Pratum Blog

As we continue to work through the 2013 Data Breach Investigation Report, I’ve realized that the more things change, the more they stay the same. End user devices were involved in 71% of the reported breaches. This is a significant jump over the last report but not really a new statistic altogether.

Here’s the sad truth. We continue to value usability over security. We always have and likely always will. The ability to access data when, where and how we want is trumping our desire to protect the confidentiality, integrity and availability of the data. Every information security professional wrestles with how to balance the risks of data access in an increasingly mobile workforce.

20 years ago we struggled with viruses and other information security threats on the desktop as we moved to a decentralized computing environment. We obviously didn’t learn our lessons very well, because we are dealing with the same issues on smartphones and tablets. A lack of security controls on these devices is allowing them to be compromised and used either to access data directly or to further compromise the systems they are connected to.

The lesson is this. Mobile computing isn’t going anywhere. We have to develop a strategy to secure it that doesn’t rely on the devices staying the same. They won’t. We must build security into the strategy of our mobile lives. The bad guys know we’ve failed thus far and will continue to exploit our failures for as long as we’ll let them.

Point #2 in my continuing discussion on the 2013 Data Breach Investigation Report is around physical security. Over the past 18 months, we have been counseling our clients to take a renewed interest in physical security. As systems have been given increased security over the years, they are becoming harder for the everyday criminal to hack. This inevitably pushes the theft of computing resources and data back into the physical world. The 2013 report shows this very thing has happened.

It is also interesting to note that the vast majority of attacks in the report were opportunistic and involved end user devices. Leaving unencrypted laptops or smartphones on the front seat of an unlocked car provides a lot of opportunity.

Ensuring that we have physical controls in place to secure systems and data is commonly overlooked by information security professionals. We don’t want to get involved in the perils of facility security or personal protection, and so we ignore physical security altogether. In order to stop crime that affects our cyber assets, we have to address our physical world as well.

As I read the Data Breach Investigation Report (http://www.verizonenterprise.com/DBIR/2013/), compiled from 2012 data points, there are interesting bits of information I want to share. I’ll spend the next several posts detailing some of the highlights.

There was a sharp rise in attacks against manufacturing, transportation and utility organizations in 2012. Coupled with a decline in attacks seeking financial gain in the form of immediate cash, what does this tell us? Well, it says that while cash is still king, other reasons for hacking do indeed exist.

Some of these attacks were designed to cripple infrastructure and cause social disorder. Others were military or government sponsored attacks. Others were corporate espionage. While you could argue each of these is ultimately related to finance, the direct target of the attack was not a financial account.

If you are responsible for protecting critical infrastructure, it is important to know what you are trying to protect. Is it a financial account, intellectual property, a utility grid? Attacks will vary based on the intended target. Controls to protect your bank accounts may be different from those protecting a sewer pump station. A proper risk assessment will help prioritize where and how to distribute your resources to protect the systems and data most at risk.
