Two New Cybersecurity Reports Offer Legislative Opportunities and Data Breach Scenarios

This is a tale of two studies. The first report, from the Governing Institute, was sponsored by the National Cyber Security Alliance (NCSA) and AT&T, and covers the intriguing results of a state government legislative survey on cyber. The second report offers a “Data Breach Digest” from Verizon, which elaborates on 18 different data breach scenarios worth considering. Both reports are free and bring excellent recommendations and worthwhile opportunities.

by / March 13, 2016
Credit: Governing Institute

According to Governing Institute survey results released March 7, 80 percent of government officials and their staffs report not knowing whether their state has a cyberemergency incident plan in place.

“The purpose of the survey was to examine current baseline cybersecurity knowledge of state elected and appointed officials in order to identify educational needs regarding this topic,” said Todd Sander, vice president of research for the Governing Institute. “We found that, although legislators know the risks are high, many are not as involved as they could be and significant cybersecurity gaps remain.”

Despite the fact that fully 8 in 10 respondents (83 percent) agree that cybersecurity is a priority for them, and nearly three quarters (72 percent) believe their state’s current level of cyber risk is moderate to high, legislators are not as immersed in state cybersecurity efforts as they could and would like to be, according to the survey. Even as cybersecurity has become an increased priority for states, only 18 percent of surveyed legislators currently sit on a committee with cybersecurity as part of its official mandate.

I really like the infographic offered. Click here to review the full survey data.

Here are some of the top highlights:

  • 18 percent of surveyed legislators sit on a committee that designates cybersecurity as part of its official mandate,
  • 43 percent of survey respondents cited funding as a limiting factor to cyberdevelopment,
  • 50 percent cited personnel as a limiting factor,
  • 43 percent said there is a general lack of cybercomprehension in their state.

New Verizon Data Breach Digest

Meanwhile, Verizon recently released another helpful report that is worth reviewing. The Verizon Data Breach Digest offers 18 cybercrime case studies that were chosen to represent the most common and destructive types of incidents they have seen over the last eight years. For each incident, the report reveals the events leading up to the breach, details of the investigation and how the organization recovered with professional help. The digest ranks each of the 18 types of attack.

It also explains who’s at risk and describes what steps you can take to better protect your organization.

The 18 data breach scenarios are clustered into four groups, each described as follows:

A. The human element — five scenarios highlighting human threats or targets.

B. Conduit devices — five scenarios covering device misuse or tampering.

C. Configuration exploitation — four scenarios focusing on reconfigured or misconfigured settings.

D. Malicious software — four scenarios centering on sophisticated or special-purpose illicit software.

The report also describes the “incident classification patterns” involved in confirmed data breaches, in order of frequency over the past three years. These include:

1. Point-of-sale (POS) intrusions — POS application/system related attacks.

2. Web app attacks — Web application related stolen credentials or vulnerability exploits.

3. Cyberespionage — state-affiliated, targeted attacks.

4. Crimeware — malware used to compromise systems.

5. Insider and privilege misuse — unauthorized insider-related activity.

6. Payment card skimmers — physically installed malicious card readers.

7. Miscellaneous errors — any mistake that compromises security.

8. Physical theft and loss — physical loss or theft of data/IT related assets.

9. Denial of service (DoS) attacks — non-breach-related attacks affecting business operations.

Additional Coverage of the Data Breach Digest

CSO Magazine wrote this story on the new Verizon Data Breach Digest. I like this quote:

"Everyone is told by their company, 'Do this, don't do that' and they may not understand why," said Chris Novak, director of the investigative response team at Verizon. "This digest explains the why."

According to Novak, the digest is based on 1,175 forensic investigations that Verizon has conducted over the past three years.

Two-thirds of the cases fall into just a dozen scenarios, he said. Another six scenarios are less common overall, but have a bigger impact on targeted companies.

"One of the key take-aways that we're hoping folks will realize here is that there's such commonality between the cases," Novak said. "There's a perception that everyone is in this alone. By putting these stories out there, it shows the industry that they are not alone."

In addition, IDC ran this interview on the report on the floor of the RSA Conference in San Francisco.

Wrap-Up

You may be wondering, why am I highlighting these two specific reports?

I think that both of these cybersecurity studies are well done and come from telecommunication leaders like AT&T and Verizon. Also, they dive deeper into the trends and actions that can help enterprises make progress in their information security programs.

I strongly encourage readers to take a close look at these two studies.