VERIS Assets


Analyzing the VERIS Assets helps us understand where all those attacks we keep harping on are focused, and everyone sure needs help prioritizing how to defend those assets. Even though the results might not be surprising, as they correlate well with the VERIS Actions we just discussed, it is worthwhile to understand the year-to-year trends in the threat landscape.

Our asset power ranking42 has not changed much from last year, but a handful of changes in Figure 21 are worth pointing out. Even though the order is the same as in the 2023 DBIR and the prevalence of Server assets is roughly the same as well, we find substantial growth in both Person43 and Media assets.

Figure 21 (DBIR figure; image not included in this text)

Person as an asset has become more involved this year because of the growth of pure Extortion action-based breaches in our dataset. As a social action, Extortion demands a Person as the direct victim, and the dataset gnomes44 are happy to oblige. What is interesting here is that the Ransomware action, from which pure Extortion was spun off, implied an extortion phase in which the money was requested without being connected to a Person asset.45

Thus, the growth in Person also makes sense as a more faithful representation of how such breaches actually play out. Your employees need to know how to handle a ransom or extortion demand and follow whatever procedures your organization has established for it. By the way, make sure those procedures are documented,46 just in case.

The Media growth is intrinsically tied to the progression of the Miscellaneous Errors pattern discussed previously. Some of those Misdelivery errors happen via physical documents and fax machines,47 which might limit their scope but does not make them any less breachworthy in the eyes of regulators.

Digging deeper into Figure 22, we get a better sense of the Server asset breakdown. While Web application and Mail servers are mostly involved in credential-theft breaches, the File server variety has been almost entirely dominated by the MOVEit breaches, which explains why more than 95% of breached assets are servers.

All in all, a pretty standard year in the VERIS Assets world. We will be discussing more on how to help keep these assets safe in the “System Intrusion,” “Social Engineering” and “Basic Web Application Attacks” pattern sections.

Asset categories48

Server (srv): a device that performs functions of some sort supporting the organization, commonly without end-user interaction. This is where all the web applications, mail services, file servers and all that magical layer of information are generated. If someone has ever told you “the system is down,” rest assured that some Servers had their Availability impacted. Servers are common targets in almost all of the attack patterns, but especially in our System Intrusion, Basic Web Application Attacks, Miscellaneous Errors and Denial of Service patterns.

Person (per): the folks (hopefully) doing the work at the organization. No AI chat allowed. Different types of Persons will be members of different departments and will have associated permissions and access in the organization stemming from this role. At the very least, they will have access to their very own User device and their own hopes and dreams for the future. Person is a common target in the Social Engineering pattern.

User device (usr): the devices used by Persons to perform their work duties in the organization. Usually manifested in the form of laptops, desktops, mobile phones and tablets. A common target in the System Intrusion pattern but also in the Lost and Stolen Assets pattern. People do like to take their little computers everywhere.

Network (net): not the concept but the actual network computing devices that make the bits go around the world, such as routers, telephone and broadband equipment, and some of the traditional in-line network security devices, such as firewalls and intrusion detection systems. Hey, Verizon is also a telecommunications company, OK?

Media (med): precious distilled data in its most pure and crystalline form. Just kidding, mostly thumb drives and actual printed documents. You will see the odd full disk drive and actual physical payment cards from time to time, but those are rare.
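To put the categories above to work, here is an added example (not DBIR or VERIS project code) that tallies VERIS-style incident records the way Figures 21 and 22 do, and flags the coding gap noted under Person: a social Extortion action recorded without any Person asset. The records are constructed for illustration, not real DBIR data. Field names (asset.assets[].variety, action.social.variety) and the “S - ”, “P - ”, “U - ”, “N - ”, “M - ” variety prefixes follow the VERIS JSON schema as used in the 1.3.x releases; the Terminal and Embedded categories, which this page does not discuss, are deliberately left out of the prefix map.

```python
"""Tally VERIS asset categories and Server varieties from incident records,
and flag Extortion records that lack a Person asset.

Added example, not DBIR or VERIS project code. SAMPLE_INCIDENTS is
constructed, not real DBIR data. Variety strings follow the VERIS schema
convention of a category letter, " - ", then the variety name.
"""
from collections import Counter

# VERIS asset variety prefix letter -> category label.
# Assumption: only the five categories discussed on this page; "T" (Terminal)
# and "E" (Embedded) would need their own entries.
CATEGORY_BY_PREFIX = {
    "S": "Server",
    "P": "Person",
    "U": "User device",
    "N": "Network",
    "M": "Media",
}

# Constructed VERIS-style records (not real DBIR data).
SAMPLE_INCIDENTS = [
    {   # credential theft against a web application
        "incident_id": "c-001",
        "action": {"hacking": {"variety": ["Use of stolen creds"]}},
        "asset": {"assets": [{"variety": "S - Web application"}]},
    },
    {   # mass exploitation of a file transfer server
        "incident_id": "c-002",
        "action": {"hacking": {"variety": ["Exploit vuln"]}},
        "asset": {"assets": [{"variety": "S - File"}]},
    },
    {   # pure Extortion, coded with the Person who received the demand
        "incident_id": "c-003",
        "action": {"social": {"variety": ["Extortion"]}},
        "asset": {"assets": [{"variety": "P - Finance"}, {"variety": "S - File"}]},
    },
    {   # pure Extortion coded the old Ransomware way: no Person asset
        "incident_id": "c-004",
        "action": {"social": {"variety": ["Extortion"]}},
        "asset": {"assets": [{"variety": "S - Database"}]},
    },
    {   # misdelivery of printed documents
        "incident_id": "c-005",
        "action": {"error": {"variety": ["Misdelivery"]}},
        "asset": {"assets": [{"variety": "M - Documents"}]},
    },
    {   # credential theft touching a mail server and a laptop
        "incident_id": "c-006",
        "action": {"hacking": {"variety": ["Use of stolen creds"]}},
        "asset": {"assets": [{"variety": "S - Mail"}, {"variety": "U - Laptop"}]},
    },
]


def asset_category(variety):
    """Map 'S - File' -> 'Server'; anything without a known prefix -> 'Other'."""
    prefix, sep, _name = variety.partition(" - ")
    if sep and prefix in CATEGORY_BY_PREFIX:
        return CATEGORY_BY_PREFIX[prefix]
    return "Other"


def category_prevalence(incidents):
    """Share of incidents involving each asset category (Figure 21 style).

    An incident counts at most once per category, so two Server assets in
    one record do not inflate the Server share.
    """
    counts = Counter()
    for inc in incidents:
        counts.update({asset_category(a["variety"]) for a in inc["asset"]["assets"]})
    total = len(incidents)
    return {cat: round(n / total, 3) for cat, n in counts.items()}


def server_variety_breakdown(incidents):
    """Count Server assets by variety name (Figure 22 style), e.g. 'File'."""
    counts = Counter()
    for inc in incidents:
        for a in inc["asset"]["assets"]:
            prefix, sep, name = a["variety"].partition(" - ")
            if sep and prefix == "S":
                counts[name] += 1
    return dict(counts)


def extortion_without_person(incidents):
    """IDs of incidents with a social Extortion action but no Person asset.

    Extortion is a social action, and a social action needs a human target,
    so a Person asset should be present; records without one were coded the
    way a Ransomware-only incident used to be.
    """
    flagged = []
    for inc in incidents:
        social = inc.get("action", {}).get("social", {}).get("variety", [])
        if "Extortion" not in social:
            continue
        cats = {asset_category(a["variety"]) for a in inc["asset"]["assets"]}
        if "Person" not in cats:
            flagged.append(inc["incident_id"])
    return flagged


if __name__ == "__main__":
    for cat, share in sorted(category_prevalence(SAMPLE_INCIDENTS).items()):
        print(f"{cat:12s} {share:.1%} of incidents")
    print("Server varieties:", server_variety_breakdown(SAMPLE_INCIDENTS))
    print("Extortion without a Person asset:", extortion_without_person(SAMPLE_INCIDENTS))
```

Run against the public VERIS Community Database export instead of the constructed records, the same three functions reproduce the category ranking and Server breakdown for any year, and the last one is a cheap consistency check to run before trusting a Person asset trend.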

Figure 22 (DBIR figure; image not included in this text)

42 Who would win in a fight—an email server or a file server with prep time?

43 Perhaps not in maturity, as some people assets will have their security attributes compromised to avoid going to therapy.

44 The DBIR authors’ pickleball team name.

45 This is likely too much VERIS Standard inside baseball for the average reader, but we are amused very easily by things like this.

46 Just keep it on your file server. It should be fine, right? (Not really)

47 Believe it or not, this is not the 1994 Data Breach Investigations Report.

48 https://verisframework.org/assets.html
