Every now and then you read about analysis of a security incident, a new attack campaign or trend, and you start wondering whether this is something that is really prevalent. And if yes, what can you do about it, avoid it or be more prepared?
Some of the warnings or conclusions from specific threat reports tend to go a little bit overboard, and at the end of the day (or night, depending on your time zone) the readers do not have enough information to assess their organization’s capabilities to deal with the type of threat in question. Check out these blog-posts if you have the time : The Internet Security Marketing: Buyer Beware and The Failure of the Security Industry.
So, where can one get lessons-learned from data breach incidents? Many of the National CERTs produce incident statistics annually. There are also many “in-depth” reports on specific incidents. However, as mentioned earlier, they may not be able to present the bigger picture. So if you have say 40-45 minutes to spare, I highly recommend that you take a look at the Verizon’s Breach Investigation Report 2015 (VBIR2015) .
Without giving too much away (spoiler alert!) here is why I always look forward to reading the VBIR:
- The lessons learned are based on actual security breaches and related security incidents. So this year’s report was based on more than 2,000 confirmed data breach incidents and 70,000 security incidents in 2014. Comparisons were also made with data acquired from the previous reports. Most importantly, all of those data were contributed by 70 participating organizations, representing 61 countries . Now this is massive! Getting entities to share data and especially information related to breaches, is never easy. Kudos to everyone involved for making a difference.
- With that kind of data you can then do different types of analysis that answer a lot of burning questions and help people think about strategies for reducing risks. There are some discussions about trends like IoTs or mobile devices (should we care?), threat intel sharing (should we get more intel?), prioritizing defense (crimeware vs spies vs insider abuse), education (do people still click on attachments?), critical security controls (quick wins?) and so on.
- You’ll get a list of major security breach incidents in 2014 (jump to Appendix A right away). There might be some that had escaped your radar! I was really keen to find out if there were incidents in the AP region that did not know about.
- The report is not only informative, but also a fun read! And I think this will help you to remember the key points and use them in your conversation with other members in the organization.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.