Exclusive: Public Sector Tops Verizon DBIR Target List


Verizon is out with its latest Data Breach Investigations Report (DBIR). The annual report provides one of the most comprehensive breakdowns of data breaches and the impact on both the public and private sector.

As with previous years, the report looks at individual sectors of the economy and how they are targeted for cyber crime. The top three sectors impacted by breaches this year are public sector, technology, and financial services.

One new change to the report this year, according to Stephen Brannon, Principal — Verizon Cyber Intelligence Center, Verizon Enterprise Solutions, is that researchers are working to quantify the impact of breaches and not just the number of compromises. CivSource spoke with Brannon about the report and what public sector professionals can take away from it.

“We’ve partnered with AIG, which has a new cyber insurance product to look at the potential impact of these attacks. Going forward this could be a valuable data set for public and private sector,” Brannon says.

According to the report, the cost per record goes down as the number of records included in the breach goes up. Additionally, the vast majority of these attacks (70%) use a combination of methods in the attach from phishing to old fashioned social engineering.

Another troubling area singled out in this year’s report is that many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 – a gap of almost eight years.

“Organizations need to realize that in addition to things like threat intelligence sharing, getting caught up on patching is still a viable and necessary tool to enhance security,” Brannon adds.

Another factor impacting patches is that often, organizations are unaware a breach has taken place whether the type of attack is old or new. Verizon researchers call this the “detection deficit” – the time that elapses between a breach occurring until it’s discovered. In 60 percent of breaches, attackers are able to compromise an organization within minutes.

Figure 24 -- Incident Classification Patterns

Brannon explains that vigilance is key. “The gap between attack and detection is starting to shrink, but it’s too early to tell whether that’s a solid trend. Organizations can get on top of these issues through a combination of training, updating patches, and close monitoring but that requires resources. The public sector will have to work through that issue alongside security.”

For state and local governments considering Bring Your Own Device (BYOD) plans, some data in the report may provide solace about the security concerns. For the first time, the report includes a section on mobile security. The report indicates that, in general, mobile threats are overblown. In addition, overall, the number of exploited security vulnerabilities across all mobile platforms is negligible.

“The core issue with mobile is loss or theft of the device itself, at that point it’s less about malware because an adversary can be in possession of the physical device,” Brannon says.

In all, the report is more or less a follow up to well known trends within cybersecurity. For public sector specifically, Brannon notes that educating individual employees is important as well as watching out for miscellaneous errors. “Miscellaneous errors can be the hardest thing for organizations like governments that deal with high volumes of sensitive data. All it takes is one system administrator to accidentally make something available on the public server that should only be on the private server and you have a breach. Being vigilant isn’t only about information officers and software, individuals have to stay on top of how they conduct regular activities and make sure they are following the rules.”