I was reading through a number of security breach reports and came across some puzzling statistics that maybe someone can help explain. Some are more serious than others, but any explanation could give some insights that could prove useful.
Here are some statistics from the Mandiant/FireEye threat report for 2015 (M-Trends 2015: A View From the Front Lines).
Puzzle #1: Why are most phishing emails sent on Saturdays?
Although the report states that 72% of phishing emails were sent on weekdays, there is no explanation as to why Saturday is the most popular day to send such emails. Any ideas? There is also no explanation as to why Monday is the least popular day, even less popular than Sunday. I know that holidays are often targeted for some attacks because the attackers think that fewer security personnel are around to disrupt their plans. Could this be the thought behind sending phishing emails on Saturdays? I considered the idea that a difference in time zones could explain this. If it’s Saturday morning in China, for example (not that China would ever participate in such exploits), it would still be Friday evening in the US. But why not send emails on Monday so that employees would have them waiting for them when they arrived for the new work week? Is it better to have such emails arrive while the employees are already at work? Are employees, for some reason, more likely to open them then? The report claims that most phishing emails are security-related, often attempts to impersonate someone from the security department or the security software vendor. Shouldn’t these be the easiest for the security team to filter out? This seems to indicate some kind of BYOD or MDM problem. Otherwise, I have no real answers.
Puzzle #2: Why do breaches remain hidden for so long?
The average time before a breach is discovered is 205 days or almost 7 months. The longest a breach went undiscovered is 2,982 days. That’s about 8 years, folks. You would tend to think this would just be a case of bad security or, in the extreme example, no security at all. And it gets worse. Factor in that 69% of breaches were discovered by an external entity, not the company itself, so either attackers are getting better at hiding their malware or security isn’t doing its job. Maybe it’s a little of both. It could also be that companies are having more problems managing endpoints; a case of too much data and not enough time or staff to analyze it. In any event, you have to figure that after 200 days the attacker must have gotten what he or she came for. Any other answers for Puzzle #2?
Keeping in mind the foregoing information, here are some puzzling statistics from Threat Track Security.
Puzzle #3: 81% of security professionals say they would personally guarantee their customers’ data will be safe in 2015. Where does all this optimism come from?
Really? Somehow the word ‘denial’ comes to mind here. Optimism is good in certain situations, but shouldn’t security professionals be a bit less complacent? Lest you think this is a product of the survey, other surveys have found much the same thing: unbridled optimism (see the Ponemon study below). The odd thing is that these same security professionals expect more attacks in 2015. The same report states that “68% of respondents said their companies are more likely to be targeted by cyber-attackers in 2015”. This blind optimism extends into other areas as well. Many IT professionals bemoan the problems BYOD (Bring Your Own Device) policies are giving them, yet, according to the report, they “downplayed mobile threats, with only 22% citing them as a top concern.” The puzzle: what’s behind all this optimism?
Puzzle #4: Healthcare suffers more breaches than any other sector but is least likely to enforce security policies. Why?
According to a Healthcare News survey, “nearly 44 percent of respondents admitted that within their company or organization, security and compliance policies are at most only moderately enforced. More than three-quarters of respondents said they believe employees at least occasionally violate their company’s compliance and security policies, and more than one in five said those who do so are aware of what they are doing, but violate it anyway to simply get their job done.” Such a lax attitude appears not to have escaped the notice of attackers. Another survey reported that “emails from a healthcare company are 4x more likely to be fraudulent”. Could it be that cyber criminals have accessed numerous healthcare databases and used that information to target individuals? Why would you suspect an email from your own healthcare provider, especially if it had the proper logos and so on? But this would not be possible without bad security practices in the first place. It looks like people implicitly trust healthcare organizations when the opposite should be true.
The following statistics are taken from a Ponemon study.
Puzzle #5: How can you explain the gap that exists between IT professionals and their network users?
78% of IT professionals claim that negligent employees, who do not follow security policies, are their greatest risk. In fact, 50% of security professionals believe they cannot control the behavior of negligent employees at all. There seems to be an ‘us’ against ‘them’ mentality operating here, whether it is based on fact or not. One of the main bones of contention between the two camps seems to lie in the use of the cloud. Security professionals see it as a risky area, with 73% agreeing that the cloud constitutes the highest security risk. Nonetheless, user demand for cloud access is strong: 71% of the professionals believe cloud usage will increase this year. The problem can, in the most basic terms, be stated as ‘we’ll do what we want to do, you worry about the security.’ You would think that something would be done to bridge this gap, like having employees pass a training program before allowing them onto the network. However, on average, only 11% of security budgets are used on employee education. There is some sense that IT professionals have given up trying to control employee behavior. Instead of trying to prevent attacks, 95% have opted to employ a ‘detect and respond’ strategy. The following tables from the report sum up the foregoing points.
There do exist security architectures that allow users on a BYOD network to do whatever they want without affecting sensitive corporate data*; however, corporations seem to be overlooking them while choosing more outdated security setups. These older architectures force IT departments to control certain user behaviors in order for them to succeed. Unfortunately, in the process, these controls alienate the users, thus, widening the gap between the two sides. The cloud just seems to be one place where these differences between the two sides flare up the most.
Yes, there are many confusing results when one looks at security statistics, but I felt that any light that could be shed on these particular puzzles could give us a perspective on other dilemmas as well.
*One example of such an architecture is InZero Systems’ use of hardware separation to effectively split any BYOD device into two distinct devices, each with its own operating system. This prevents a network from being compromised by negligent employee behavior while giving the employee the freedom to use their devices in any way they want.