Security Central: Yesterday’s Mistakes Meet Tomorrow’s Threats – April 29, 2016
The VAR Guy runs down some of the top security stories for the week ending April 29.
Verizon's anticipated ninth-annual Data Breach Investigations Report (DBIR) finally arrived this week. While the publication has given us some groundbreaking insight in the past, this year's edition has some thinking, "This looks familiar." Many year-over-year statistics do seem comparable, although that in itself is really important. In fact, the report's findings give us an important (and unsettling) takeaway: human error continues to plague data security.
After comprehensive analysis of more than 100,000 incidents and 2,260 system breaches across 82 countries, this year's DBIR identified "miscellaneous errors" as the leading cause of data breaches. Specifically, phishing and single-factor authentication remain the most common methods by which cybercriminals access organizations. The report found that:
- Nearly a third of phishing messages were opened (a worrying 23 percent increase from 2014).
- 12 percent of victims went on to open the phishing attachment or link (which is nearly identical to 2014 findings).
- 26 percent of errors involved sending sensitive information to the wrong person.
Evidently, social engineering continues to be a troublesome phenomenon for IT security. That being said, we know all too well that not every security issue can be blamed on human error.
Just this week, security and networking solutions provider Blue Coat Systems identified the first Android ransomware that installs without any user interaction. Dogspectus, unlike usual mobile ransomware tools, takes advantage of several Android vulnerabilities to install the malware onto victims' phones or tablets – without them even knowing. The malware then locks up an infected device and demands the user pay a ransom (two $100 Apple iTunes gift cards) to unlock it. (Note: Blue Coat's advisory encourages users to frequently back up their data, as a factory reset and restore can sidestep the ransom and prevent data loss.)
The Dogspectus ransomware is the latest of the mobile malware discoveries, and it contributes to the growing concern around security risks associated with the Internet of Things (IoT). IoT security products are gaining more consideration as businesses and consumers continue to adopt connected devices. It should be noted that the DBIR itself has not yet found a significant volume of IoT device incidents, although the report cautions that it's "just a matter of time before we see a large-scale breach" involving these new technologies.
Gartner's newest IoT security forecast report supports this prediction.
According to Gartner, worldwide spending on Internet of Things (IoT) security is expected to reach $348 million this year – a 24 percent increase from 2015. By 2020, more than 25 percent of identified attacks in enterprises will involve IoT. However, this segment is expected to represent less than 10 percent of IT security budgets. Given these budget constraints, security vendors will likely focus most on identifying vulnerabilities and exploits instead of long-term means for IoT protection.
Whether or not the IoT security apocalypse is as imminent a threat as some experts think, no one can argue that IoT is opening up new avenues for cyber crime. Security risks are evolving on what seems like a daily basis. Unfortunately, given the DBIR's indication that we're repeating the same mistakes over and over, we may need to become more proactive if we're going to keep pace with the growing threat landscape.