usual, train employees and try to build a culture of security and awareness; and minimize the use of paper.
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.