
The 2023 Verizon Data Breach Investigations Report is out. Like most folks in the cybersecurity industry, we downloaded it and pored over the contents to see what was new, relevant, and surprising. As always, there is a lot of data quantifying the issues we see every day: ransomware attacks, social engineering, underlying factors, threat types, and so on. For example, the summary of findings identified external actors as the top threat, involved in 83% of breaches; reported that the human element (error, privilege misuse, stolen credentials, or social engineering) plays a role in 74% of all breaches; found that 24% of breaches involve ransomware; and named stolen credentials, phishing, and exploitation of vulnerabilities as the three primary ways attackers get in.

Digging Deeper

Then we gravitated toward findings specific to the industries that Ordr is focused on and that have embraced our technology as a part of their cybersecurity strategies.

  • In financial services and insurance, we learned that “basic web application attacks, miscellaneous errors, and system intrusion represent 77% of breaches,” and that financial gain was the motive in 97% of attacks on the industry.
  • In healthcare we learned that “system intrusion, basic web application attacks, and miscellaneous errors represent 68% of breaches,” and that financial gain was the motive in 98% of attacks on the industry.
  • In manufacturing we learned that “system intrusion, social engineering, [and] basic web application attacks represent 83% of breaches,” and that financial gain was the motive in 96% of attacks on the industry.

Similar results were reported down the line in accommodation and food services, education services, government, IT and so on. Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help. Each data point illuminates and confirms issues we all intuitively recognize as true.


Then we started looking deeper. Our focus at Ordr is on protecting enterprises by securing the growing number of connected devices at work in enterprises across the globe, in every industry. These include categories like the Internet of Things (IoT), Internet of Medical Things (IoMT), Industrial Internet of Things (IIoT), Operational Technology (OT), and the many devices connecting to networks to perform new and exciting tasks in a variety of niche roles (XIoT).

A Threat to Health and Safety

The risks that unsecured devices present to the organizations that own them are well known, and the implications of attacks affecting them are troubling. In healthcare, for example, attacks may have financial motives, as the VDBIR says. But recent research by the Ponemon Institute found that cyberattacks on hospitals correlated with an increase in negative patient outcomes at 57% of the hospitals affected, because of delays in performing needed tests and procedures. The problem is so severe that hospitals with no means of protecting the medical devices integral to patient care are training staff in “code dark” response: physically unplugging and disconnecting at-risk systems.


The dangers associated with vulnerable IoT, IoMT, and OT devices, and the risks they pose not only to critical infrastructure but to financial services, manufacturing, and smart cities, are so concerning to our economic and physical security that connected devices are part of the White House’s National Cybersecurity Strategy, called out in “Strategic Objective 3.2: Drive the Development of Secure IoT Devices.” The FDA has also issued a mandate to ensure new devices entering the market are built to be secure. And in the UK, connected device security is called out as part of that country’s new National Health Service cybersecurity strategy.

Despite the real and troubling issues associated with IoT security, there is no mention of them in the 2023 VDBIR. And OT security is dismissed with the explanation that “we continue to see very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure,” in contrast to the volume of attacks on traditional IT systems.

Vector, Path, or Target

It is worth pointing out that even if IoT, IoMT, and OT are not the initial vector of attack, such systems may be the target of an attack, or used as a path of attack as threat actors, once inside a network, move laterally to their intended destination. It could also be that, because the VDBIR takes a broad and high-level view of the data they collect, the presence of IoT in the report is simply buried in the data. Or maybe it is not known that connected devices are involved. Our analysis following the discovery of devices connected and operating on customer networks shows that as many as 15% of those devices were unknown to IT security and management prior to deployment of Ordr. You can’t secure what you can’t see, and so an attack in which an unknown, vulnerable, and unsecured connected device was the primary vector would also be invisible to security analysts.

More likely, attacks involving IoT, IoMT, or OT devices are simply too granular a detail to be called out specifically in a report based on broad security analysis. But that doesn’t mean the risk isn’t real, or that the potential effects of an attack involving connected devices are not dire. They are, and that is why we built the Ordr platform to see, know, and secure every device on any network.


Before medical device manufacturers are able to release a product to market, they are subject to Food and Drug Administration (FDA) reviews to evaluate the safety and effectiveness of these devices. Since 2014, those evaluations have included medical device security guidance, with a subsequent update in 2018. Now, with the explosive growth of connected devices used by hospitals and healthcare providers and a growing number of cyberattacks that have crippled healthcare services, the FDA recently released draft guidelines requiring that devices comprising the Internet of Medical Things (IoMT) meet more stringent cybersecurity standards.  

“Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” is a 45-page document that deals with security design, vulnerability disclosures, Software Bills of Materials (SBOMs), and other documentation requirements that medical device manufacturers will have to address before their new devices can gain FDA premarket approval.

In general, this is a step in the right direction for the FDA. Security needs to be built into the design of medical devices. At the same time, because medical devices have longer lifecycles than typical IT devices, it may be years before new devices falling under this guidance are widely deployed. Because of the risks inherent in existing medical devices, healthcare organizations need to take action to secure legacy devices now.

What Is Included in the FDA Guidance for Medical Devices? 

New medical device applicants are advised to submit “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits.” 

 They are also asked to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure.” This includes making patches available “on a reasonably justified regular cycle,” and for newfound critical vulnerabilities, “as soon as possible out of cycle.” 

Finally, manufacturers must provide the FDA with “a Software Bill of Materials,” including any open-source or other software their devices use. This is one of the new changes in the FDA guidance: a complete SBOM requirement instead of the Cybersecurity Bill of Materials (CBOM) outlined in the 2018 guidance.

Note that even with a manufacturer-provided SBOM, when a zero-day vulnerability like Log4j or OpenSSL is discovered, it is often nearly impossible to find out the real composition of the packages and the dependent libraries that were pulled into each package when the software was built and shipped. Sometimes the manufacturer has customized and configured functionality, and those additional details aren’t released.

Therefore, as the FDA determines the format for manufacturer SBOMs, it is important to ensure that SBOM declarations are detailed enough to include every library in the build, including transitive and bundled dependencies. With this FDA mandate, if manufacturers release an SBOM that is accurate and complete, along with configuration settings, Ordr (and our vulnerability matching engine) can immediately assess the risk of newly disclosed vulnerabilities and understand the exposure and exploitability.
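As an added illustration (this is not Ordr’s vulnerability matching engine, nor any manufacturer’s real SBOM), the Python below parses a constructed CycloneDX-style SBOM, walks nested components so bundled libraries are not missed, and matches each library against a constructed advisory list with inclusive version ranges. It also compares the SBOM against a constructed on-device software inventory to surface libraries that shipped but were never declared, which is exactly the gap described above. The advisory IDs, the device application name, the inventory, and the version ranges are assumptions for the example.

```python
"""Match a CycloneDX-style SBOM against an advisory feed (illustrative example).

Everything here is constructed for the example: the SBOM, the advisory IDs and
version ranges, and the on-device inventory. It is not Ordr's engine.
"""
import json

# Constructed SBOM for a hypothetical device application that bundles
# log4j-core as a nested component; openssl is declared at the top level.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.6",
     "purl": "pkg:generic/openssl@3.0.6"},
    {"type": "application", "name": "infusion-controller", "version": "4.2.0",
     "purl": "pkg:generic/infusion-controller@4.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j",
        "name": "log4j-core", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]}
  ]
}
"""

# Constructed advisory feed. Each range is inclusive: (first_affected, last_affected).
# IDs and ranges are assumptions for the example, not real advisories.
ADVISORIES = [
    {"id": "ADV-LOG4J-EXAMPLE", "name": "log4j-core", "ranges": [("2.0.0", "2.14.1")]},
    {"id": "ADV-OPENSSL-EXAMPLE", "name": "openssl", "ranges": [("3.0.0", "3.0.6")]},
    {"id": "ADV-ZLIB-EXAMPLE", "name": "zlib", "ranges": [("1.2.0", "1.2.11")]},
]

# Constructed output of a hypothetical on-device software collector.
OBSERVED_ON_DEVICE = ["openssl", "log4j-core", "zlib"]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1). Non-numeric fragments count as 0 so every
    version is comparable; real matchers should use ecosystem-specific rules."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, ranges):
    """True when version falls inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def walk_components(components, depth=0, parent=None):
    """Yield (component, depth, parent_name) for every component, recursing into
    nested 'components' so bundled libraries are not missed."""
    for comp in components:
        yield comp, depth, parent
        yield from walk_components(comp.get("components", []), depth + 1, comp["name"])


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair where the declared
    version is inside the advisory's affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp, depth, parent in walk_components(sbom.get("components", [])):
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv["ranges"]):
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "version": comp["version"], "depth": depth,
                                 "bundled_in": parent})
    return findings


def sbom_gaps(sbom_json, observed_names):
    """Library names seen on the device but never declared in the SBOM: these are
    the blind spots an SBOM alone cannot cover."""
    declared = {c["name"] for c, _, _ in walk_components(json.loads(sbom_json)["components"])}
    return sorted(set(observed_names) - declared)


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        where = f"bundled in {f['bundled_in']}" if f["bundled_in"] else "top-level"
        print(f"{f['advisory']}: {f['component']} {f['version']} ({where})")
    print("undeclared on device:", sbom_gaps(SBOM_JSON, OBSERVED_ON_DEVICE))
```

Two things are worth noticing when this runs: the nested log4j-core is only matched because the manufacturer declared it as a bundled component, and zlib shows up as a gap only because an independent on-device inventory saw it. A production matcher should key on purl or CPE rather than bare names and use each ecosystem’s version semantics rather than the dotted-integer comparison used here.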

When Does This Mandate Take Effect?  

The new security requirements came into effect when the $1.7 trillion federal omnibus spending bill (the 2023 Consolidated Appropriations Act) was signed by President Joe Biden on December 29, 2022.  

Section 3305 of the spending bill — “Ensuring cybersecurity of medical devices”— is an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect 90 days after the Act became law, and with its new authority, the FDA has given manufacturers six months — until Oct. 1, 2023 — to comply with the new regulations. The new law also requires the FDA to update its medical device cybersecurity guidance at least every two years. 

How Can Ordr Help with This Mandate? What About Existing Medical Devices?  

Security of medical devices is a shared responsibility. While the FDA mandate can ensure a device is secure before it is released to market, the day-to-day management and security of devices after FDA approval is the responsibility of healthcare providers and requires a solution like Ordr. Ordr not only maintains an accurate device inventory and monitors devices for vulnerabilities and threats, but also delivers device utilization details to optimize operations.

In addition, medical devices are expensive, and a complete upgrade to new devices that adhere to the new guidelines is neither operationally feasible nor cost effective. Ordr can ensure that existing (pre-2022) devices, or devices running outdated operating systems, are secured via Zero Trust segmentation policies that restrict access and communications to only what each device’s role requires.

 We recommend the following approach to secure every connected device. Download our Maturity Guide for connected device security for more details:   

  • See every device: You can’t protect what you don’t know about. Security starts with real-time, granular visibility of every device connected to your network and how those devices communicate within your environment and externally to the Internet. Every connected device in the hospital including IoMT, IoT, and operational technology (OT), plays a role in either patient care or hospital operations. Ultimately, the security of every device in the hospital can impact hospital services and patient safety, therefore real-time visibility into every device is essential.  

With regard to the new 2022 FDA mandate, Ordr can ingest SBOMs as manufacturers make them available, to enable easy visibility across the entire organization. Ordr Software Inventory Collector can complement manufacturer SBOMs by identifying applications for devices running Windows, iOS, and Linux operating systems.  

  • Know your attack surface: The attack surface for healthcare organizations can range widely. Organizations need to be able to identify the following risks within their connected devices:
    • Vulnerabilities – CVEs need to be prioritized and patched. Ordr offers full lifecycle vulnerability management capabilities to identify these vulnerabilities, prioritize them based on impact to the hospital (i.e., clinical risk), track and tag them for the appropriate remediation workflows, and generate reports on them. Ordr also integrates with CMMS and CMDB tools to enrich their view of vulnerabilities, and with ITSM systems to create tickets and manage remediation workflows.
    • FDA or manufacturing recalls – To meet compliance requirements, it is important to identify devices that have been recalled either by the FDA or manufacturers. Ordr integrates with FDA and manufacturing databases to provide insights and help hospitals identify impacted devices. 
    • Exploits and active threats – To protect healthcare organizations from active threats, Ordr offers an integrated intrusion detection system (IDS) that inspects east-west and north-south device communications. Devices affected by top security issues such as OpenSSL, Log4j, SolarWinds, and Conti are highlighted in a dedicated security category in the Ordr dashboard for easy analysis.
    • Anomalous behavior – Unlike most IT systems and software, medical devices and many IoT and OT devices have deterministic functions. Ordr uses machine learning (ML) to baseline normal behavior for every device. From that baseline, Ordr identifies deviations that can indicate attack or compromise, including zero-day activity. In addition, Ordr can dynamically create policy to help ensure a rapid response, enabling teams to contain and stop an attack.
    • Track who is using your devices – By tracking and associating devices to users, Ordr can identify compromised devices and potential account misuse. 
  • Reacting to zero-day events: By ingesting SBOMs and utilizing Ordr’s Software Inventory Collector, organizations can react more quickly to zero-day events. There is no need to wait for manufacturers to determine whether devices are running a vulnerable application. Ordr correlates all the application information from both the SBOM and the Software Inventory Collector into one searchable database.
  • Secure with automated policies:  
    • During an incident, quickly prevent lateral movement by pinpointing compromised devices and creating policies to quarantine the device, block ports or terminate sessions. 
    • Implement Zero Trust segmentation for vulnerable devices that cannot be patched: Zero Trust segmentation policies can keep these devices in operations by allowing only “normal communications” required for its function, while limiting exposure. 
    • When a new IoC (indicator of compromise) is announced, identify whether a device communicated with the malicious domain in the past 365 days.  
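To make the behavioral baselining, the retroactive IoC check, and the segmentation policy concrete, here is an added Python example (not Ordr’s implementation) that runs over constructed flow records for a few hospital devices. It learns a baseline of destination/port/protocol tuples per device from a bounded learning window, flags later flows outside that baseline, answers which devices talked to a newly published IoC domain within the past 365 days, and emits a default-deny segmentation policy containing only the learned flows. The device names, hostnames, timestamps, and the domain bad.example are all constructed.

```python
"""Behavior baseline, deviation detection, IoC lookback, and a default-deny
segmentation policy over flow records (illustrative example, not Ordr's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "timestamp device dst_host dst_port proto".
# Device names, hosts, and bad.example are invented for the example.
FLOW_LOG = """\
2022-05-01T10:00:00Z mri-02 bad.example 443 tcp
2022-07-01T10:00:00Z ct-scanner-03 bad.example 443 tcp
2023-06-01T08:00:00Z infusion-pump-17 pumpserver.hospital.local 443 tcp
2023-06-01T08:05:00Z infusion-pump-17 ntp.hospital.local 123 udp
2023-06-02T09:00:00Z ct-scanner-03 pacs.hospital.local 104 tcp
2023-06-03T09:00:00Z infusion-pump-17 pumpserver.hospital.local 443 tcp
2023-06-15T02:13:00Z infusion-pump-17 bad.example 445 tcp
2023-06-15T02:14:00Z ct-scanner-03 pacs.hospital.local 104 tcp
"""


def parse_ts(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in FLOW_LOG."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text):
    """Turn the whitespace-separated log into a list of flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, device, host, port, proto = line.split()
        flows.append({"ts": parse_ts(ts), "device": device, "host": host,
                      "port": int(port), "proto": proto})
    return flows


def build_baseline(flows, learned_from, learned_until):
    """Per device, the set of (host, port, proto) seen inside the learning window.
    The window is bounded on both ends so stale or already-malicious flows are
    not learned as 'normal'."""
    baseline = defaultdict(set)
    for f in flows:
        if learned_from <= f["ts"] < learned_until:
            baseline[f["device"]].add((f["host"], f["port"], f["proto"]))
    return baseline


def find_deviations(flows, baseline, learned_until):
    """Flows after the learning window that the device never exhibited before."""
    return [f for f in flows if f["ts"] >= learned_until
            and (f["host"], f["port"], f["proto"]) not in baseline.get(f["device"], set())]


def devices_that_contacted(flows, ioc_host, now, days=365):
    """Retroactive IoC check: which devices talked to ioc_host in the last N days."""
    cutoff = now - timedelta(days=days)
    return sorted({f["device"] for f in flows
                   if f["host"] == ioc_host and cutoff <= f["ts"] <= now})


def segmentation_policy(device, baseline):
    """Default-deny allow-list built from the learned flows only."""
    allow = [{"dst": host, "port": port, "proto": proto}
             for host, port, proto in sorted(baseline.get(device, set()))]
    return {"device": device, "default": "deny", "allow": allow}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    start, end = parse_ts("2023-06-01T00:00:00Z"), parse_ts("2023-06-10T00:00:00Z")
    baseline = build_baseline(flows, start, end)
    for f in find_deviations(flows, baseline, end):
        print(f"DEVIATION {f['ts']:%Y-%m-%d} {f['device']} -> {f['host']}:{f['port']}/{f['proto']}")
    print("talked to bad.example in last 365 days:",
          devices_that_contacted(flows, "bad.example", parse_ts("2023-06-30T00:00:00Z")))
    print(segmentation_policy("infusion-pump-17", baseline))
```

The learning window is bounded on both ends on purpose: if it includes a period when a device was already compromised, the malicious flows become part of “normal,” and the generated policy will allow them. Baseline on a window you have reason to trust, and review the allow list before enforcing it. Note also that the 365-day lookback finds the CT scanner’s 2022 contact with the IoC domain even though that flow is older than the baseline window, which is why retained flow history matters independently of the behavioral model.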

The Ordr platform is trusted by the world’s leading healthcare delivery organizations. Schedule a demo with our product experts to see how we can secure your connected devices. 

 

 


Last year, we shared a number of cybersecurity predictions, most of which either played out as described or are trending that way, with results that remain to be seen. In one instance Ordr CEO Greg Murphy predicted that, “Someone in the U.S. will die as the result of a ransomware attack, resulting in increased push for cybersecurity regulations in healthcare and increased cybersecurity budgets.” Tragically, according to a lawsuit filed in September of last year, that prediction came true.

This year, we asked a number of Ordr cybersecurity experts what they saw unfolding for the next eleven months and are sharing nine of the more interesting responses.

  1. Ransomware attacks will continue to increase (Pandian Gnanaprakasam)

The impacts of double extortion and crimeware-as-a-service will continue to plague businesses worldwide. The number of victims will triple, increasing from 20% to 50%, while the number of companies that pay a ransom to recover their data will increase from 10% to 30%.

Cybercriminals will drive these increases through more aggressive tactics, including data destruction, sensitive data leaks, DDoS campaigns, targeting and breaching high-profile organizations (including wealthy families), and disrupting business operations to force enterprises to pay. We will also see a concerning increase in the use of killware in attacks that once were used to sow only ransomware.

  2. Organizations will adopt a more holistic security strategy to address a shift from traditional endpoints as IoT, IoMT, and OT devices converge in the enterprise network. (Bryan Gillson)

Recent attacks (e.g., Colonial Pipeline) show us that we are not thinking about cyber resilience and as a result, in the case of thousands of industrial and healthcare breaches, we see loss of services (patients diverted, pipelines shut down). This happened even though the IoT/OT infrastructure was not attacked nor compromised.

This will prompt organizations to recognize that what is needed is to embrace a whole-of-enterprise approach to security that encompasses cloud-to-ground visibility, and analysis and control of all connected assets (from traditional IT to vulnerable IoT, IoMT or OT) in order to enable true cyber resilience.

  3. Third party/Supply chain attacks will continue to increase (Brad LaPorte)

2022 will be the Year of the Supply Chain Attack. Already up 430% since 2019, the growth of these types of attacks will increase exponentially and become the #1 global attack vector. As more enterprises adopt more mature cybersecurity practices, criminals will go upstream to weaker targets that can maximize their blast radius and give them an impactful one-to-many attack ratio. Historically, attacks have been spray-and-pray; now, they will become more surgical as supply chain attacks become weapons of mass disruption.

  4. Attackers will begin using AI to infect multiple organizations at a massive scale (Srinivas Loke)

It has taken a few decades, but adoption of automation solutions such as AI, ML, and DL has gone mainstream and worldwide. This is great news for cyber defenders, as Gartner finds “33% of technology providers plan to invest $1 Million or more in AI within two years.” The cybersecurity industry is leading the way on this trend, but easy access to open-source AI tools is both a blessing and curse. Cybercriminals have access to the same resources, and the resulting threat is multiplied by strong ideological and financial incentives to use them. This will accelerate the ability of threat actors to conduct targeted, automated attacks at a massive scale. The war of the machines is on the horizon.

  5. Attackers are going straight to recruiting insiders for advanced attacks (Danelle Au)

Organizations have focused (rightly so) on shoring up their identity and access management capabilities, and deploying multi-factor authentication within their networks. These solutions have made it harder for attackers to bypass defenses—and so attackers are going directly to insiders. With the promise of a cut of the haul in exchange for access, ransomware gangs are bypassing traditional methods and are instead working to recruit insiders to use their privileged access to install malware directly. The tactics being used by these attackers are similar to HUMINT espionage and recruitment programs. Unfortunately, this means that every security leader now needs to consider insider-originated malware as part of their ransomware protection strategy.

  6. Laws or sanctions won’t make a big dent in stopping ransomware and cyberattacks (Greg Murphy)

Over the last several years, the urgency in dealing with ransomware and other advanced attacks at the legislative level has grown, as illustrated with bills like Warren-Ross, a 30-country meeting led by the Biden administration to address the threat of ransomware, and efforts by the FBI to crack down on ransomware gangs. However, political and legislative efforts won’t make a difference as long as cybercrime makes sense economically, and as long as Russia has no incentive to bring threat actors to justice. One possible—though controversial—way to reduce these advanced attacks is to eliminate the anonymity associated with cryptocurrency payments. Without an easy way to pay ransom, these attacks will decrease. Additionally, more scrutiny is needed on cyber insurance, as this practice facilitates easy payments for threat actors, and has the adverse effect of fueling more cyberattacks.

  7. Security teams should expect significant Zero Day vulnerabilities (Pandian Gnanaprakasam)

Software development has roared forward for decades without enough thought given to security implications, and we’re suffering the consequences. That was evident to security teams in 2021 with the emergence of vulnerabilities like PrintNightmare in Q2/3, and Log4j in Q4. Similar revelations will continue throughout 2022 and beyond with the evolution and use of malicious, automated scanners leveraging tools like Cobalt Strike to find and exploit new vulnerabilities. In response, software developers should emphasize security best practices, especially when working with open-source software. Manufacturers should also disclose their software bill of materials (SBOM)–nested inventory for software, a list of ingredients that make up software components–to better inform customers and users of the possible security implications of using their products.

  8. Telehealth and telemedicine are here to stay. And healthcare organizations need to keep those systems secure. (Darrell Kesti)

The COVID-19 pandemic brought telehealth and telemedicine into the mainstream, and they are not going away even after the threat of the virus abates. For most healthcare organizations, the popularity of telehealth visits versus physical visits will be dependent on insurance providers, and whether they will pay the same amount for virtual versus physical visits. In the UK, telehealth visits are gaining in popularity because of the reduced number of physicians and the long wait time when it comes to scheduling visits. From a cybersecurity perspective, a lot of telehealth/telemedicine environments connect directly from the patient to the specific telehealth vendor, and therefore there is a lack of security visibility into these visits. That needs to change for the sake of patient and organizational safety.

In the U.S., Mayo Clinic began offering hospital-at-home care for patients with non-life-threatening conditions during the pandemic, and saw success from the strategy; not just for patients but also for freeing up space in the hospital. With Omicron and future variants being inevitable, expect that these will also be included in telehealth and telemedicine at-home care, with corresponding medical devices that also need to be secured.

  9. Cloud infrastructure will be one of the leading attack vectors in 2022. (Brad LaPorte)

Everything is moving to the cloud—including cybercriminals. According to Gartner, by 2023, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, up from 40% in 2020. Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users. In addition, 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. And 63% of third-party code templates used in building cloud infrastructure contained insecure configurations. Threat actors know this, and they are working hard to take advantage. To say that cloud security needs to be a top priority is the understatement of the year.

Those are our thoughts on what’s in store for the cybersecurity landscape in 2022. We’d love to hear yours.


October is Cybersecurity Awareness Month under the leadership of CISA and the National Cyber Security Alliance (NCSA). The goal is to continue to raise awareness about the importance of cybersecurity across our Nation. This year’s theme is to be #cybersmart, as we all play a role in the security of our own “cyberspace”. Focusing on cybersecurity and being cybersmart can positively impact our lives, but also the organization we work for and our nation.

To kick off cybersecurity awareness month, here are the five tips to be #cybersmart.

  1. Use a password manager – It’s important to have good password hygiene. This means making sure your passwords are hard to crack: long enough, and a mix of uppercase and lowercase characters, numbers, and special characters. You also don’t want to reuse passwords across accounts, so the best way to manage this is a password manager that securely stores a unique password for each of your accounts.
  2. Don’t use public hotspots – When you’re at the airport, your favorite coffee place, or the library, do you connect to the public Wi-Fi network? A safer option is to connect to your phone’s hotspot or use a VPN. There are no guarantees that public Wi-Fi networks are secure. In fact, with the flaws discovered in WPA2, the encryption standard that secures most Wi-Fi networks, attackers within range of vulnerable clients or access points can become a man-in-the-middle, intercepting passwords, emails, and other sensitive data. In many cases, they can also inject malware into the sites you’re visiting.
  3. Update your applications – whether you’re on your mobile device or laptop, you’re probably running a number of key applications that will come with vulnerabilities. Enable automatic updates on your applications or make sure that you’re updating them regularly with patches. This includes browser updates such as Chrome or Safari.
  4. Use multi-factor authentication – Many applications offer multi-factor authentication, which means you are required to validate your identity with two or more factors. Factors fall into three categories: something you know (a password or PIN), something you have (a smart card or an authenticator app), or something you are (a fingerprint or Face ID). The factors must come from two different categories to add real security; a password plus a security question is still just one category. Enable multi-factor authentication wherever your accounts offer it.
  5. Beware of phishing scams – One of the most common ways malware is delivered is via phishing: attachments that arrive in an email masquerading as a file you should trust. Once downloaded and opened, they can take over your computer. Avoid clicking links from people you don’t know, or links in email messages with grammatical errors and details that don’t make sense. Some phishing scams are highly targeted, so beware of oversharing sensitive information on social media that would make it easy for attackers to target you.

On the afternoon of May 12, President Joe Biden issued his Executive Order on Improving the Nation’s Cybersecurity. The executive order came on the heels of a ransomware attack that shut down operation of a major U.S. refined products pipeline system, a critical infrastructure operator that supplies approximately 40% of the gasoline supply to states along the U.S. East Coast.

As gasoline stopped flowing from suppliers to service stations, prices shot up, shortages broke out and drivers rushed to fill their tanks, unsure of how long the effects would last. The impact of this attack was consequential, dramatically illustrating the vulnerability of key pieces of our economy, but it was not an isolated event. The Executive Order on Improving the Nation’s Cybersecurity was not a knee-jerk reaction to a singular event. It is the result of years of attacks on government, industry, and individual organizations and of a steady cry from both the public and private sector to enlist the resources of our federal government in the fight against cybercrime.

Ordr has been one of the voices speaking in support of greater federal involvement and calling out the need for greater attention to protecting public services and infrastructure. And we were pleased to see that the new executive order called out the need to focus attention not just on information technology (IT), but on operational technology (OT), and the importance of Zero Trust.

OT Security  

Operational technologies are the industrial hardware and software systems that form the backbone of industry: manufacturing equipment, scientific equipment, facilities management controls, transportation and logistics infrastructure, and, yes, the valves, monitors, and other gear essential to managing critical operations.

In many cases these systems were not designed with cybersecurity in mind and have been in place for decades. But as our world grows more interconnected and dependent on technology, the lines between IT and OT have blurred. Those vulnerable systems are an attractive target for threat actors who can exploit weaknesses in IT infrastructure to move laterally into OT networks and execute attacks intended to extract valuable data, or to disrupt operations through sabotage or extortion. Read Jamison Utter’s article on 90% of OT security attacks being common attacks like ransomware, and our Director of Product Management Srinivas Loke’s response to DarkSide, to understand our perspective further.

Zero Trust for Connected Devices 

We are also pleased to see Zero Trust called out as one of the key architectural tenets within the executive order. When it comes to the volume of connected IT, IoT, IoMT and OT in particular, it is impossible for any security team (even the government) to “react” to potential security alerts with these devices. Visibility into devices and their risks, along with proactive Zero Trust policies for mission-critical or vulnerable devices will limit the attack surface and mitigate risks, reducing the Security Operations Center (SOC) or Cyber Security Incident Response Team (CSIRT) burden of investigating alerts.

We’ve been advocating for Zero Trust for connected device security for several years now, and in fact, our platform is designed to make it simple to not only create Zero Trust network policies but also ensure that they can be properly enforced across existing networking and security infrastructure.

The executive order has set a number of priorities, including:

  • Improve the Federal Government’s ability to detect vulnerabilities and incidents on federal government networks;
  • Standardize the playbook for responding to cybersecurity vulnerabilities and incidents; and,
  • Improve the Federal Government’s investigation and remediation capabilities following cyberattacks.

At first glance, the Executive Order on Improving the Nation’s Cybersecurity seems to set overly ambitious goals for meeting these objectives on aggressively accelerated schedules. In fact, the clock is already ticking on deadlines that arrive in as little as 14 days. But the experience and innovation that has been happening within the private sector puts these goals well within reach.

For our part, Ordr already works with many federal agencies to achieve the goals and objectives the White House has articulated. Our technology is adept at identifying the many vulnerabilities that plague OT, and at executing real-time response to detect and isolate attacks that occur, preventing threat actors from moving laterally to gain the information and leverage they need to disrupt operations. We are also proven in our ability to execute Zero Trust policies in industries like healthcare, manufacturing, financial services, education, and more. We are eager, excited and ready to be a part of the mobilization effort that improves the nation’s cybersecurity.


Each year, Verizon releases its Data Breach Investigations Report (DBIR) covering the prior year. This year’s report examines 2020 incident data and non-incident data (i.e., malware, patching, DDoS, and other data types). It is always good to note, with any research, that it does not speak for all data sets and that there are variables no research team can account for. Verizon states this clearly in its Methodology section:

“We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. Even though the combined records from all our contributors more closely reflect reality than any of them in isolation, it is still a sample. And although we believe many of the findings presented in this report to be appropriate for generalization (and our confidence in this grows as we gather more data and compare it to that of others), bias undoubtedly exists.” 

They also follow a standard Vocabulary for Event Recording and Incident Sharing (VERIS) framework with three basic methods:

  1. Direct recording of paid external forensic investigations and related intelligence operations conducted by Verizon using the VERIS Webapp
  2. Direct recording by partners using VERIS
  3. Converting partners’ existing schema into VERIS

The data processing and analysis takes roughly two months, and they clearly acknowledge that their data is non-exclusively multinomial, meaning a single feature can have multiple values (which is why the percentages in the industry breakdowns below can sum to more than 100%), and that random bias, sampling bias, and confirmation bias are all present.
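To make the “non-exclusively multinomial” point concrete, here is a small added example (our own illustration, not code from Verizon or from the DBIR) that tallies VERIS-style breach records where a single feature, such as the data varieties compromised or the actor categories involved, can carry several values at once. The records are constructed sample data, not DBIR figures; the field names `actor` and `data_compromised` are assumptions chosen for readability. Because the denominator is the number of breaches rather than the number of values, the shares legitimately add up to more than 100%, which is exactly what you see in the DBIR’s “Data Compromised” rows.

```python
from collections import Counter

# Constructed sample of VERIS-style breach records (not DBIR data).
# Each record's "actor" and "data_compromised" fields are lists because
# VERIS enumerations are non-exclusively multinomial: one breach may
# expose several data varieties and involve several actor categories.
SAMPLE_BREACHES = [
    {"id": "c-001", "actor": ["External"], "data_compromised": ["Personal", "Credentials"]},
    {"id": "c-002", "actor": ["Internal"], "data_compromised": ["Personal"]},
    {"id": "c-003", "actor": ["External", "Internal"], "data_compromised": ["Medical", "Personal"]},
    {"id": "c-004", "actor": ["External"], "data_compromised": ["Credentials"]},
    {"id": "c-005", "actor": ["External"], "data_compromised": ["Payment", "Personal", "Credentials"]},
]


def tally_feature(records, feature):
    """Return {value: percent_of_records} for a multi-valued feature.

    The denominator is the number of records, not the number of values,
    so the percentages can (and usually will) sum to more than 100.
    """
    counts = Counter()
    for rec in records:
        # De-duplicate within a record so one breach counts each value once.
        for value in set(rec.get(feature, [])):
            counts[value] += 1
    total = len(records)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {value: round(100.0 * n / total, 1) for value, n in ordered}


def multiple_actor_share(records):
    """Percent of records involving more than one actor category.

    This is the quantity the DBIR reports as "Multiple" alongside
    External and Internal, and it explains why those three figures
    do not sum to exactly 100%.
    """
    n = sum(1 for rec in records if len(set(rec.get("actor", []))) > 1)
    return round(100.0 * n / len(records), 1)


if __name__ == "__main__":
    data = tally_feature(SAMPLE_BREACHES, "data_compromised")
    print("Data Compromised:", data, "sum =", sum(data.values()))
    print("Threat Actors:", tally_feature(SAMPLE_BREACHES, "actor"),
          "Multiple =", multiple_actor_share(SAMPLE_BREACHES))
```

Reading the output the same way you would read a DBIR row: a breach that exposed both Personal and Credential data is counted under both headings, so a “Personal (66%), Credentials (42%)” style line is not a partition of breaches but an overlap.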

Just to clarify before we dive in, here are the definitions for an incident and a breach:

Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.

Okay, so let’s dive into the areas that we (Jeff, Ben, Jamison and I) found fascinating from the Verizon DBIR:

Security Trends 

While we don’t believe that any of these trends are going to shock the industry, we do think some of these are great for those tricky board meetings where you have to discuss why you want budget to protect your organization. So, we pulled out a few of the security trends we thought were cool:

  • Social Engineering – we love a good tabletop exercise (TTX) around social engineering, trying to see whether we can craft a convincing phishing email to our favorite C-level executive for credentials. This year’s report validates that concern: “A lot of Social Engineering breaches steal Credentials and once you have them, what better thing to do than to put those stolen creds to good use, which falls under Hacking. On the other hand, that Phishing email may have also been dropping Malware, which tends to be a Trojan or Backdoor of some type, a trap just waiting to be sprung.” Basically, not only do you have to worry about your infrastructure, but you have to worry about the people your organization is hiring and whether they are able to spot a suspicious email or Social tactics. Get them on a good KnowBe4 training and refresh it frequently. Also, share information and good examples of phishing emails that your organization encounters so employees know what to look for.
  • Ransomware Breaches Over Time – well, what can we say here. Ransomware, as we knew well before reading the Verizon DBIR, is a crime of passion (as the true crime podcasts say), and 10% of all breaches now involve ransomware. It has been around for more than 30 years, and its entry is usually completely opportunistic: a spam/phishing attack, or a vulnerable service on the edge of the network that is easily compromised with very little skill. In addition, most ransomware as a service (RaaS) groups use opportunistic, low-skill initial installation techniques: spam/phishing campaigns, unpatched and vulnerable services exposed on the network, and previously compromised usernames/passwords that remain unchanged. From a mitigation perspective, protecting your organization from these opportunistic attacks comes down to the fundamental security best practices of knowing what you have, identifying the associated risks, and monitoring for anomalous behavior.

Some other cool stats that the Verizon DBIR pointed out:

  • The rest of the vectors were split between Email, Network propagation and being downloaded by other malware, which isn’t surprising
  • 60% of the Ransomware cases involve direct install or installation through desktop sharing apps
  • The primary vector Actors use is stolen credentials or brute force
  • 42% of incidents had no financial loss and 90% of ransomware had NO loss – absurd, right?! The headlines would make you feel differently.

Before we take a deep dive into Healthcare and Manufacturing, which had some cool data, we wanted to highlight Education, Financial and Insurance, and Mining, Quarrying, and Oil & Gas Extraction + Utilities.

 

Education

Frequency: 1,332 incidents, 344 with confirmed data disclosure

Top Patterns: Social Engineering, Miscellaneous Errors and System Intrusion represent 86% of breaches

Threat Actors: External (80%), Internal (20%), Multiple (1%) (breaches)

Actor Motives: Financial (96%), Espionage (3%), Fun (1%), Convenience (1%), Grudge (1%) (breaches)

Data Compromised: Personal (61%), Credentials (51%), Other (12%), Medical (7%) (breaches)

Top IG1 Protective Controls (these are the CIS Controls Implementation Groups): Security Awareness and Skills Training (14), Access Control Management (6), Secure Configuration of Enterprise Assets and Software (4)

Financial & Insurance

Frequency: 721 incidents, 467 with confirmed data disclosure

Top Patterns: Miscellaneous Errors, Basic Web Application Attacks and Social Engineering represent 81% of breaches

Threat Actors: External (56%), Internal (44%), Multiple (1%), Partner (1%) (breaches)

Actor Motives: Financial (96%), Espionage (3%), Grudge (2%), Fun (1%), Ideology (1%) (breaches)

Data Compromised: Personal (83%), Bank (33%), Credentials (32%), Other (21%) (breaches)

Top IG1 Protective Controls: Security Awareness and Skills Training (14), Secure Configuration of Enterprise Assets and Software (4), Access Control Management (6)

Mining, Quarrying, and Oil & Gas Extraction + Utilities

Frequency: 546 incidents, 355 with confirmed data disclosure

Top Patterns: Social Engineering, System Intrusion and Basic Web Application Attacks represent 98% of breaches

Threat Actors: External (98%), Internal (2%) (breaches)

Actor Motives: Financial (78%-100%), Espionage (0%-33%) (breaches)

Data Compromised: Credentials (94%), Personal (7%), Internal (3%), Other (3%) (breaches)

Top IG1 Protective Controls: Security Awareness and Skills Training (14), Access Control Management (6), Account Management (5)

Also, for a stack rank on industries and their number of incidents and confirmed data disclosures, here you go:

  • Public Administration – 3,236 incidents, 885 with confirmed data disclosures
    The Social Engineering pattern was responsible for over 69% of breaches in this vertical. Clearly, this industry is a favorite honey hole among the phishing fiends. The Social actions were almost exclusively Phishing with email as the vector.
  • Information – 2,935 incidents, 381 with confirmed data disclosures
    If we look at only incidents, we find that this industry tends to be bombarded with DoS attacks, a trend that has been occurring ever since computers were networked, or at least since we’ve been doing this report (Figure 108). Of the incidents, DoS alone accounts for over 90% of the Hacking actions we observed, with the rest being credential-based attacks such as Brute force or the Use of stolen credentials.
  • Professional, Scientific and Technical Services – 1,892 incidents, 630 with confirmed data disclosures
  • Educational Services – 1,332 incidents, 344 with confirmed data disclosures
  • Arts, Entertainment and Recreation – 7,065 incidents, 109 with confirmed data disclosures
    What was a bit surprising was the high level of Medical information breached in this sector. One would typically associate medical record loss with the Healthcare industry. However, upon digging into the data a bit more, the Personal Health Information (PHI) was related to athletic programs, which fall under this vertical.
  • Retail – 725 incidents, 165 with confirmed data disclosures
  • Financial and Insurance – 721 incidents, 467 with confirmed data disclosures
    Misdelivery represents 55% of Financial sector errors. The Financial sector frequently faces Credential and Ransomware attacks from External actors.
  • Healthcare – 655 incidents, 472 with confirmed data disclosures
  • Manufacturing – 585 incidents, 270 with confirmed data disclosures
  • Mining, Quarrying, and Oil & Gas Extraction + Utilities – 546 incidents, 355 with confirmed data disclosures
  • Accommodation and Food Services – 69 incidents, 40 with confirmed data disclosures

“Security postures and principles, such as proper network segmentation, the prevention of lateral movement, least privilege, and “never trust, always verify” have proven to be strong indicators of an organization’s ability to prevent or recover from unauthorized presence in its network environment.” 

Healthcare

Frequency 655 incidents

472 with confirmed data disclosure

Top Patterns

Miscellaneous Errors, Basic Web Application Attacks and System Intrusion represent 86% of breaches

Threat Actors  

  • External (61%),
  • Internal (39%) (breaches)

Actor Motives: 

  • Financial (91%)
  • Fun (5%)
  • Espionage (4%)
  • Grudge (1%) (breaches)

Data Compromised  

  • Personal (66%)
  • Medical (55%)
  • Credentials (32%)
  • Other (20%) (breaches)

Top IG1 Protective Controls: 

  • Security Awareness and Skills Training (14)
  • Secure Configuration of Enterprise Assets and Software (4)
  • Access Control Management (6)

“In 2020, in the midst of the pandemic, cyber actors increased malware attacks against U.S. victims, including the healthcare and public health sector. The U.S. Secret Service noted a marked uptick in the number of ransomware attacks, ranging from small dollar to multi-million dollar ransom demands. While most organizations had adequate data backup solutions to mitigate these attacks, cyber actors shifted their focus to the exfiltration of sensitive data. These cyber actors, often organized criminal groups, proceeded to monetize the theft by threatening to publicize the data unless additional ransom was paid. The monetization of proceeds was typically enabled by cryptocurrency, in an attempt to obfuscate the destination of proceeds and hamper the ability of law enforcement to locate and apprehend those responsible for the crime.”

But, you might ask, what has changed? Well, in 2020 there was a significant shift in Healthcare: breaches were no longer dominated by Internal actors but moved to primarily External actors. So, some good news, right? No longer is your primary threat actor your own employees!

And lastly, we found it interesting that for the second year in a row, Personal data was compromised more often than Medical. One could make the leap that Personal data can actually be used more widely than someone’s Medical data.

Manufacturing (not mining, quarrying or oil & gas)

Frequency 585 incidents

270 with confirmed data disclosure

Top Patterns

System Intrusion, Social Engineering and Basic Web Application Attacks represent 82% of breaches

Threat Actors  

  • External (82%),
  • Internal (19%),
  • Multiple (1%) (breaches)

Actor Motives

  • Financial (92%)
  • Espionage (6%)
  • Convenience (1%)
  • Grudge (1%)
  • Secondary (1%) (breaches)

Data Compromised

  • Personal (66%)
  • Credentials (42%)
  • Other (36%)
  • Payment (19%) (breaches)

Top IG1 Protective Controls  

  • Security Awareness and Skills Training (14)
  • Access Control Management (6)
  • Secure Configuration of Enterprise Assets and Software (4)

The Verizon DBIR uses organic almond milk and toilet paper as its examples; we will use primed lumber and DIY tools as ours for the shortages that surrounded the manufacturing supply chain in 2020 and their implications. While facilities were shut down, you might think…cool, we might get some time to relax…the answer to that was a BIG NO. Manufacturing saw ransomware play a significantly increased role in malware-associated breaches (61.2%) relative to previous years, overtaking both DoS and Phishing as the most common varieties of attack.

How Ordr Can Help 

It wouldn’t be a good vendor blog if we didn’t also mention that we are willing to help out and give you a 30-day free trial. For more information on how Ordr delivers visibility and security for all connected devices — from traditional servers, workstations and PCs to IoT, IoMT and OT devices — contact us at info@ordr.net. Also, if you want to see how we map to the CIS Controls, take a look at our new CIS Controls Solutions Brief here: https://ordr.net/solution-briefs/ordr-cis-controls-solutions-brief


In the first week of National Cybersecurity Awareness Month (NCSAM), we covered the theme, If You Connect It, Protect It. This week, we will cover Securing Devices at Home and Work.

2020 saw a major disruption in the way many work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Week 2 of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet connected devices for both personal and professional use. 

Bring Your Own Device vs. Bring Your Work Device Home

In the early 2000s, we saw the onset of Bring Your Own Device (BYOD), where organizations began allowing the use of personal devices for work functions. What counts as a device varies by organization, but it is typically a cell phone or laptop that can connect to the corporate network so that an employee can carry out their daily functions from the comfort of the device they chose. Now, in 2020, we have almost the opposite happening: organizations are supporting work devices that connect over unmonitored home networks. Not only are employees using their home networks, but potentially so is everyone else who lives under the same roof.

When home life and work life bleed together, like they have for so many folks in 2020, we find that a general set of guidelines on how to protect your devices works best:

  • Have a solid inventory of your connected devices – do you know all the devices that are connected and how they are behaving?
  • Make sure that your devices are updated with the proper operating system, there are no recalls on the devices, and all applications are verified and not listed on any blocklist
  • Use caution with every email, link, and application – slow down during your workday or when just perusing, never click on links from unknown sources, and try to understand the risks associated with engaging on any platform
  • When in doubt, always reach out to your IT or security team if something looks suspicious or is acting inappropriately

How Ordr Can Help 

In the true spirit of Ordr’s mission of protecting all connected devices and creating a safer network infrastructure, we recently began an IoT Discovery Program that allows you to:

  • Gain high-fidelity visibility into devices that you may not know are in your network
  • Understand risks including communication patterns and vulnerabilities
  • Discover usage patterns for your devices
  • Map these devices to your Layer 2 and Layer 3 architecture
  • Identify appropriate segmentation policies to secure your devices

If you feel this program would be a good fit for your organization, register here: https://ordr.net/sensor/

Through the Cybersecurity Awareness month of October, we will be releasing a set of blogs to focus on weekly topics. Next Tuesday, catch our blog on “Securing Internet-Connected Devices in Healthcare”.


United States of America – National Cyber Security Awareness Month (NCSAM) 

As the Fall weather starts and we begin to overindulge in pumpkin spice lattes and candy, another great seasonal reminder is presented: Cybersecurity Awareness Month! Started in 2004 by the National Cyber Security Division within the United States Department of Homeland Security and the nonprofit National Cyber Security Alliance, the dedicated month aims to raise awareness about cybersecurity. The focus is both on how consumers can protect their data and on how organizations can take steps to safeguard their infrastructure. Since 2004, we have seen global adoption of Cybersecurity Awareness Month, with Canada and the European Union (EU) joining the US.

 

European Union – European Cybersecurity Month (ECSM) 

The ECSM is dedicated to promoting cybersecurity among citizens and organizations, and to providing up-to-date online security information through awareness raising and sharing of good practices. ‘Think Before U Click’ is the official motto of ECSM 2020. 

 

Canada – Cyber Security Awareness Month (CSAM) 

The Canadian CSAM aims to inform the public of the importance of cyber security. This campaign is focused on helping all Canadians be more secure online, by being informed and knowing the simple steps to take to protect themselves, their families, their workplace, and their devices. The month is divided into two themes which highlight different aspects of cyber security, focusing on protecting devices.

 

October 2020 – If You Connect It, Protect It 

As we embark on another October of bringing awareness to the importance of cybersecurity, this year’s theme is “Do Your Part. #BeCyberSmart.”, encouraging individuals and organizations to do their part, stressing personal accountability and the importance of organizations taking proactive steps to enhance cybersecurity.

 

Through the month of October the emphasis will be on “If You Connect It, Protect It,” and we will be releasing a set of blogs that focus on the weekly topics, give tips on how to protect your connected devices, and look at what the future holds:

October 6 (Week 1): If You Connect It, Protect It 

October 13 (Week 2): Securing Devices at Home and Work 

October 20 (Week 3): Securing Internet-Connected Devices in Healthcare 

October 27 (Week 4): The Future of Connected Devices 

 

For more information on what you need to know about IoT Security, we’ve created an IoT Knowledge Hub. To learn more about IoT Security, click here.