Author: Matt LaWell / Source: Industry Week
The second edition of The Tech Column kicks off this morning with a little more coverage of the 10th annual Verizon Data Breach Investigations Report. The DBIR is one of our favorite reads every year, and this year was no different: when it was released Thursday morning, it included a little more coverage focused on manufacturing in particular than in previous years. We talked with Marc Spitler, one of the report’s co-authors, about how cybersecurity might affect manufacturers and what is still to come in 2017.
IndustryWeek: This report seemed to include more focused coverage and analysis than previous reports, and there were a handful of facts that jumped out from that coverage. One was that manufacturing had more incidents categorized as “Everything Else” than any other industry. There was some explanation that those incidents just couldn’t be classified, that more information was needed. Should this be any cause for concern for manufacturing?
Marc Spitler: No, it’s nothing as exciting as that. (Laughs) Typically, what it is is that we’re just not getting the level of detail from certain sources. Say a database was hacked, or there was a phishing attack, but the level of detail received isn’t up to the level that allows us to put it into another category. A lot of the “Everything Else” incidents, we knew what happened, we knew the story, but it just didn’t fit into any of these other buckets and we hadn’t seen quite enough of it yet for it to get its own pattern. … We have enough of those little data points where those can go into the corpus, but we don’t know the motivation. Was it part of a cyber-espionage campaign? Was it more opportunistic in nature? We don’t know enough about the payload of the malware received for us to classify it further, and that’s really what those are falling into. It’s not an indictment on the industry itself.
IW: With that in mind, the nine categories you do use are pretty well defined. Is there a possibility next year there are more categories, and some industries are maybe classified a little differently?
MS: We would certainly like to see some other categories or patterns develop as a result of the disruption of the nine we see. Right now, though, we haven’t seen a drastic enough switch in tactics for another one to be created. We certainly are seeing evolution in the patterns. … We’re still seeing a lot of similarities in the way adversaries are going after industries from a remote-attack standpoint — we’re still seeing phishing, getting that malware on there, moving around with credentials.
Most mature companies have done a good job of really limiting what they have open to the Internet. So you can look for remote access ports, you can look for things you might have had success with 15 years ago, but we’ve tightened it down pretty well. One thing everybody has is a web presence, so that will be targeted because it’s available. Phishing is still really used a lot, because it’s a way for outsiders to have some level of interaction with somebody on the end of the user device on the internal network. It’s not surprising to us that we see emails and web drive-bys as the No. 1 and No. 2 vectors of malware. That’s where things might change based on industry and data type and the threat actors involved. With manufacturing, we’ve found it’s affected primarily by cyber-espionage, and there will be more sophisticated threat actors, potential state affiliation, looking for a particular type of data.
IW: Do you see manufacturing as maybe a little more susceptible in the quarters and years to come, just because there are so many more connected devices on the factory floor and so many more potential points of entry?
MS: We’ll have to see how it plays out. Certainly if the attack surface changes for manufacturers and there are more things to attack, we may see a more opportunistic style of attack. Different sectors and different industries are based on the people that contribute data to us, which is why the public sector has always had a lot of incidents, and we have a disclaimer saying, “We don’t think it’s any worse than anybody else, we just get a lot of data that’s going to make those numbers increase.” In manufacturing, there is a lot of care and a lot of focus on state-affiliated actors, and we’re looking at those kinds of breaches. Manufacturers might not have the reporting requirements around some of those other data types, like employee information or PII, so I’m always hesitant to say any industry is any better or worse than another.
IW: According to the report, 62% of breaches featured hacking, and 81% of those hacking-related breaches leveraged either stolen or weak passwords. How is this still a thing in 2017?
MS: As far as the weak passwords, those are predominantly small and medium businesses, and a lot of those came in the point-of-sale intrusion section, which is what we have seen historically. The stolen…