Tuesday, May 6, 2014

Verizon DBIR: The Hackers are Winning

Verizon has released the 2014 version of their Data Breach Investigations Report with predictable results: The hackers are winning. Cyber-Espionage, DDoS attacks, Crimeware, Web app attacks and credit card theft are among the attacks that Verizon summarizes with “92% of the 100,000 Incidents we've analyzed from the last 10 years can be described by just nine basic patterns.”
Originally published on Tripwire's blog "The State of Security"

I still can't get over how many of these problems would be solved by building-in security rather than building insecurity. How much could the collective world have saved if they had just fixed the Open Web Application Security Project (OWASP) Top 10?
What have we learned from a decade of data breach investigations? The hackers are winning.
Let’s buy toys (tools, IDS/IPS/HIDS/NIDS/NAC) because they will protect us from untrained programmers, bad policies and lack of trained InfoSec professionals. The hackers are winning. Have I said that enough? Obviously not, since the point of every data breach or privacy loss report is that the hackers are winning. Do they have new tools? Are they funded by Wall Street and Startup Funds? Are they better trained or just more motivated?
Toys (tools) are nice, but if your people are well trained, and they care about and have a culture of security and privacy they will be better equipped to catch or prevent a data breach. As an example, the $1.6M worth of tools that Target bought that detected the breach when it first happened and then again when the hackers started to upload the 110 million records to their ‘cloud’ servers. These alerts were ignored.
Did anti-spam and anti-virus products protect RSA who suffered an attack that laid bare their source code? What about the South Carolina Department of Revenue? In both instances the hackers job was easy… Sending in phishing emails. For both RSA and SCDOR it was failed policies and procedures that cost RSA $55M and SCDOR $20M.
The problem is we can’t ‘package’ people. People are not scalable and VCs can’t fund them, and we don’t see billions of dollars in marketing telling companies they need a CISO or CSO. The CEOs, CIOs and CTOs see all the marketing hype about the next silver bullet. (How much in VC funding was announced today for ‘the last security product you will ever need’)?
Trade publications buzz around about a lack of available and qualified information security professionals but the reality is some sectors and industries aren’t ready to trust us(information security professionals). Yes, we have seen a 20% increase in salaries for CISOs nationally, and we read stories about a lack of infosec professionals, but the truth is, the adoption rate is still dismal. (The Hackers are winning!)
Why? Maybe because maybe we (infosec pros) have been crying wolf and asking for toys to do our jobs. We have been lazy. We blame the lack of understanding among the CEO and Board of Directors. I suggest that it is because we don’t understand that the business of business is, well, business. We think our job is to eliminate risks, but it is not. Our job is to ENCOURAGE RISK, responsible risk, measured risk, controlled risk.
We are seen by the CIO and CFO as the adversary, or we see the CIO or CFO as the adversary rather than our business partner. We think our superior knowledge, certifications, ribbons medals (and toys) means we know more about how to protect a company then the CEO who will be called to the carpet when the stock price plunges.
I say show the CFO how you can cut spending on information security and he will be eating out of your hands. Help the CIO increase network capacity while making things more secure and stable and he will light a candle for you and invite you to lunch more often.
If we help our organization deal with risks that are easily fixable and we do it without taking down the whole company in the process or wasting money, we will be trusted to swim in the executive pond; we will be invited to the round table. We will be able to positively affect both the bottom line and lower the risk profile of our company.
On one more note: Mentoring: If you are an experienced information security professional, please use your time and experience to help the up and coming new infosec generation. Give of your time, do presentations at your local ISSA, ISACA, PMI or InfraGard chapters. Not only are you helping with the next generation and the people who will report to you later, but this is good experience for you before you do a presentation before the CIO or CFO.
Maybe next year a new story that reports less data breaches won’t be mistaken for an April Fool’s Day joke, and the hackers won’t be winning.

Michael ScheidellAbout the Author: Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached athttp://www.securityprivateers.com .

No comments:

Post a Comment