Bryan Sartin, VP of investigative response for Verizon Business, made it his goal to try to convince insurers that preventing cybersecurity isn’t as complex as it’s perceived to be.
Presenting on Tuesday at the PCI Technology Conference in San Antonio, Sartin said “There are certainly sophisticated threats out there, but I want to poke at the myth of unpredictability and constant change and the perception of hopelessness; I want that perception debunked as just having a lack of information about the threats. Understanding the motives that drive your adversaries and the data you have, it gives you a good starting point for anticipating the types of threats you have, and therefore, the types of security measures you should have. We can do a lot of things to better understand the state of risks out there.”
A data breach investigation report (
Sartin pointed out that the report showed 80 percent of breaches are “opportunistic,” where a door is left open and a threat takes advantage of that; the rest are organized threats.
The data reveals that among the top 20 threats, tampering (32 percent), spyware (malware; 30 percent) and backdoor (27 percent) threats appear most often in incidents, which usually consist of a series of threats; more importantly, the 20th ranked threat, SQLi (hacking) appeared in 4 percent of incidents, and the top 13 have appeared in more than 10 percent of incidents. Sartin explained that this means the threats prevalent enough to consider focusing on actually make up a small portion compared to the dozens and dozens of types of threats that exist.
Breaking out that data, Sartin showed that small organizations have much more problems with spyware than larger organizations, which struggle far more with tampering than their smaller counterparts. This suggests that large organizations have the basic password and protective services in place to prevent hacks.
Nevertheless, the top threat (as opposed to incidents) causing data breaches is brute force hacking. This means that authentication, especially among smaller organizations, is the most susceptible, vulnerable point of entry.
“If you’re placing bets on what needs to be fixed with security, odds are authentication. That’s the way they’re infiltrating our networks, and then they do all sorts of things once they’re in,” Sartin said. “Once they find something that works, they’re going to try to use that for years if we let them. Because what we’re seeing in aggregate is that they’re being successful with similar techniques.”
Indeed, phishing is the most common type of brute force method, Sartin said. “You would think that they would be using some space age technology, but they’re practical, and the more we understand that the better,” he added, explaining that they’re being practical by persisting with phishing methods because, as his next chart showed, the success rate is such that if a hacker sends 10 e-mails, the odds that at least one recipient will click through reaches 90 percent.
