Verizon is the Agatha Christie of cyber thrillers. Verizon’s 2017 Data Breach Digest is not only a good read because the short stories are interesting and call for a hot chocolate and cookies, but also useful to anyone within the field of cyber security or on a Board of Directors.
Verizon is the largest US telecommunications provider, with a large network infrastructure in more than 82 countries and contributing partners such as law enforcement agencies. The 100-page Data Breach Digest [here] is the companion publication to Verizon’s 85-page annual Data Breach Investigations Report [here]. The two are among the most anticipated publications in the field, not only for their fine sense of humour and thrilling suspense but mainly for their integrity, scientific approach, and deep insights.
The Breach Digest
The Digest complements the report by grouping the breach incident patterns into two categories: Most Common and Most Lethal.
It then goes on to describe real-life scenarios in a digestible form. The aim is to give companies an idea of how to handle their own data breach incidents, because knowing which patterns affect certain industries more often helps companies allocate cybersecurity resources adequately.
Each scenario is based on the data breaches that Verizon’s risk team had to deal with and is told from the viewpoint of each different stakeholder. That way, the readers can see the critical decision points and actions taken by the stakeholder. Each case finishes with a summary of lessons learned and recommendations made.
The real names and locations, as well as crucial details regarding stolen records and financial losses, were altered to protect the victims. As anonymous as the stories are, every reader can find a story or a stakeholder to empathize with. The readers will find advice on how to prevent, identify and mitigate data breach incidents, and also to improve their cybersecurity strategy.
The most important takeaway from the digest is that the wealth of cybersecurity incidents can safely be divided into common types. This means that the majority of attacks are not unique, and the majority of victims have a pool of data to draw from when they need advice.
“There are recurring combinations of actors, actions, assets and attributes.”
Over 90% of data breaches fall into one of nine patterns:
- Employee error & privilege abuse – employees accessing data in a malicious manner.
- Cyber-espionage – attacks from external spies.
- Web app attacks – stealing credentials, exploiting vulnerabilities.
- Crimeware – financially motivated, mostly opportunistic malware incidents.
- Point-of-Sale intrusions – credit card data breaches.
- DDoS attacks – external denial-of-service attacks against the network.
- Payment card skimmers – tampering with ATMs.
- Miscellaneous errors – an error causing data loss.
The digest then groups the patterns into clusters of data breach scenarios, which are specific examples of how a given pattern plays out in real-world environments:
- The human element – scenarios centered on targeted victims or malicious insiders.
- Conduit devices – device misuse and tampering.
- Configuration exploitation – re- or misconfigured settings.
- Malicious software – attacks involving sophisticated or off-the-shelf illicit software.
Each scenario falls under the “prevalent” or the “lethal” category. Prevalent cases are those that occur most frequently; lethal cases are not as frequent, but are the most destructive.
For example, the mobile assault case – the Secret Squirrel – is classified as lethal and sees a CSO traveling with a laptop and a smartphone. During the trip, the CSO left his devices in a hotel room on one occasion and, on another occasion, used a public Wi-Fi network to call home via a mobile VoIP application to avoid roaming costs. Upon return, the CSO notices odd behavior, and an endpoint forensics examiner is asked to review both devices to determine whether the odd behavior is serious enough to call for an investigation.
Both the laptop and the smartphone returned numerous positives for opportunistic malware. The VoIP app was known to be vulnerable to code injection, and its logs showed that the injection took place while the device was connected to the public Wi-Fi. The laptop was infected by a drive-by injection from an ad on a web page, which is even more opportunistic and would have affected the device even if it had not been used during the trip. Since the incident was quickly identified, no corporate data was compromised, but the potential lethality of the incident urged the company to re-assess its traveler-related cybersecurity. The digest’s recommendations for this scenario:
- Provide traveling employees with separate travel devices.
- Limit access to corporate networks from these devices to provide access to data needed during travel only.
- Keep known baselines of the devices for future forensic review.
- Wipe and rebuild the travel devices upon employee’s return.
- Task employees to note the times and locations they use the device, as well as the accounts and connections.
- Train employees on proper data protection and device handling.
- Provide employees with country-specific legal information before travel.
- Do not give employees admin access to the travel devices. If admin access is necessary, enact a restrictive policy or ban installation of non-approved third-party apps.
In reference to data security on BYOD devices, Verizon’s digest stresses the importance of having a clear BYOD policy that establishes the “business’ authority to seize or even wipe a personal device.” Sometimes, companies choose to selectively wipe corporate data and leave personal data in place. One of the areas that is overlooked on BYOD is data backup.
Some devices have automatic data backups scheduled to run nightly to a cloud service (iCloud, Google Drive, Dropbox, OneDrive, etc.). If corporate data is part of the backup, the company loses control over its digital assets: even if the employee’s personal device is wiped, he or she only needs to log in to the cloud service to access or download the backed-up data.
Companies are overlooking the seriousness of this issue and failing to understand that the majority of cloud applications do NOT encrypt customer data either in transit or at rest. By deploying end-to-end encryption for your company’s data stored in the cloud, all files, chats, teleconferencing, calendars and other confidential information is securely protected in an environment such as the FortKnoxster platform.
Each scenario does a great job of summing up the lessons, and the digest’s final words sum up the most important takeaways:
- Keep the forensic evidence; consider consequences of each action.
- Be flexible and adaptive.
- Have consistent communication methods.
- Know your limitations and collaborate with stakeholders.
- Document everything and be prepared to explain your actions and findings.
Roundup of tips from Verizon’s Data Breach Digest:
- Know your threat actors and learn to recognize their methods, tools, and capabilities.
- Know your employees and educate them on threat tactics and techniques.
- Train your stakeholders to act as a team when a breach occurs.
- Know your devices, monitor/log activities.
- Patch your devices and software.
- Know your systems and deploy proper configurations, review code and patch often.
- Regularly scan your systems and applications for security incidents.
- Segment, configure and know your network.
- Monitor file integrity, keep your antivirus updated.
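Two of the tips above, “keep known baselines for future forensic review” (from the Secret Squirrel recommendations) and “monitor file integrity”, amount to the same mechanism: record a cryptographic hash of every file on a device before it leaves, then diff a fresh snapshot against that record when it returns. The script below is an added example written for this post, not code from Verizon’s digest or from FortKnoxster; the directory layout, file names and the “post-trip” changes in `demo()` are constructed for the demonstration, and it uses only the Python standard library.

```python
"""Build and compare a file-integrity baseline for a directory tree.

Added example (not from Verizon's digest or the FortKnoxster post): shows the
"keep a known baseline" and "monitor file integrity" advice in working code.
All paths, file names and contents in demo() are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its SHA-256 digest and size.

    Symlinks are skipped so a link pointing outside the tree cannot be hashed
    in place of the file the baseline is meant to cover.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as sorted JSON; store it off the device it describes."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in set(baseline) & set(current)
        if baseline[f]["sha256"] != current[f]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a travel laptop profile, then re-check it after the trip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "travel-laptop"
        (root / "app").mkdir(parents=True)
        (root / "app" / "voip.cfg").write_text("server=voip.example\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "baseline.json"   # in practice kept off the device
        save_baseline(build_baseline(root), baseline_file)

        # Simulated post-trip state: a config altered, an unexpected binary
        # dropped next to the app, and a system file removed.
        (root / "app" / "voip.cfg").write_text("server=voip.example\nproxy=203.0.113.7\n")
        (root / "app" / "updater.bin").write_bytes(b"\x7fELF-placeholder")
        (root / "hosts").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three buckets the report produces (added, removed, modified) are exactly what an examiner wants as a starting point: `added` files are candidates for malware triage, `modified` files show where a configuration was tampered with, and `removed` files show what an attacker cleaned up. The baseline itself must be stored somewhere the device cannot alter it, otherwise malware that gains admin rights can simply rewrite the JSON to match, which is also why the recommendation to withhold admin access on travel devices pairs with this one.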
Always encrypt and secure your data and communications with end-to-end military-grade encryption just like FortKnoxster!
Please also join our Telegram group and visit our Facebook page and Twitter page for more inspiration.