People power: Turn staff into your greatest security defence
Security statistics are real and scary, but educating your staff can make all the difference
This past week I found myself drinking beer around a swimming pool in Monte Carlo while talking about Mr Robot with a Johnny Depp lookalike - such is the life of an IT security journalist.
It's not quite as glamorous as the location suggests, of course, as I was there to attend the Fortinet 361 security forum, rather than try to break the bank at the casino or race around the Circuit de Monaco.
Johnny was actually Guillaume Lovet, senior manager of threat research at Fortinet (one of the global big three names in enterprise network security) and Mr Robot is a TV series about a security researcher turned hacker that has just finished in the US.
In contrast, Guillaume was once a hacker (doing penetration testing) and is now a security researcher. As someone who took a similar unconventional route into my current profession, it is perhaps unsurprising we found ourselves agreeing on many things when it comes to cybercrime: everyone is a target, the only effective defence is a layered one, and good governance, rather than law, is imperative if the fight is ever to be won.
While some of the 361 forum output was a little too product and marketing driven for me, a number of interesting things fell out of the event, and none more so than a single slide during a presentation entitled 'The FortiGuard Minute'.
Threat research and response group FortiGuard is, for me, the beating heart of Fortinet, where threat intelligence moves out of the lab and into the enterprise. This is the stuff that turns me on, and sadly that includes statistical information. That PowerPoint slide contained FortiGuard's attack data gathered within a single minute sometime in the second quarter of 2015.
In that 60 seconds, 21,000 spam emails were intercepted and 390,000 network intrusion attempts were prevented. Alongside these, nearly half a million (460,000) malware programs were neutralised and 50,000 botnet Command and Control attempts (used in DDoS attacks) stopped. Ramp things up to a weekly view and you see some 8,000 hours of global threat research undertaken, leading to some 1.8 million new or updated AV definitions.
So what?' you may ask, but here's the thing, though: security intelligence (and that is what all these statistics boil down to) is integral to securing your network and, ultimately, your data. While media friendly soundbite stats won't stop the bad guys, the intelligence behind those stats certainly helps in putting together the processes, policies and tools that will.
Where stats do come into play is when we start talking about education and awareness. These topics came up a lot at Fortinet 361, most often just after a PowerPoint slide with the words 'Social Engineering' written upon it. That's hardly surprising given that people remain the weakest link in your organisation and usually represent the easiest route to unauthorised entry into your network.
But people are also your biggest strength, and people power can thwart most common exploits if they become aware of these threats through the right education and training.
The key to that awareness is the intelligence used within your training programmes, which has to be both properly evaluated and actionable. This is where statistics such as these are worth their weight in Monte Carlo casino gold to help understand these threats.
Gemalto's Breach Level Index
So I guess you'll be wanting some more stats then? Good, because as I was flying back from the Cte d'Azur, Gemalto was publishing the latest edition of the Breach Level Index, which covers the first six months of 2015. I used to edit the in-house magazine for Gemalto, the world's largest manufacturer of SIM cards and, like Fortinet, something of a digital security Goliath, and am only too aware of the importance of rock-solid research that comes out of the company.
It came as no surprise, therefore, to find myself both nodding sagely and sobbing into my lukewarm coffee as I flicked through the figures at 20,000 feet. Gemalto's numbers revealed 246 million records compromised across 888 data breaches, which is both good and bad news.
The bad being that breaches were up by 10 per cent on the first half of last year, but tempered by the good news that the number of compromised records was down by 41 per cent on the same period.
Don't get too comfortable in these statistics though, they don't necessarily mean that mega breaches are a thing of the past (the BLI report for the last six months of the year will most likely reflect that) and this can be seen in the Anthem Insurance attack which represented 32 per cent of the total data loss by exposing 78 million records in just one attack, or the OPM attack which exposed a further 50 million.
Although I wouldn't normally put too much emphasis on attack size (how big is far less important in the security scheme of things than simply 'how' after all) it's interesting to note that the top 10 breaches accounted for more than 80 per cent of all compromised records across the six-month period.
Where size does matter is for the bad guys, as Jason Hart, VP and CTO for data protection at Gemalto, confirms when he says "what we're continuing to see is a large ROI for hackers with sophisticated attacks that expose massive amounts data records".
Those bad guys aren't who you might think they are, either. According to Gemalto, 41 per cent of all the compromised records were exposed by just two per cent, by attacker type, of the breaches.
So what was behind that crazily successful hit rate statistic? State-sponsored attacks. This is worrying, and caution must be exercised before jumping to conclusions as accurate attribution in state-sponsored attacks is notoriously difficult.
Gemalto pointed out none of the top 10 breaches from the first half of 2014 were state-sponsored at all. How apt that I started off all James Bond in Monaco, and finish the same way back at Leeds Bradford Airport.