Shostack + Friends Blog Archive


A Curmudgeon is a Little Confused by the 2009 DBIR

I’ve given Vz’s DBIR a quick perusal.  The data are interesting indeed and the recommendations are obvious.  There is little new here in the way of recommendations – I guess nobody is listening or the controls are ineffective (or a bit of both).

Regardless, I have a few items that confuse and irritate me a bit:

1)  While only 17% of attacks were considered ‘highly difficult’, they account for 95% of the records breached.  Would the recommendations have fixed this issue?  I can’t imagine, since the recommendations seem more focused on what I would consider fixes for simple attacks.  It does appear that fixing SQL injection issues is the obvious first step.  How long have we as a profession been talking about that one?  Someone has failed and it is us.

2)  What is meant by ‘breach’?  The report talks about ‘breaches’ and then mentions that records are also breached.  What is a ‘breach’?  A few definitions would be helpful for simple-minded folk like myself. % of caseload also seems to be an important metric. Are we worried about being penetrated, the amount of cases that Vz has to work, costs incurred by the involved parties or are we worried about actual data theft/destruction? Certainly all, but some should be a higher priority than others and some are more relevant than others.  There appears to be a bit of comparing apples to oranges in this report and more clarity on the terms we’re talking about would be welcomed.

3) “The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization. If obvious weaknesses are left exposed, chances are the attacker will exploit them. It is much less likely that they will expend the time and effort if none are readily apparent.” – This important statement isn’t supported by the data. See my point #1 above.  I like to think that attackers are lazy; looking for the easy way in, but it appears that attackers will expend the time and effort necessary. It is their job afterall and it appears that there are at least a few out there that are professionals. The data that support this is the fact that 95% of the records breached occurred via ‘highly difficult’ attacks.  Perhaps ‘highly difficult’ attacks require little time and effort?  Do the recommendations around basic controls actually make a difference if 95% of breaches are ‘highly difficult’?  Maybe basic controls are ‘highly difficult’ to bypass; I’m just not sure.  Can script kiddies now execute ‘highly difficult’ attacks now?

4) Where are the losses?  The data are confusing to me because they state that 31% of breaches occurred in Retail and 30% in Financial Services.  However, Financial Services accounted for 93% of records compromised.  To my point #2 above – what the hell do we mean by breach?  Was there data loss?  What was the actual cost involved with the 285MM records compromised?  Did people/companies have to pay for Vz services, data recovery, new cards being issued, identity theft clean-up, etc?  SHOW ME THE $$!  What are the real $$ losses here?  A breach of data may be necessary for $$ losses, but it isn’t sufficient.

5) Finally, just to be a total jerk about it – I love figure 3.  Let’s thrown in a gratuitous graph that has no meaning and tells us nothing. I guess we may, someday, find a correlation between number of employees and insider initiated events.

I guess you could summarize my confusion and bitterness up in a couple items.  First, it doesn’t appear that we’re clear on our terms which leads to overloading and a bit of confusion.  We’re grabbing loads of data and then trying to figure out how to make a cool report with them.  Second, we should be trying to express losses in terms of the monies expended.  Otherwise things look crazy with big numbers that lack context being thrown about.  With all the hundreds of millions of records compromised each year hasn’t everyone been compromised already and we’ve lost the game?

A close friend pointed out that Peter Tippett, VP of Research and Intelligence for Verizon Business Security Solutions, described this report as “a wake-up call.” Really? As opposed to all the other reports that demonstrate how messed up the situation is? If we really wanted to wake up from this we would have awakened long ago rather than continuing to be Rip-Van-Insecure-Winkle. Sleep on, brothers and sisters, sleep on….it’s only a few hundred million records that we can’t seem to figure out the $$ value of.

2 comments on "A Curmudgeon is a Little Confused by the 2009 DBIR"

Comments are closed.