Phishing license: training and awareness

by Wesley Hamrick
Analyst, Enterprise
Verizon Enterprise Solutions

The Verizon Data Breach Investigations Report (DBIR) has consistently shown that the number one threat to companies is malicious code injected via successful phishing attacks.  It’s number one in 2016.  It was number one in 2015.  It was number one in 2014.  And so on, and so on.  So if a company were to target one vector and one solution to fix above all others, it would be phishing.

Easier said than done.

Successful phishing attacks exploit vulnerabilities and weaknesses in hardware, software, people and processes.  At the outset, they use data acquired through other means to engage in social engineering attacks against authorized users.  They use “legitimate” channels of communication – email, text, etc. – to further their objectives.  They can use stolen or compromised accounts or credentials, spoofed or faked email addresses, or other indications of validity to trick users into clicking on or otherwise taking action in response to the communication.

The fraudsters lie, cheat, steal, cajole, and hack to get in and to get the user to click a link, go to a website, install software, provide information or otherwise respond.  These attacks can be as simple as installing clickbait, or as targeted and sophisticated as spear phishing (email that appears to come from someone you know) or whale phishing (emails targeted at company executives). Just as the attacks are layered and sophisticated, the defenses need to be as well.

Many phishing defenses rely on technology.  They block email from known spammers or known “bad” email addresses.  They filter, block and quarantine communications from suspicious sites, or which contain suspicious content or links.  E-mail links are disabled by default, executables are not supposed to run on the clean system, and known bad IP addresses are not supposed to be resolved.

But much of that is in theory.  You see, phishing attacks are dynamic and ever-changing.  The goal of the phisher is to get in without being noticed.  The phisher takes into account these known technology defenses.  Phishing mail will originate from a trusted IP address and email account, with a compelling subject line, and the link will not self-execute.  The malware will approximate “normal” behavior to avoid detection.  The IP address may be spoofed, proxied or from an anonymous source.

At heart, phishing is a human problem exacerbated by and potentially solved by humans.  Humans presented with phishing attacks often are easily deceived.  And the phishing attacks come back, and in greater numbers.  The problem is that the users who are the primary vehicle for phishing are poorly trained.  By that, I mean that we “check the box” that the user sat through a 15 to 50 minute slide show or video extolling the harms of phishing, and then answered a few random multiple choice questions about the problem.  Even when effective, such training has a shelf-life of maybe a few weeks.

Anti-phishing awareness is best when coupled with a bit of “light touch” testing.  A corporate-sponsored phishing attempt can redirect those who click links back to the training program as a refresher.  If it is not reinforced, it won’t be remembered.

Like everything else in security, it’s a matter of people, processes, technology, and policy.  But don’t forget the people because if you forget to teach the people security, they will forget to secure the network.

The Spirit and Intent of the DBIR

Author: Marc Spitler

May 12, 2016

After publishing the Data Breach Investigations Report for the ninth time, we have been on the business end of some sharp criticism for some data in the Vulnerability section. Specifically, a reference to the exploitation rates of vulnerabilities, which included a footnote with specific CVEs. This post is not an assault on any of the people in the information security community who called this out; the fact is that valid points were raised and there is a lot that we agree on.

Using the CVEs listed in the footnote as the basis for decision making is not the key to success in vulnerability management, and this was not the intended focus of the section. The issues with the underlying data that the list was derived from were acknowledged by the data contributor in several blog posts.  Relying on any Top X list of vulnerabilities is not recommended for any organization.

We felt (admittedly incorrectly) that relegating them this year to a footnote would direct the focus to the other points we wanted to make in this section. We are not discounting the criticism and, in hindsight, should have made our intended focus for the section more clear.

The intended focus of the section, as in the prior year, was to get readers thinking about vulnerabilities and patch management in a different way – to discourage merely playing vuln whack-a-mole and establish a more thought-out approach.

Our security incident and data breach data does not have a lot of CVE-level information in it, so we look to non-incident data to attempt to supplement and support the incident and breach data that is the core of the report. Addressing the specific CVE issue first, one of the main goals of the report is to highlight use of data to make your own decisions and the best data for an organization is going to be their own.

If you need to know what vulnerabilities are likely to affect your organization, don’t use the footnote; use your own vulnerability scan data and analyze those findings in the context of your organization. Prioritize findings with active exploits or proof-of-concept code available. Figure 10 shows, at a high level, that some types of vulnerabilities are typically exploited more quickly than others. Again, this is a start; no patch management philosophy should be ultra-focused on a single figure or study.

The desired takeaways from the section were designed to improve patching processes by providing data that:

  1.  Offers high-level estimates on how quickly to patch new vulnerabilities
  2.  Ensures older vulnerabilities are not ignored
  3.  Promotes acceptance that some vulnerabilities will likely never be patched and to not assume eventual 100% patch implementation as part of your organization’s security strategy.

Bottom line: We don’t want this section to lead readers down an incorrect and/or myopic path any more than our harshest critics do. When we reviewed this section we already had the goals in our minds and should have done better to look at it from the standpoint of a reader. This was made apparent by some of the readers and we appreciate your views. Seriously.

I also want to write about the reason that we started this publication in the first place. In 2008, there was a glaring need to arm the public with a study on what was actually happening in the real world. We realized that we had this data available to us in the form of case reports from our Investigative Response team (now RISK Team). Our goal then, as it remains today, was to provide readers information on the actors, their tactics or actions and what assets are targeted and affected. We strive to remain vendor-neutral, not shill our services within the report, be transparent with our methodologies and acknowledge bias.

The 2015 DBIR featured a large section on studies of non-incident/breach data outside of the typical data that underpinned the prior seven publications. This year we put the emphasis back on the incident corpus and the Incident Classification Patterns and hope that the criticism of one section, which is independent of the rest of the report, does not prevent the readership from starting discussions on what we hope will get the most of the attention moving forward.

These include:

  • Static, single-factor authentication was a component of almost two-thirds of the confirmed data breaches. Whether credentials were the data variety compromised, or legitimate credentials were used (either via prior theft or brute force), our data continues to show that actors are going after credentials to advance their attacks, and stronger authentication needs to be more prevalent. Not that it or any other control will solve all of our problems, but it would disrupt a common attack method.
  • Phishing continues to trend upwards as well. 41% of breaches involved phishing as a threat action leveraged by remote attackers.
  • The combination of Phishing, leading to dropping of malware in the form of a backdoor and/or C2, leading to capture and reuse of credentials is one that we find used across several patterns, and in data breaches that are highly targeted, as well as opportunistic. This provides a foothold onto a desktop/laptop. A major issue is that we are not doing enough to make the attackers invest time and effort once the initial access is gained.

Lastly, I want to reiterate that one of the main overarching goals of the report is to encourage organizations to use their own data to make security decisions. The data that underpins the report is a sample, with all associated biases along for the ride. We do, however, believe that the DBIR is the best representation (thanks to the diversification of incident data achieved by partnering with numerous organizations) of what is occurring in the real world. That being said, we really want people to try this at home. Having an understanding of which incident patterns are more closely associated with your industry is good. Collecting your own security incident data and incorporating your own analysis as part of your security decision-making process is even better.

Security maintenance: more valuable than gold

Author:  Joan Ross, Managing Principal, Cybersecurity
May 10, 2016

Verizon’s recent annual Data Breach Investigations Report validates what has been a documented and disturbing reality – the lack of methodical security maintenance activities over operations and data leads to the majority of security breaches.  The empirical evidence proves this out, but after so many years of security practice, why are professionals still struggling?

Kurt Vonnegut’s quote “everyone wants to build and no one wants to do maintenance” partially explains it. Maintenance is not as valued by organizations that are intent on new or more profitable lines of business; it’s not as exciting as the leader painting grand new visions.  And yet, as those visions are compromised, the leader has turned his or her attention toward something new, requiring others to mend the security flaws and reinforce the system to operate reliably. CISOs are the pragmatic technologists in an organization, aware that with every change, update and new code release, no business fulfillment vision is complete if it’s not continually secured. Meanwhile, the resources devoted to the implementation have often moved on without ongoing maintenance consideration.

Security requirements and design are essential as part of any business strategy.  To forgo these activities predictably leads to weaknesses and vulnerabilities that are harder to rectify once a system is built and operational.  Is your CISO part of your engineering design team?  Is a security engineer assigned ongoing activities for maintenance? If not, weaknesses will form and be found by others. It’s predictable and inevitable.

Gary Klein has produced notable research into adaptive decisions and incident response that explains the seeming lack of commitment to maintenance.  Even with multiple safety features engineered to prevent disasters, time and use will often wear these protections down.  Humans are enamored with the rush to perform under adversity and become heroes, but in fact, the heroes he documents undergo rigorous maintenance and testing activities beforehand as a normal course.  This focus and practice is what security professionals have to emulate to be successful in preventing data breaches. It’s time to make security maintenance, as ephemeral as it may seem, part of any ROI equation.

Briefing the Board: Directing Security Evolvement

Author: Joan Ross, Managing Principal, Cybersecurity
April 28, 2016

If an organization’s Chief Information Security Officer or CISO is not regularly updating the Board of Directors (BoD), there is an inherent disconnect in the security viability of the organization.  The ideal CISO reporting structure would include a dotted line to the BoD; those who act on the behalf of the best interests of shareholders and stakeholders in validating a well-managed company.

A CISO’s agenda for the BoD begins with three primary areas:

  1. What we know and have tested recently regarding security controls.
  2. What we don’t know or haven’t effectively evaluated at this time.
  3. Priorities for risk, budget, and evolving strategy based on a combination of #1, #2, current and planned business model, and current threat intelligence for your industry.

Every year around this time, Verizon publishes the Data Breach Investigations Report (DBIR) and provides this threat intelligence to the global community at no cost.  This intelligence is heavily leveraged for the empirical research and investigation it provides, including trends in the common attack patterns.  Every security organization has it available to them to utilize as the basis for their BoD presentations.

The just-released DBIR is again highly anticipated.  CISOs convey that the most important graphic for them to begin their BoD presentation is the DBIR Incident Classification Patterns and percentages for their industry.  Annual budgets and periodic new budget needs rely on the attack trends to justify requests.  While many security professionals may be aware of the proliferation of these patterns and methods, rarely is the BoD.  Today’s CISO educates their BoD as part of every briefing opportunity on how the organization remains potentially vulnerable.

The BoD is responsible for understanding the routine occurrence of many of these data breaches and asking their organization the tough questions on risk reduction to prevent, detect, defend against and mitigate these vulnerabilities.  Verizon’s Data Breach Digest is our other report that illustrates twelve of the most common recurring attacks and methods, and six of the emerging, more sophisticated attack types to guard against.

With the publication of these reports and truly brief reads that are easy to understand, there is no excuse for top leadership or BoD not to be aware of the risk, commonality and methods of today’s security breaches against their organization’s intellectual property, employees, and coveted sensitive data.  The measurement of a well-managed company is evolving to where these attacks are prevented with BoD support.


Phishing for W-2 Data – The Business Email Compromise (BEC)

Over the past several months, there has been a sharp increase in the number of breach incidents reported where phishing has been used to gain access to employee W-2 data.  It has become so prevalent that the IRS issued a bulletin warning about the problem.  This incident type is one example of the Business Email Compromise (BEC), and such compromises are on the rise.

These incidents follow a common theme: an email is sent to a selected individual who should have access to W-2 information on the company’s employees; they may have been identified by their social profile on a job website such as LinkedIn.  The email is crafted to look like it came from someone high in the company, frequently the CEO, CFO or other C-level member.  The emails have frequently contained these phrases (although criminals will adapt their message as word spreads):

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The employee, believing that this is a legitimate request, and wanting to be helpful when someone in authority asks for their assistance, quickly sends the data.  Currently, we are tracking these incidents in the VERIS Community Database.  At last count, there are 33 companies affected, although this will likely grow as new cases are found.

As someone who works with publicly disclosed data breaches on a daily basis, I have seen the uptick in these types of notifications coming across over the past several months.  Clearly, there is a trend here that is capitalizing on the tax season and the appeal to authority that a request coming from a high level executive engenders.

Use this time to inoculate your groups who have this type of information.  They need to be especially vigilant when dealing with requests that look like they come from company executives.  Set up a process for this type of request–with controls in place that will allow them to verify that the person who is requesting this information is actually who they think they are.  This control could take several forms–depending on the needs and culture of the organization.  A pre-established passphrase could be created for the request of any type of sensitive data.  An out-of-band verification requirement is also a good idea.  The request came in through an email–make a phone call to the person who supposedly sent it.  Make sure they know not to just reply to the email they received, since the address may be spoofed.
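The sender checks described above (an executive's name on an outside address, a reply that would go somewhere other than where the mail claims to come from) can also be applied mechanically to inbound mail before it reaches payroll. The following is an added example, not code from the original post or from Verizon; the domain, executive names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the executives
# whose names are most likely to appear on a "send me the W-2s" message.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Data the scam asks for, drawn from the phrases quoted above, plus the urgency
# and politeness markers that recur in them ("kindly", "asap", "quick review").
SENSITIVE_TERMS = [r"\bw-?2s?\b", r"social security", r"wage and tax statement",
                   r"earnings summary", r"date of birth", r"\bsalary\b"]
URGENCY_TERMS = [r"\bkindly\b", r"\basap\b", r"quick review"]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse_message(raw: str) -> dict:
    """Return {'flagged': bool, 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    part = msg.get_body(preferencelist=("plain",))
    text = ((part.get_content() if part is not None else "")
            + " " + msg.get("Subject", "")).lower()

    reasons = []
    # 1. Executive's display name, but the address is not ours: a spoofed sender.
    if from_name.strip().lower() in EXECUTIVE_NAMES and _domain(from_addr) != INTERNAL_DOMAIN:
        reasons.append(f"display name '{from_name}' with external address {from_addr}")
    # 2. From looks internal, but a reply would be diverted to another domain.
    if _domain(from_addr) == INTERNAL_DOMAIN and _domain(reply_addr) != INTERNAL_DOMAIN:
        reasons.append(f"Reply-To diverted to {reply_addr}")
    sensitive = [t for t in SENSITIVE_TERMS if re.search(t, text)]
    urgency = [t for t in URGENCY_TERMS if re.search(t, text)]
    if sensitive:
        reasons.append(f"requests payroll/tax data ({len(sensitive)} terms)")
    if urgency:
        reasons.append("urgency/politeness pressure")
    # Flag only when a sender anomaly coincides with a request for W-2-type data,
    # so an ordinary internal HR thread that mentions W-2s is not flagged on its own.
    sender_anomaly = any(r.startswith(("display name", "Reply-To")) for r in reasons)
    return {"flagged": sender_anomaly and bool(sensitive), "reasons": reasons}


# Constructed sample messages (not real traffic).
SAMPLE_BEC = (
    "From: Jane Doe <jane.doe@example-mail.co>\n"
    "To: payroll@example.com\n"
    "Subject: W-2 request\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all "
    "W-2 of our company staff for a quick review.\n"
)
SAMPLE_REPLY_TO = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: ceo.office@freemail.example\n"
    "To: payroll@example.com\n"
    "Subject: Employee list\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Can you send me the updated list of employees with full details "
    "(Name, Social Security Number, Date of Birth, Home Address, Salary).\n"
)
SAMPLE_BENIGN = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Lunch\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Are you free for lunch on Thursday?\n"
)

if __name__ == "__main__":
    for name, sample in [("BEC", SAMPLE_BEC), ("Reply-To", SAMPLE_REPLY_TO),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, analyse_message(sample))
```

A hit from this check is a prompt for the out-of-band verification step, not a verdict; the call to the apparent sender still decides.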

Another point is that you should verify this hasn’t already occurred in your organization without the recipient realizing the request was not legitimate.  You may already have been hit by this attack, and not know it.  How easy is it for employees to raise this kind of issue with your Information Security group?  Do they have to know someone on the team, or have you established a hotline or group email for people to forward potential security incidents?  How well has it been socialized in the company?  Don’t make people work hard to let you know something may be wrong.

Finally, if you haven’t already, consider this a good candidate for a tabletop test of your incident response plan (you have one, right?).  It is a scenario that is all-too-common and a good way to verify your plan is up to date.  Your organization may be one of the lucky ones, and you may never experience a BEC.  However, it is always better to be safe in these cases, and ensure your people know they may be targets based on the type of data they have access to.


Anatomy of a well-managed malware incident

by Joan Ross, Managing Principal, Cybersecurity

It’s 6 a.m. when you, the CISO of an organization, are alerted that zero-day malware is running rampant across the Internet, infecting and spreading across your globally connected business.  By now, this type of occurrence is nothing new to you – in fact, some form of malware has existed ever since computing systems evolved. You should be well prepared for these types of common events in one of two ways.

Scenario One: You manage the 24/7/365 incident response team of dedicated, trained professionals.  They are experts at detecting and containing exactly these types of incidents.  You’ve ensured they are well funded and adequately staffed and trained for this type of event, equipped with the necessary tools and technologies required to combat this type of situation.  You have established, defined and tested standard operating procedures to ensure no one skips an important step in the heat of the active prevention, containment, and analysis phases.

Your staff is not re-tasked or otherwise diverted onto other projects, but has dedicated “eyes-on-glass” alerting and action in place.  In fact, one of them is notifying you that they are on alert, prepared and performing their standard procedures. They will keep you apprised as the malware spreads across the globe, paying careful attention to business partner and supplier systems and connections.

You educate all company personnel, including executives, at least quarterly, on this type of threat. You counsel them on how to be cautious, suspicious and resistant to being duped.

Your established process to alert employees and business partners has already been enacted.  Proper preventive procedures have been enacted by your security personnel across firewalls, email systems, and other venues of infiltration.  The malware variant is being analyzed, and your staff is in touch with your vendor for the status of their emergency signature patch.

Scenario Two:  You are an experienced CISO and business professional, pragmatic and astute enough to know that there is inadequate funding to enact or maintain this type of incident response team.  Incident response is not your organization’s core competency.  Your duty is to inform, advise, and recommend an adequate security solution.  This is when your decisions and actions matter for your career, your company, and your customers.

You recommend an experienced company well known for its cyber intelligence and global SOC monitoring.  One that authors data breach intelligence reports based on its global backbone, and whose experienced, dedicated, global security operations team provides value for the cost of a rapid response.  Selection criteria matter.

Your 6 a.m. notification is from your SOC partner, providing you with all the information you need to confidently inform your organization that you are on alert but all best-practice industry standards are effective and ongoing.  Your company does not make the headlines, and your business partners extend further trust because you have managed and invested well.

Weekly Intelligence Summary Lead Paragraph: 2016-03-18

by David Fraga

Several top-tier domains were victims of a large malvertising campaign associated with the Angler Exploit Kit that targeted news sites, entertainment portals, and political commentary sites.  This campaign primarily targeted the United States and looks to have affected tens of thousands of users this past week.  Hackers stole $81 million from Bangladesh’s Central Bank in one of the most brazen attacks to target the financial industry this year.  This past week Palo Alto Networks reported on PowerSniff malware, which is used in macro-based phishing campaigns that are targeting point-of-sale-related systems.  KrebsOnSecurity reports that payday lending firm Moneytree is the latest company to alert current and former employees that their tax data was handed over directly to scam artists.  Cyberespionage groups, such as the China-based Suckfly group, are stealing digital certificates to sign malware. ABI Research published an infographic showing a comprehensive view of biometric system vulnerabilities as well as a whitepaper describing recommendations for enterprise environments.

Protected health information (PHI) breaches: sounding the alarm

Author: Joan Ross, managing principal, cybersecurity, Verizon Enterprise Solutions

Customer data breaches are occurring at an alarming rate. With the recent media attention on yet another stolen laptop containing mass records of sensitive patient medical information, the greater security and user community is left to ask what necessary control information is not being provided to organizations.

The Verizon 2015 Protected Health Information (PHI) Data Breach Report provides the supporting empirical evidence executives require to best inform their organizations on factual risk and current exploitation. The purpose of the PHI Report is to better inform an organization’s information protection decisions and risk analysis, and to help prioritize its investments. It’s these investment determinations that personally impact people, and for which executives are primarily responsible and accountable in conducting their business for their customers, shareholders, and business partners. Alarms clearly sounded in our most recent report, which details:

  • Most organizations, regardless of industry, hold some form of protected health information regarding their personnel, their human resource programs, or their actual business.
  • Ninety percent of all organizations, across all but two industries, have experienced a protected health information breach – truly a call for action across industries.
  • Lost and stolen assets are clearly the number one threat resulting in PHI security breaches.

The PHI report provides the basis to convey industry standard security requirements for mobile devices containing potentially sensitive information. There is little to no need for PHI data to be stored on mobile devices, and every reason for robust, layered security controls to be present.

Let’s examine the limited business rationale to date.

Field or remote health workers: These personnel travel to the patient to collect vital health information. Because connectivity can be difficult and they have limited timeframes to collect the necessary information to assist the patient, sessions may be entered locally into the mobile device. Prudent organizations require the personnel to routinely and securely upload the data to a more protected, central system, not only for security, but to track access and use of the patient information. There is no reason for sensitive information to remain on the mobile phone or on the laptop for several days. Mature, more security-focused organizations will ensure, through monitoring and preventive controls, that the data cannot be copied or transferred elsewhere either digitally or physically.

Business continuity strategy: Smaller organizations have implemented business continuity budget and planning for all personnel to transport their primary mobile work device to and from work each day. In this manner, if a business disruption occurs, the employee in the affected regions can still be productive while the disruption gets resolved. This may present additional risk to the organization and requires at a minimum the same mandated controls, processes, and validations as for field and remote workers listed above.

If other business rationales exist for PHI to be held on mobile devices without these necessary controls, by all means we’re ready to listen and recommend essential, effective controls and processes.


RSA Conference was one for the books

By: David Grady, Principal Client Partner, Security Solutions

Security solutions providers of all flavors and sizes showcased their wares at the recent RSA conference in San Francisco, but the big money seemed to be in book sales, if foot traffic in the show’s pop-up bookstore was any indication. We saw at least 400 different information security-themed titles for sale, many costing $50 or more, and we saw plenty of perusing and purchasing going on between keynote addresses and vendor presentations.

The sheer diversity of book topics for sale at RSA reflects just how challenging (and sometimes overwhelming) it can be for security professionals to keep current. There were books about secure coding; books about data analytics; books about cloud computing and social engineering and IoT. There were also titles about how to get a job in information security and how to keep your job as a CISO and how to deliver a TED talk and how to pass one of a dozen types of certification exams. There was even a “pleasure reading” pile consisting of fictional cyber-thrillers meant to be read during a security practitioner’s rare vacation break.

A few hours after it opened on Day 1 of the conference, bookstore staff reported brisk sales of CISSP exam prep guides. By mid-week, books about how to succeed as a CISO were flying off the shelves.

By week’s end, what was the most popular topic? “Pretty much everything,” the bookstore manager said (with a smile).

For a good read – and a free one, no less – get your copy of Verizon’s brand new Data Breach Digest report at

Back to (Security) Basics

by Brianna Carroll Boyle

Simple is best.  Follow basic rules.  The best offense is a good defense.  We have all heard these adages countless times.  They apply to school, to sports, even to combat.  And they are just as applicable to cyber security.

Year after year, the Verizon Data Breach Investigations Report (DBIR) tells us that basic security measures are critical.  And, yet, on a daily basis, new data breaches appear in the headlines, many of which could have been prevented by implementing those very same basic, foundational security measures.  For instance, it was recently reported that poor password protection contributed significantly to several breaches recently in the news, in spite of evidence that two-factor authentication helps to prevent unauthorized access.  At last week’s RSA conference, Martin Roesch, vice president and chief architect of the Cisco Security Business Group, addressed the very real issue of complexity bogging down security.

With all the differing cyber security recommendations floating around, what’s a business to do?  The 2015 DBIR combined real-world attack methods with Critical Security Controls (CSC) to create evidence-based recommendations.  The report identified where a simple CSC control could be applied against a vulnerability for a fascinating result: the controls deemed to be most effective by the DBIR are also considered “quick wins” in terms of risk reduction through CSC.

What does the evidence tell us here?  It tells us simple security controls are extremely effective at immediately reducing risk against common attacks, and that these measures can be put into place without requiring significant changes to an environment.  While they may not be flashy, implementing basic, foundational security measures gives the most bang for the buck.

To learn more about how to “make informed cyber risk decisions,” please join our webinar on Thursday, March 17 at 11:00 am ET by clicking here.