
SoylentNews is people

posted by chromas on Wednesday April 11 2018, @01:31PM
from the 1in4-stats-tend-to-be-legit dept.

The admins among you will be unsurprised to discover that, more than a quarter of the time, data breaches across the world originated between the chair and the keyboard of organisation "insiders". And no, we don't mean they clicked on a dodgy link...

The latest edition of Verizon's Data Breach Investigations Report (DBIR) found that 25 per cent of all attacks over the year were perpetrated by said insiders and were driven largely by financial gain, espionage and simple mistakes or misuse.

It also reports that organised criminal groups continue to be behind around half of all breaches, while state-affiliated groups were involved in more than one in 10. Financial gain, unsurprisingly, continued to be the top motivation for cybercriminals.

The healthcare industry was found to be at particularly high risk of insider threats through errors and employee misuse – such as medical workers accessing patient records for simple curiosity or fun.

Companies are nearly three times more likely to be breached by social attacks than via actual vulnerabilities, emphasising the need for ongoing employee cybersecurity education.

The report notes a significant trend in social-engineering and "pretexting" attacks targeting finance and HR departments, with nearly 1,500 incidents and nearly 400 confirmed data breaches reported. In these attacks, hackers may seek to convince finance departments to make a transfer of funds by posing as a company CEO.

[...] Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20 per cent of people still click on at least one phishing campaign during a year.

[...] Over two-thirds (68 per cent) of breaches took months or longer to discover.
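The healthcare finding above (staff viewing patient records out of curiosity) is the kind of insider misuse that only shows up if someone actually reviews the access logs, and the DBIR's discovery-time figure suggests most organisations do not. The script below is an added example, not code from the report or from this post. It assumes a hypothetical EHR audit log (one JSON object per line with `user`, `role`, `patient_id` and `action` fields) and a hypothetical care-team roster; both are constructed here and are not real data. It flags two things: record access by someone with no documented care relationship to the patient, and actions a role should never need (a billing clerk opening clinical notes), which is the least-privilege check applied after the fact.

```python
"""Flag 'curiosity' access to patient records in an EHR audit log.

Added example; not from the Verizon DBIR or the SoylentNews post. The log
format, field names and roster below are hypothetical and constructed.
"""
import json
from collections import Counter

# Constructed sample audit log, one JSON event per line (hypothetical format).
AUDIT_LOG = """\
{"ts":"2018-04-11T08:02:11Z","user":"dr_ahmed","role":"physician","patient_id":"P1001","action":"view"}
{"ts":"2018-04-11T08:05:40Z","user":"nurse_kim","role":"nurse","patient_id":"P1001","action":"view"}
{"ts":"2018-04-11T09:10:03Z","user":"dr_ahmed","role":"physician","patient_id":"P2002","action":"view"}
{"ts":"2018-04-11T12:31:55Z","user":"clerk_bob","role":"billing","patient_id":"P3003","action":"view"}
{"ts":"2018-04-11T12:32:07Z","user":"clerk_bob","role":"billing","patient_id":"P3003","action":"view_notes"}
{"ts":"2018-04-11T13:00:00Z","user":"nurse_kim","role":"nurse","patient_id":"P3003","action":"view"}
{"ts":"2018-04-11T23:45:12Z","user":"dr_ahmed","role":"physician","patient_id":"P3003","action":"view"}
"""

# Constructed roster: patient -> staff with a documented care relationship.
# P3003 has nobody on the roster here (think: a well-known patient admitted
# on another ward), so every access to that record needs a justification.
CARE_TEAM = {
    "P1001": {"dr_ahmed", "nurse_kim"},
    "P2002": {"dr_ahmed"},
    "P3003": set(),
}

# Least-privilege baseline per role (assumed policy, not from the page).
ROLE_ALLOWED_ACTIONS = {
    "physician": {"view", "view_notes", "update"},
    "nurse": {"view", "view_notes", "update"},
    "billing": {"view"},
}


def parse_log(text):
    """Parse the line-delimited JSON log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_suspicious(events, care_team, role_actions):
    """Return (reason, event) pairs for accesses outside the care relationship
    or outside what the user's role is permitted to do. An event can trigger
    both reasons."""
    findings = []
    for ev in events:
        team = care_team.get(ev["patient_id"], set())
        if ev["user"] not in team:
            findings.append(("no_care_relationship", ev))
        if ev["action"] not in role_actions.get(ev["role"], set()):
            findings.append(("action_not_permitted_for_role", ev))
    return findings


def summarize(findings):
    """Count findings per user so a reviewer knows whom to talk to first."""
    return Counter(ev["user"] for _, ev in findings)


if __name__ == "__main__":
    found = flag_suspicious(parse_log(AUDIT_LOG), CARE_TEAM, ROLE_ALLOWED_ACTIONS)
    for reason, ev in found:
        print(f"{ev['ts']} {ev['user']:10} {ev['patient_id']} {ev['action']:10} -> {reason}")
    print(dict(summarize(found)))
```

On the constructed log this flags every access to P3003 and additionally the clerk's `view_notes`, while the routine accesses by the treating physician and nurse pass untouched. A real deployment would also whitelist documented break-the-glass events and look at off-hours access, but the care-relationship join is the check that catches the "curiosity" pattern the report describes.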



  • (Score: 1, Funny) by Anonymous Coward on Wednesday April 11 2018, @01:37PM (5 children)

    by Anonymous Coward on Wednesday April 11 2018, @01:37PM (#665354)

    More regulatory oversight by smooth-talking, vote-buying, paper-pushing bureaucrats.

    That'll do it.

    • (Score: 2, Funny) by Anonymous Coward on Wednesday April 11 2018, @04:29PM (4 children)

      by Anonymous Coward on Wednesday April 11 2018, @04:29PM (#665420)

      I find your views interesting and would like to subscribe to your newsletter ... but I'm afraid you will purposely leak my data to other organizations. What? That's not a "breach", it's a business model?

      • (Score: 2) by JNCF on Wednesday April 11 2018, @04:37PM (3 children)

        by JNCF (4317) on Wednesday April 11 2018, @04:37PM (#665424) Journal

        Hmm, if only there was a technical solution to your problem that didn't require bureaucratic oversight. Some way to subscribe to newsletters without sharing any identifiable personal information... too bad, we'll just have to legislate the problem away. Quick, bring me my curly wig and gavel! Whatever laws we come up with will surely be more secure than an RSS feed or a throwaway email address accessed over TOR.

        • (Score: 0) by Anonymous Coward on Wednesday April 11 2018, @07:55PM (2 children)

          by Anonymous Coward on Wednesday April 11 2018, @07:55PM (#665507)

          Your ridiculous overreaction (trolling as it may be) is one reason why there can't be any real discussions on why both the individual and the companies share responsibility in controlling the individual's data. Making companies accountable for their negligence and/or malicious behavior is not a bad thing. We do it to people everyday.

          • (Score: 0) by Anonymous Coward on Wednesday April 11 2018, @08:20PM (1 child)

            by Anonymous Coward on Wednesday April 11 2018, @08:20PM (#665522)
            • The Market: Voting with your dollars (take your business elsewhere).

            • Civil Courts: Sue for breach of contract (no contract in place? Go to the market solution.)

            • Criminal Courts: Prosecute for fraud in advertising (They never promised good security? Go to the market solution.)

            • (Score: 0) by Anonymous Coward on Wednesday April 11 2018, @10:38PM

              by Anonymous Coward on Wednesday April 11 2018, @10:38PM (#665596)
              • The Market: Voting with your dollars (take your business elsewhere).

              Not everyone who has their data exposed are customers or willing participants. See Experian.

              • Civil Courts: Sue for breach of contract (no contract in place? Go to the market solution.)

              That's a great idea! Let's have regular people spend tens of thousands of dollars on legal fees in an attempt to extract some measure of satisfaction. Oh, and let's not forget arbitration for those who accepted any ToS or EULA. For those who aren't willing participants ... what contract breach can they sue over?

              • Criminal Courts: Prosecute for fraud in advertising (They never promised good security? Go to the market solution.)

              So you're in favor of prosecuting for fraud, but not for negligence or malicious behavior? What if they have very good lawyers who vetted all advertising to ensure it doesn't say "we will make a reasonable effort to protect your data". For those who aren't willing participants ... what fraud has occurred?

  • (Score: 5, Funny) by The Mighty Buzzard on Wednesday April 11 2018, @01:45PM (3 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday April 11 2018, @01:45PM (#665358) Homepage Journal

    The healthcare industry was found to be at particularly high risk of insider threats through errors and employee misuse – such as medical workers accessing patient records for simple curiosity or fun.

    Shit, I do the "curiosity or fun" thing on SN's db at least a couple times a year. See all of the moderation stats posts I've put up on my journal. Speaking of fun, here's realDonaldTrump's email address [mailto].

    --
    My rights don't end where your fear begins.
    • (Score: 2) by looorg on Wednesday April 11 2018, @02:16PM (2 children)

      by looorg (578) on Wednesday April 11 2018, @02:16PM (#665369)

      ... such as medical workers accessing patient records for simple curiosity or fun.

      It might be different between countries and such but here that is a crime and you would/could be fired for doing it. That apparently doesn't stop people from doing it, usually when it involves celebs and people they know and things of that nature.

      That said yes USERS are the worst, they are probably the source of almost all the IT-problems.

      ... sending emails to the wrong person

      This happens so often at work I stopped paying attention to it. Also here included are the people that click REPLY-ALL and then proceed to add a few really large attachments to the letter and then send it organization wide to everything from a few hundred to a couple of thousand people. It's probably worse if you have a common name. I assume you get a lot of mail that wasn't supposed to go to you. Mostly since people just assume you are that person with whatever is the common name, not then doing the next step in the thought process that yes there are probably a couple of people with that common name in any sufficiently large organization.

      • (Score: 0) by Anonymous Coward on Wednesday April 11 2018, @03:25PM (1 child)

        by Anonymous Coward on Wednesday April 11 2018, @03:25PM (#665389)

        That said yes USERS are the worst, they are probably the source of almost all the IT-problems.

        Exactly. The solution is therefore simple: eliminate the users, and your IT problems will be mostly gone.

        • (Score: 3, Insightful) by Arik on Wednesday April 11 2018, @04:12PM

          by Arik (4543) on Wednesday April 11 2018, @04:12PM (#665410) Journal
          "Exactly. The solution is therefore simple: eliminate the users, and your IT problems will be mostly gone."

          "Elimination" sounds a bit extreme but it wouldn't hurt one bit to get the people that don't have a clue and don't want one out of the userbase, one way or another.

          Instead for the past 20 years the industry has been going out of their way to do the exact opposite, and the results have been appalling to say the least.

          I'm reminded of the saying "It isn't that Unix is not user-friendly, it's just choosy about who its friends are."

          --
          If laughter is the best medicine, who are the best doctors?
  • (Score: 3, Interesting) by Thexalon on Wednesday April 11 2018, @02:31PM (2 children)

    by Thexalon (636) on Wednesday April 11 2018, @02:31PM (#665376)

    I would have figured it would be a much higher percentage than that. Which is why the Principle of Least Privilege is important.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by Runaway1956 on Wednesday April 11 2018, @02:50PM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Wednesday April 11 2018, @02:50PM (#665380) Journal

      It probably is much higher than that. Most likely, they aren't counting incompetent IT, or careless IT, or IT personnel who just don't give a damn. Not to mention, the IT guy who simply made a mistake. Yes, even competent, careful, disciplined workers can occasionally make a simple mistake.

      • (Score: 2) by frojack on Wednesday April 11 2018, @06:36PM

        by frojack (1554) on Wednesday April 11 2018, @06:36PM (#665465) Journal

        Sure, blame it on IT. Never mind the order in writing from the CEO to allow XYZ corp unfettered access to the database per contract 2743876B.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 4, Interesting) by frojack on Wednesday April 11 2018, @06:33PM

    by frojack (1554) on Wednesday April 11 2018, @06:33PM (#665463) Journal

    perpetrated by insiders and were driven largely by financial gain, espionage and simple mistakes or misuse

    Remove the "simple mistakes or misuse" and watch the level of insiders disappear into round off errors.

    Simple mistakes include forgetting to change default passwords, failing to filter all inbound ports, permissions errors, or not applying patches timely. Misuse probably entails stuff as simple as forgetting to log out.

    Hardly rises to the level of collusion or intentional wrongdoing.

    While one school of thought says ANYTIME you get hacked it's YOUR FAULT, the justifiable response is that the attack surface is beyond the control of Joe Sysadmin, largely due to things unknown, or perhaps only known to governments, maybe developed by government, and a small-ish crew of serious hackers developing novel and elaborate exploits. Then there are things like Management orders to allow outside access.

    I'd like to see the numbers related to insiders acting intentionally with mal intent, against company policy. I suspect those numbers are vanishingly small.

    Probably the largest insider group is planned and intentional data access and data sales by company management.

    --
    No, you are mistaken. I've always had this sig.