Last year, when Verizon issued its 2023 Data Breach Investigations Report, we observed that "Connected Devices [Were] Conspicuously Absent" and wondered why they went unmentioned despite their critical role in shaping an organization's risk profile and its approach to cyber asset attack surface management (CAASM). Vulnerabilities in cyber assets can give threat actors a means of entry into a network, and unprotected or unsegmented assets make it easier for them to move laterally across that network to reach their target.

“Even if IoT, IoMT, and OT are not the initial vector of attack, such systems may be the target of an attack, or used as a path of attack as threat actors, once inside a network, move laterally to their intended destination,” we wrote at the time.

We Wondered Where They Were

We also wondered if identifying connected assets by increasingly granular categories was simply too much for the report, which has tended to keep the focus at a higher level. Understandable, if so. But given the increasing scrutiny given to cyber assets by technology analyst groups like Gartner and Forrester, regulatory attention by the FDA and other agencies, and threat reports from CISA, NIST and independent threat laboratories, it was worth asking the question and, hopefully, starting that conversation.

When the 2024 Verizon DBIR came out recently, my first thought was, “It’s good to know that people pay attention when you take the time to express an opinion.”

There They Are!

Whereas assets and connected devices were absent in 2023, they feature fairly prominently in the 2024 report, which includes a list of asset categories with definitions (lightly edited by me):

  • Server: a device that performs functions of some sort supporting the organization, commonly without end-user interaction. Servers are common targets in almost all attack patterns.
  • User Device: devices used by Persons to perform their work; usually laptops, desktops, mobile phones, and tablets. Common target in the System Intrusion attack pattern.
  • Person: people in the organization. Different types of Persons will be members of different departments and will have associated permissions and access in the organization stemming from this role. Person is a common target in the Social Engineering attack pattern.
  • Network: actual network computing devices such as routers, telephone and broadband equipment, and some of the traditional in-line network security devices, such as firewalls and intrusion detection systems.
  • Media: mostly portable storage media like thumb drives, but including things like disk drives (and non-connected physical media like printed documents).

Ordr would add things like applications, business services, cloud services and workloads, and just about anything that connects to, communicates over, and shares/collects data from the network.

But… Incomplete Context

While the 2024 DBIR does give attention to connected assets and devices, the report’s emphasis seems to be on physical security and preventing certain assets (like smartphones, tablets, and laptops) from being lost or stolen. In the industry-by-industry breakdowns, we note that assets are called out for their role in phishing attacks and credential/privilege misuse. But even here, the report appears to be more concerned with the security of data contained on the various asset types, and not the role connected assets play in expanding the attack surface, introducing vulnerabilities, and affording threat actors a way of accessing and traversing the network itself.

In our view, that undervalues the role connected assets play in keeping networks and data safe. And it doesn't accurately portray the importance of a Zero Trust posture, which requires complete asset visibility; real-time asset status and rich context to support accurate risk assessment and sound decision-making; and the ability to segment assets to protect high-risk systems, ensure operational resilience, and minimize an attack's "blast radius."

Ordr Can Fill in the Gaps

Closing those gaps requires the ability to See, Know, and Secure every asset on the network in real time; to update risk assessments and the associated security policies dynamically; to enforce segmentation and microsegmentation policies; and to respond quickly when anomalous activity or conditions that amount to indicators of compromise are reported. That is what the OrdrAI and Ordr CAASM+ platforms enable. If you want to learn how Ordr can help your organization reduce its cyber risk and better manage its attack surface, schedule a personalized demo today.
