With the release of the 2013 Verizon Data Breach report, Rapid7’s senior manager of security engineering, Ross Barrett, made the following comments:
“Reading the 2013 Verizon Data Breach report, one thing jumps right off the pages: even with all the hype around APTs and Hacktivists last year, an organisation is still far, far more likely to be breached opportunistically, and the most likely vector will be weak or stolen authentication credentials.
Verizon identifies Malware as the broadest and most recurrent threat category. Therefore the countermeasures are: reducing the attack surface by removing non-essential applications and services from corporate resources, and fast and comprehensive patching efforts.
Verizon reports a jump from 56% to 66% in the proportion of breaches that move into the “months” range before being detected, which is superficially troubling. This might prompt security teams everywhere to feel that they should step up their logging and analysis. However, it does not necessarily mean that the cost of a breach to an organisation is now growing in proportion with the time it takes to detect the breach.
Most data breach attacks are done within a few minutes to hours. The direct cost to the breached organisation will not vary if the breach is then detected the next day, the next week, or even at the end of the year. If a breach can’t be prevented, or at least interrupted, the net time to correction only matters in the rare case where the persistent threat is continuing to leech information or the attacker(s) keep coming back to the watering hole – which arguably could be called distinct breaches.
It should be pointed out that nothing in this report directly relates to the individual. There are no numbers in the report about how many people have their personal banking compromised because they lost their smartphone or were hit by a drive-by malware downloader; however, to some degree we can extrapolate that the root theme of opportunistic attacks is equally affecting the average person as it is the organisations.”