Security Experts:

Verizon 2015 DBIR: Don't Sweat Mobile and IoT

Verizon on Tuesday released its widely anticipated 2015 Data Breach Investigations Report (DBIR), a must read report compiled by Verizon with the support 70 contributing partners, which analyzed 79,790 security incidents and 2,122 confirmed data breaches across 61 different countries.

While the industry is flooded with reports and survey data almost daily, Verizon’s annual DBIR is the top “must read” report of the year.

Verizon’s 2015 DBIR has expanded its investigation into nine common threat patterns and sizes up the effects of all types of data breaches, from small data disclosures to larger, headline-making events.

In Verizon’s own words, if you’re accustomed to reading the DBIR mainly for the headliners and one-liners, you might need to coffee up and put your thinking cap on.

Verizon 2015 DBIR CoverWith the 69-page report filled with interesting data points and insightful analysis by Verizon and its partners, a couple interesting items jumped out, which may disappoint some FUD-loving readers and security vendors.

In short, Verizon suggested that enterprise security teams don’t freak out over the current risks posed by Mobile and Internet of Things (IoT).

Despite numerous headlines (including many published by SecurityWeek) and reports painting a frightening picture of mobile and connected IoT devices, Verizon’s team provided some good advice: Don’t waste your time worrying about mobile and IoT when it comes to data protection priorities.

Noting that it was a data-driven conclusion, Verizon said that mobile devices are not a preferred vector in data breaches. Of the tens of millions of mobile devices on the Verizon Network, the number of ones infected with “truly malicious exploits” was negligible. An average of 0.03% of smartphones per week on the Verizon network were infected with what it described as “higher-grade” malicious code.

“We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list. This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone,” Verizon said.

While some may raise an eyebrow over this, Verizon is not saying that organizations should ignore the risks associated with mobile devices.

“Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they’re using now,” the report advised.

When it comes to mobile devices in the enterprise, Verizon suggested that organizations focus on visibility control.

“Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly.”

Mobile Malware

In terms of mobile malware, Android tops the charts to the point that most of the suspicious activity logged from iOS devices was just failed Android exploits, according to the report.

“While we’d love to compare and contrast iOS to Android, the data is forcibly limiting the discussion to the latter,” the authors of report wrote. “Also, the malicious activity recorded on Android is centered on malware, and most of that malware is adnoyance-ware and similar resource-wasting infections.”

IoT Security Challenges

While the number of non-traditional devices connected to corporate networks may be challenging enterprises, no widely known IoT device breaches have been disclosed--unless you count the spamming refrigerator incident which itself was questioned by many security experts.

So far, most of the breach examples in the news have been proofs of concept, and filtering out the hype and hypotheticals, there were few incidents and little data disclosure to report for 2014, Verizon said. 

“When jumping on the IoT bandwagon, perform threat modeling and attack graph exercises to determine who your most likely adversary is, what their motives may be (financial vs. espionage vs. ideology, etc.), and where the most vulnerable components in your IoT services are,” Verizon advised.

Organizations should also determine where sensitive data ultimately resides in the ecosystem. “It may be on very “un-IoT” devices such as cloud-based databases or Hadoop70 clusters.”

“Ensure focus on Internet-visible components. With no incident data to drive decision making, understanding the typical methods used by your adversary and how they map to the data flow in your IoT implementation is a good start,” Verizon said.

According to a study by Atomik Research and security firm Tripwire released in January, 63 percent of executives expect business efficiencies and productivity will force them to adopt IoT devices despite the security risks. Still, 46 percent said the risks associated with IoT have the potential to become the most significant risk on their networks.

Verizon’s report had no mention of industrial control systems (ICS) as IoT devices, likely because Verizon’s DBIR focuses on IT vs. OT (operational technology).

Verizon’s 2015 DBIR explores many other topics, including Malware, PoS Intrusion trends, cost of data breach analysis, insider misuse of data, web application security, and much more.

The 2015 DBIR incident and breach collection processes had no substantial changes from the 2014 DBIR, Verizon said.

The authors also emphasized that the report is making no claim that the findings are representative of all data breaches in all organizations at all times.

“Even though the combined records from all our partners more closely reflect reality than any of them in isolation, it is still a sample,” Verizon said. “And although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists.

So fill your coffee mug and read the 2015 Verizon DBIR now. It's available directly from Verizon in PDF format and no registration is required.

view counter
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the enterprise IT security space and the threat landscape. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.