[HN Gopher] 2024 Verizon Data Breach Investigation Report [pdf]
___________________________________________________________________
2024 Verizon Data Breach Investigation Report [pdf]
Author : cws
Score : 81 points
Date : 2024-05-01 16:08 UTC (6 hours ago)
(HTM) web link (www.verizon.com)
(TXT) w3m dump (www.verizon.com)
| lenerdenator wrote:
| Breaches by attackers will continue until it becomes
| prohibitively expensive or dangerous for the attackers to do what
| they do. This isn't something companies can do; it takes a
| government to do that.
|
| Until then, it's a great way to squeeze crypto out of some
| company to make up for the fact that your country is under
| sanctions tied to the US Dollar, and since it's hard to prove to
| the bean counters that an attack will happen with reasonable
| certainty on a given system in the next quarter, good luck
| getting resources and priority for mitigations beyond the usual.
| alephnerd wrote:
| > since it's hard to prove to the bean counters that an attack
| will happen with reasonable certainty on a given system in the
| next quarter, good luck getting resources and priority for
| mitigations beyond the usual.
|
| False.
|
| Companies are now liable to report breaches to the SEC and
| steps taken to remediate.
|
| As I've mentioned several times on HN before, heads do roll and
| C-Suite does care about security posture now that liability and
| insurance payouts are on the line.
|
| The annoying thing is HNers will never see the actual successes
| (because these are obviously kept private) and only see a
| couple glaring failures.
|
| Furthermore, this report is an advertisement for Verizon's MSSP
| division (Verizon Business), which companies pay to manage
| their security posture - all telcos have had an MSSP BU since
| the 1980s (ATT Global Business Services being the market
| leader)
|
| You'll see a lot of BS like this for the next 2 months because
| RSA is in 2 weeks and AWS Re:Invent in a month. It's conference
| season (great time to stock up on free tshirts and drink
| Blanton's on the corporate tab)
| lenerdenator wrote:
| > Companies are now liable to report breaches to the SEC and
| steps taken to remediate.
|
| I'm looking at UnitedHealth's stock price over the last year.
| The theft happened in February. There was a dip; it's already
| recovering from that.
|
| The market doesn't particularly care about those disclosures,
| it would seem.
| alephnerd wrote:
| Stocks are not the "holy grail decide all" when much of UHG
| and Optum's leadership is in front of Congress as we speak
| during an election year and with significant liabilities
due to potential breaches of contract by failing to produce
| billing to their customers.
|
| Go on LinkedIn and take a look at who's on the CISO org and
| below at UHG and Optum today - in 6 months 60% of them will
| no longer list either as their employer.
|
| UHG the organization will continue to exist, but the people
| who make up that organization will have their heads roll.
|
| There is no Mr UHG the 3rd running stuff there or in the
| majority of F1000s - it's professional managers who climb
| up and down the ladder.
|
| Not everything is some sort of conspiracy with mustachioed
| men and DEI puppets parroting Milton Friedman and Ronald
Reagan like the HN hivemind loves to think.
| lenerdenator wrote:
| Being dragged in front of Congress on anything related to
| a computer is not a big deal; if it were, Mark Zuckerberg
| would not be CEO of Meta. The liabilities will be played
| out in court over the next decade, and you'll possibly
| see some legislation passed over that time period
| limiting liability in these situations, because how can
| we possibly expect these companies to deliver value to
| shareholders while shouldering the risks posed by
| adversarial state-backed hackers?
|
| Personal responsibility as conducted through firings
| means more for the rank-and-file than for directors and
| above. It's not about what you've done as much as who you
| know in those levels.
|
| TL;DR: I'll believe it when I see it.
| alephnerd wrote:
| > how can we possibly expect these companies to deliver
| value to shareholders while shouldering the risks posed
| by adversarial state-backed hackers
|
| 1. Liability
|
| 2. Insurance Premiums
|
| 3. Regulation
|
| 1 and 2 are already in place, and 3 is currently working
its way over the next couple years.
