Verizon, the US-based telecom giant, has been publishing one of the most closely watched reports on cybersecurity for the past 12 years. The data set captured by Verizon is sizeable and gives holistic and industry-specific views of the entire cyber threat landscape. In a conversation with Business Today, Anshuman Sharma, principal consultant (investigative response), Verizon RISK Team, talks about the key findings of the 2019 edition of the report. Edited excerpts:
Business Today: What are the key findings of the current Data Breach Investigations Report (DBIR), and the difference between current findings and the findings of the past years?
Anshuman Sharma: This is the 12th edition of the report. This is a totally data-driven statistical report, and we have the highest contribution this year - 73 contributors spreading across 86 countries. This time, we have analysed 41,686 security incidents, and 2,013 confirmed data breaches. It gives most of the organisations a view of where they should concentrate more - whether things are getting bad at the web application level for their industry vertical or there's more insider threat.
Last year and the year before were dedicated to ransomware like Petya. The use of weak passwords and default credentials were the key talking points along with phishing, which has been there since the inception of the report. This year, one of the key things is the targeting of the C-suite. The reason: They have access to almost all the sensitive information, and most of the time, the access is privileged. If somebody dupes them into a wire transfer, they can easily go and do it if somebody tricks them. The other thing is that most of the senior executives, compared to last year's report, are 12 times more prone to security incidents and nine times more prone to data breaches.
We have the first-time contribution from the FBI (Federal Bureau of Investigation). We also saw business emails being compromised, which were majorly web-based emails.
It's been consistent with the past reports as well that outside attacks are more prevalent than insider attacks. The outside attacks constitute 69 per cent of all attacks. Of all the data sets that we have evaluated on incidents and breaches, 69 per cent had originated outside of the organisations. It can be state-sponsored or it can be somebody doing it out of a grudge or for fun.
In the 2014 DBIR, we came up with nine patterns like web applications, denial of service, point of sale compromise, skimming attacks, crimeware (ransomware, malware), privilege misuse, physical asset compromise, cyber espionage and miscellaneous errors. This year, we saw 98.5 per cent of the incidents and 88 per cent of the confirmed breaches fit in these nine categories.
One of the other findings is that malware was not the first entry point into an organisation. It was hacking. Malware comes at the second or third stage of the compromise. We also saw that many of the attacks were fast.
On the motives part, financial remains on the top followed by cyber espionage. We are tracking 10-12 verticals - healthcare, BFSI, education, manufacturing and public. As more and more organisations move their assets towards the cloud, the bad guys are also moving there.
BT: These security incidents and data breaches analysed by you are within Verizon's network?
Sharma: It's been tracked by 73 contributors. We have a couple of contributors from India - one is a government entity and another is a decent-size company, which is into hardcore cybersecurity. Globally, there are federal policies, CERTs, and large corporations who contribute to this report. They can be on anybody's network. As Verizon, we are ourselves a contributor to the DBIR report.
The report is a result of all the good organisations trying to come together to contribute for the rest of the world to help them efficiently spend their security budgets and build preventive and detective strategies. The report doesn't talk about any products.
BT: Who are the big perpetrators according to the report?
Sharma: The report doesn't mention it. We don't talk about geographical locations, and who did it. We are living in a connected world - whatever happens tomorrow, let's say in Japan, it can happen in India as well. The bad guys are sitting everywhere. There's no point in making it regional. It's better to give a global view.
BT: What's the nature of attacks on CXOs?
Sharma: They are financially-motivated. For example, targeting a CFO for wire transfer. Espionage is second.
BT: Do you see the possibility of cyberattacks getting bigger in the future?
Sharma: The report is not futuristic. It's more of what has happened, and on the basis of that analysis, what can be learned for the future. If I have to take a decision on the basis of the DBIR report, and if I know that ransomware is the second-most prevalent type of attack, I would have my strategies built in to tackle ransomware attacks.
BT: With the kind of data that India is consuming, do you see the need to have a larger data capturing from India?
Sharma: We are totally neutral to any country that wants to contribute. We would love to work with CERT-In if they want to contribute data. The larger the data set we have, the more we move towards reality. We try our level best to reach as many organisations as possible for contributions. We will try to have CERT-In (in the future reports), and if that happens, the data set will be huge.
BT: There are simple cyberattacks, and then there are sophisticated attacks on the critical infrastructure of a country. What level of attacks have you covered in this report?
Sharma: You will never see any reference to any group. Most of the things [in the report] are aligned to the nine categories that I have mentioned a while ago. We could have tracked the most sophisticated SQL injection attack, but the report will never mention it.
BT: How well is India prepared as compared to other developed countries in terms of cybersecurity threats?
Sharma: India is making a decent bit of effort. The Reserve Bank of India has set up their arm. We have a lot of banking customers, and whenever we meet them, they are undergoing some kind of audit. RBI is doing quarterly audits, and they are doing red-teaming and blue-teaming exercises. The CERT-In is doing its bit. We are working on getting a privacy law. India is going in the right direction.