The DBIR is an interesting dataset in that it only covers breaches that have been covered by the media.
It does not include the vast majority of breaches that happen every year and are reported to federal and state regulatory bodies or as posted to cybercrime / ransomware sites.
One of the coolest things is that this process though flawed is transparent and semi-open to the public.
The dataset and the underlying process for which events are selected takes place in the open on GitHub.
DMCA would not work here since they are hosting a copy of it for archival purposes, and not claiming copyright. The original public URL is included.
Archive.org does respect robots.txt tho. It is possible to completely delete a site's history on Archive.org by modifying the robots.txt (at least in the past, not sure if that is the case now)
It could be considered situational irony for a company reporting on industry data breaches to expect readers to disclose personal information as one would expect them to display sensitivity to unnecessary capture of precisely this kind of data.
Verizon having to publicly disclose that they screwed up protecting the data they collect, and then, like a desperate addict, asking for more data? Yeah, no, you're right, not ironic at all.
That's why reading before commenting is preferred... there's even a synopsis outlining what the report is at the link, and the second page of the report outlines it as well. So even a cursory glance before commenting would have worked here...
Possibly, but even after knowing what TFA is about, the title still reads the other way. It's an unfortunate thing that the majority of readers of the title will assume it is a breach of Verizon rather than an investigation by Verizon. To not understand this and allow the title to go as is, is just naivete at its finest.
What is up with the glib tone featured throughout this document? To cite a few examples (there are many more):
Page 11: "Hello, friends, and welcome to the “Results and analysis” section."
Page 15: "Hey, you, don’t skip this section this year! We know we keep repeating, “It’s always external criminals wanting your money” alongside dated pop culture references, but we have some interesting data points to discuss this year. Does this mean External actors are not the most prevalent? No, of course they are, silly. But since we got your attention, please read on."
Page 37: "In the cybersecurity world, or “the cyber biz,” as we call it, we certainly love our catchy terminology. Terms such as whaling, smishing, quishing, tishing, vishing, wishing, pharming, snowshoeing and plain old phishing are ever-present in the Social Engineering pattern. This makes sense because there are a lot of vectors on which we need to educate our employees and end users, and we’re positive that in another five years, there will be new ones that we will have to add to our list."
As someone who works in the "cyber biz", I don't think we really do like all of these supposedly catchy terms that are just more specific ways to describe the same thing. All it does is confuse end users with more jargon.
This is actually a really solid high-level report. Very well-written. Frankly, it blows my mind that it was made by a company with such infuriatingly asinine, incompetent, and ineffective support processes. I'll bet a non-zero quantity of hiring managers that have been burned by Verizon's support have subconsciously passed over talented candidates coming from there.
Every large organization has good parts and bad parts. What most people forget is a company is just a collection of people. When you have 1,000, 10,000, 100,000, etc. employees, they can't all be good, bad, etc.
Sure, but few orgs have as much surface area with such a ridiculously bad service. And I said subconsciously. I really doubt anyone would deliberately refuse to hire a good candidate because they worked for a company with shit customer service. But our thought processes are influenced a whole lot more by subconscious factors than we like to think they are. People that think their thought process is entirely logical and deliberate usually just lack the introspection to see how wrong they are. It's basically the core tenet of modern advertising.
Honestly, telecommunications companies in general are considered to have bad service.
I worked for a large telco for many years with a lot of history and people honestly hated the company, even if they came in store and had a flawless experience many of them couldn't be curbed.
You have everyday people using mobile and internet services that operate in the background that impact people heavily if they go down or their experience is poor. Then the process for them to get it remediated is speaking with service staff that often don't have the ability to actually fix the problem if it is infrastructure related.
Especially when internet services and speeds around a decade ago were/are struggling to keep up with basic internet usage.
As an employee I had gone above and beyond for many customers and had experienced some crazy stories where the customer was simply horrible.
Breaches by attackers will continue until it becomes prohibitively expensive or dangerous for the attackers to do what they do. This isn't something companies can do; it takes a government to do that.
