The Many Faces Of The Verizon Data Breach Investigation Report

For those of us who cover data breaches, the release of the annual Verizon Data Breach Investigations Report is sort of like the motion picture industry's Oscar awards or the annual release of the auto industry's Blue Book -- it doesn't provide all of the answers, but it helps define what the coming year's questions will be.

The Verizon 2013 DBIR went live on Monday night, and it already has generated a ton of discussion and scrutiny. The report, which offers a detailed look at 621 data breaches investigated last year, is set apart from other breach studies because it reports data collected by objective third parties, and not the breached companies themselves.

Less than 48 hours after the report was published, Dark Reading has already posted two news stories on the DBIR. Kelly Jackson Higgins offers an excellent overview of the report, noting the broad range of attacks and victims in this year's report.

Today, Ericka Chickowski posted a piece that offers a look at the DBIR from the insider threat perspective, pointing out that while the frequency of insider-initiated breaches appears to be shrinking, IT and business executives continue to fear data leaks and insider threats more than ever.

In addition, you might enjoy the commentary from Dark Reading blogger and 451 Research analyst Wendy Nather, who points out that the DBIR continues to report that most breaches are discovered by third parties, but falls short on its explanation of why.

I've written about the DBIR every year since Verizon began publishing it more than five years ago, and every year I'm surprised by the new insights it provides on actual data breaches. For example, this year's report shows a marked decrease in the percentage of breaches caused by malware or hacking, and a significant increase in the percentage of breaches caused by social engineering or physical attack.

The study isn't suggesting that hacking and malware -- which still account for the majority of data breaches -- are going away. But it does prove that attackers are both innovative and resourceful, and that they aren't pigeonholing themselves into any one strategy of penetration. If a physical attack on an ATM machine works, then why write complicated malware? It's not about the method -- it's about getting results.

It's this attitude that has led more and more attackers to social engineering, which sometimes is an end in itself, and other times is the first step in a much more sophisticated online attack. Finding a gullible human in a targeted organization is often easier than finding a software vulnerability or an open network port, so attackers are quick to use social engineering as a key part of any exploit. The DBIR reports a radical increase in phishing as a means of attack, and this finding confirms those reported in many other studies this year.

Of course, whether human users can be "patched" or educated to prevent social engineering attacks continues to be a matter of hot debate. Some experts believe that end user education is critical to future online security. Others believe that user education is a waste of time and money that could be more effectively spent on technical controls. It's not clear who's right, and as long as the answer remains elusive, you can be sure that social engineering attacks will continue to be at the heart of any cybercriminal's arsenal.

And as usual, the DBIR data provides a ton of data that may not offer an answer, but helps frame the question. Dark Reading will be doing more coverage of this topic -- and analysis of the DBIR data itself -- in the days ahead.