I was talking about how I think that accidents are the major cause of breaches. I've talked a bit about how important it is to keep things simple here.
If you're an information security professional, hopefully you are familiar with the Verizon Data Breach Investigations Report (DBIR). You can see their page for the latest report.
One of the interesting things they point out in the report is summarized in this table:
So while the mainstream tech press covers APTs (Advanced Persistent Threats), nation-state attacks, and organized cyber-crime using sophisticated attack methods, we can see that the overwhelming majority of attacks are simple.
To me, two of these numbers really stand out.
First: 96% of attacks were not highly difficult. This means that, while there are some very talented, sophisticated and dangerous attackers out there, the vast majority of attack methods are not complicated. So spending a disproportionate amount of talent, time, strategic planning or money preparing for advanced attacks is possibly not a good use of your resources. Examples of such uncomplicated attack methods:
- password guessing, stealing or brute-forcing
- exploiting insufficient authentication (including sites with no password required)
- keyloggers, backdoors and other simple malware
Next: 97% of breaches were avoidable through simple or intermediate controls. This means that we don't have to have the latest and most expensive tools and controls. Based on the types of attacks observed, simple controls include:
- password policy, testing and enforcement
- using passwords!
- anti-virus (yes, I know this doesn't catch zero-day attacks, but it's very effective on those 5-year-old attacks floating around!)
- education and awareness! (this is a controversial topic, but I'm a big believer)
So let's make sure that our security strategic plans are based around doing the simple things right. If we've got all the processes in place to take care of that, and there's still money and time left over, then go for the more complex.
If you've seen attacks or had breaches, do your findings mirror the DBIR findings? Are you thinking about the simple stuff? What other simple controls and ideas do you have to add?