Until then, it's a great way to squeeze crypto out of some company to make up for the fact that your country is under sanctions tied to the US Dollar, and since it's hard to prove to the bean counters that an attack will happen with reasonable certainty on a given system in the next quarter, good luck getting resources and priority for mitigations beyond the usual.
> since it's hard to prove to the bean counters that an attack will happen with reasonable certainty on a given system in the next quarter, good luck getting resources and priority for mitigations beyond the usual.
False.
Companies are now liable to report breaches to the SEC and steps taken to remediate.
As I've mentioned several times on HN before, heads do roll and C-Suite does care about security posture now that liability and insurance payouts are on the line.
The annoying thing is HNers will never see the actual successes (because these are obviously kept private) and only see a couple glaring failures.
Furthermore, this report is an advertisement for Verizon's MSSP division (Verizon Business), which companies pay to manage their security posture - all telcos have had an MSSP BU since the 1980s (ATT Global Business Services being the market leader)
You'll see a lot of BS like this for the next 2 months because RSA is in 2 weeks and AWS Re:Invent in a month. It's conference season (great time to stock up on free tshirts and drink Blanton's on the corporate tab)
Stocks are not the "holy grail decide all" when much of UHG and Optum's leadership is in front of Congress as we speak during an election year and with significant liabilities due to potential breaches of contract by failing to produce billing to their customers.
Go on LinkedIn and take a look at who's on the CISO org and below at UHG and Optum today - in 6 months 60% of them will no longer list either as their employer.
UHG the organization will continue to exist, but the people who make up that organization will have their heads roll.
There is no Mr UHG the 3rd running stuff there or in the majority of F1000s - it's professional managers who climb up and down the ladder.
Not everything is some sort of conspiracy with mustachioed men and DEI puppets parroting Milton Friedman and Ronald Reagan like the HN hivemind loves to think.
The CISO role is too often just a game of roulette. The big question is whether the CISO is actually able to effect changes that have material impact on their own fate, by improving security posture. If not, then the CISO is merely compensated to play the scapegoat when luck is down.
If it doesn't affect stock price, though, then the CEO, board, and shareholders are all incentivized to keep IS costs low, and ignore any costly security recommendations.
Being dragged in front of Congress on anything related to a computer is not a big deal; if it were, Mark Zuckerberg would not be CEO of Meta. The liabilities will be played out in court over the next decade, and you'll possibly see some legislation passed over that time period limiting liability in these situations, because how can we possibly expect these companies to deliver value to shareholders while shouldering the risks posed by adversarial state-backed hackers?
Personal responsibility as conducted through firings means more for the rank-and-file than for directors and above. It's not about what you've done as much as who you know in those levels.
You stated "Being dragged in front of Congress on anything related to a computer is not a big deal". I do not think you understand how the United States works. The United States government can destroy a company if it wants to. A good example is TikTok. Angering senators, or representatives is a very dangerous thing to do. If you want to see the results, look at the legal problems Google is having, or the problems Microsoft had in the late 1990s and early 2000s.
> how can we possibly expect these companies to deliver value to shareholders while shouldering the risks posed by adversarial state-backed hackers
1. Liability
2. Insurance Premiums
3. Regulation
1 and 2 are already in place, and 3 is currently working its way over the next couple years.
> TL;DR: I'll believe it when I see it.
Cynicism is valid, but at some point it's just unfounded nihilism, and you as an individual IC will never publicly see these changes as they are well above your pay grade (and you sure as hell won't hear about it publicly)
> Being dragged in front of Congress on anything related to a computer is not a big deal
It is when you are on the hook for that federal bailout to prevent the entire healthcare system from collapsing [0] caused by incompetence surrounding credential management
> Cynicism is valid, but at some point it's just unfounded nihilism, and you as an individual IC will never publicly see these changes as they are well above your pay grade (and you sure as hell won't hear about it publicly)
Weird comment, are we supposed to trade the unfounded nihilism for unfounded optimism? Apparently accountability and transparency[1] are widely available... behind closed doors.
[1]: yep, transparency is kinda required for having effective insurance, regulation, or liability.