The 2015 DBIR continues to provide a large amount of information from Verizon’s case load and those of a number of contributors. The report itself is 40 pages longer than the inaugural 2008 issue and has substantial improvements in the graphs used to communicate information. The authors have worked hard on using data analysis to pull information out of all the data they’ve gathered. The only real fault I can find with it is that I felt a bit like a VP of Sales used to feel when I talked to him in technical jargon. I don’t have a background in data science or statistics, so that made reading the report more difficult than I would have liked. Still, it was informative and supported some things that I had suspected from pen tests we’ve done.
Cost of Breaches
The news gets worse when you look at how little time you have to respond before someone clicks the link or opens that attachment. Verizon’s report says that 50% of the users will click on that link during the first hour. If anything, that seems a little long to me. Secure Ideas consistently finds that users start responding to these emails immediately. It’s also grimly amusing to see how determined some individuals are to get to whatever is promised in the email. It seems like there’s always someone who will try that link a half dozen times before giving up. It’s not unusual for a campaign to get 25% of users clicking the target link, and a clever, well-timed message can do much, much better. In fact, we performed one assessment during the holidays that linked to a survey about locations for the company Christmas party. In this case, we had more responses than emails actually sent. I can only guess that it was forwarded around to others in the organization.
With that bit of grim news, what’s the recommendation? First, pay attention to your email filtering and work to improve its ability to detect these messages while they are still inbound. It is worth performing some internal phishing tests, or having a third party (like Secure Ideas’ User Scout 😉) perform them, with the goal of testing and improving your filtering software’s effectiveness. Don’t just use these tests to see how employees respond; use them to find out how good that spam filter you bought actually is. Using these campaigns as part of an interesting and genuinely useful user awareness program can really help as well. Word gets around fast and lingers for a while when folks find out how their company actually did during a test. Don’t turn this into a witch hunt that embarrasses or humiliates by listing who messed up; let folks know that the attack was all too successful without naming names. Verizon also states that these assessments and the accompanying training improve an organization’s ability to detect phishing, because employees learn what a phish looks like and whom to report it to.
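If you run the internal phishing tests suggested above, the numbers worth pulling out of the results are the ones the post keeps coming back to: the overall click rate, how many of the clickers did so within the first hour, who kept hammering the link, and whether the message was forwarded to people who were never on the send list. The following script is an added example, not code from the Secure Ideas post or from the DBIR; the log format, the campaign recipients and the click timestamps are constructed for illustration and would in practice come from your phishing tool or the landing page’s access log.

```python
"""Score a simulated phishing campaign from its send list and click log.

Added example, not from the original post. The log format (ISO timestamp and
a per-recipient token), the recipient names and the click times below are all
constructed sample data.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample campaign: eight recipients, emails sent at 09:00.
SEND_TIME = datetime(2015, 12, 7, 9, 0, 0)
SENT_TO = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

# Constructed click log from the landing page: "<timestamp> <recipient token>".
# "bob" clicks three times in a row; "zoe" was never on the send list, so the
# message must have been forwarded to her.
CLICK_LOG = """\
2015-12-07T09:02:11 alice
2015-12-07T09:03:40 bob
2015-12-07T09:03:55 bob
2015-12-07T09:04:02 bob
2015-12-07T09:31:17 carol
2015-12-07T11:45:00 dave
2015-12-07T13:10:09 zoe
2015-12-08T08:15:30 erin
"""


def parse_clicks(log):
    """Return a list of (datetime, token) tuples from the raw click log."""
    clicks = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, token = line.split()
        clicks.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), token))
    return clicks


def campaign_stats(sent_to, clicks, send_time, window=timedelta(hours=1)):
    """Summarise a campaign: click rate, first-hour share, repeat and unexpected clickers.

    Only a recipient's earliest click counts toward the timing figures, so the
    "within window" share is comparable to the DBIR's first-hour statistic.
    """
    sent = set(sent_to)
    first_click = {}          # recipient -> earliest click time
    clicks_per_user = Counter()
    unexpected = set()        # tokens that were never sent the email
    for stamp, token in clicks:
        if token not in sent:
            unexpected.add(token)
            continue
        clicks_per_user[token] += 1
        if token not in first_click or stamp < first_click[token]:
            first_click[token] = stamp

    clicked = len(first_click)
    within_window = sum(1 for t in first_click.values() if t - send_time <= window)
    return {
        "sent": len(sent),
        "clicked": clicked,
        "click_rate": clicked / len(sent),
        "within_window": within_window,
        "within_window_share": within_window / clicked if clicked else 0.0,
        "repeat_clickers": sorted(u for u, n in clicks_per_user.items() if n > 1),
        "unexpected_tokens": sorted(unexpected),
    }


if __name__ == "__main__":
    stats = campaign_stats(SENT_TO, parse_clicks(CLICK_LOG), SEND_TIME)
    for key, value in stats.items():
        print(f"{key}: {value}")
```

On the constructed data this reports 5 of 8 recipients clicking (62.5%), 3 of the 5 clickers doing so inside the first hour, bob as a repeat clicker and zoe as an unexpected token. The per-recipient token is what makes the forwarding case visible: if your campaign tool only logs a shared URL, you can count clicks but cannot tell whether the extra ones came from people outside the send list.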
Jason Wood is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at email@example.com or visit the Secure Ideas – Professionally Evil site for services provided.