|
| > TL;DR: I'll believe it when I see it.
|
| Cynicism is valid, but at some point it's just unfounded
| nihilism, and you as an individual IC will never publicly
| see these changes as they are well above your pay grade
| (and you sure as hell won't hear about it publicly)
|
| > Being dragged in front of Congress on anything related
| to a computer is not a big deal
|
| It is when you are on the hook for that federal bailout
| to prevent the entire healthcare system from collapsing
| [0] caused by incompetence surrounding credential
| management
|
| [0] - https://www.wsj.com/articles/calls-mount-for-
| government-help...
| photonthug wrote:
| > Cynicism is valid, but at some point it's just
| unfounded nihilism, and you as an individual IC will
| never publicly see these changes as they are well above
| your pay grade (and you sure as hell won't hear about it
| publicly)
|
| Weird comment, are we supposed to trade the unfounded
| nihilism for unfounded optimism? Apparently
| accountability and transparency[1] are widely available..
| behind closed doors.
|
| [1]: yep, transparency is kinda required for having
| effective insurance, regulation, or liability.
| dantillberg wrote:
| The CISO role is too often just a game of roulette. The
| big question is whether the CISO is actually able to
| effect changes that have material impact on their own
| fate, by improving security posture. If not, then the
| CISO is merely compensated to play the scapegoat when
| luck is down.
| alephnerd wrote:
| CISOs aren't the only heads that roll.
|
| Security incidents will often directly impact platform
and infrastructure teams, whose leadership and EMs' heads
| roll as well.
|
| If there is a very public breach, literally everyone
| director upwards will inevitably get purged over the 12
| months post breach.
|
| I've worked on enough cases like this to see it happen.
| Starman_Jones wrote:
| If it doesn't affect stock price, though, then the CEO,
| board, and shareholders are all incentivized to keep IS
| costs low, and ignore any costly security
| recommendations.
| er0k wrote:
| Kelly Shortridge's post about the DBIR is great
| https://kellyshortridge.com/blog/posts/shortridge-makes-sens...
| hackncheese wrote:
| I was _thoroughly_ entertained by this read, thanks for the rec
| westmeal wrote:
| Kind of ironic they try to collect an email on this page and you
| simply have to hit view only.
| internetter wrote:
| What is ironic about this?
| observationist wrote:
| Verizon having to publicly disclose that they screwed up
| protecting the data they collect, and then, like a desperate
| addict, asking for more data? Yeah, no, you're right, not
| ironic at all.
| Veserv wrote:
| It is a report that Verizon produced about data breaches in
| industry, not a report about a data breach at Verizon.
|
| Please at least click the link before making snarky
| comments or your snarky comments will be misinformed.
| dylan604 wrote:
| You have to admit the title "2024 Verizon Data Breach
| Investigation Report" is very easily interpreted as a
| Verizon data breach.
| nyokodo wrote:
| > What is ironic about this?
|
| It could be considered situational irony for a company
| reporting on industry data breaches to expect readers to
| disclose personal information as one would expect them to
| display sensitivity to unnecessary capture of precisely this
| kind of data.
| ffpip wrote:
| Direct link -
| https://www.verizon.com/business/resources/T5d2/reports/2024...
|
| From the title, it seemed that Verizon had published a postmortem
| of a recent data breach incident they had
| ChrisArchitect wrote:
| Official release, other links:
|
| https://www.verizon.com/about/news/2024-data-breach-investig...
| hk1337 wrote:
| Geez, all 3 major mobile phone providers have had a data breach
| fairly recently.
|
| T-Mobile (2021), AT&T (2024), Verizon (2024)
| selectodude wrote:
| It wasn't a breach at Verizon.
| hk1337 wrote:
| Ah, okay. I misunderstood.
| chefandy wrote:
| This is actually a really solid high-level report. Very well-
| written. Frankly, it blows my mind that it was made by a company
| with such infuriatingly asinine, incompetent, and ineffective
| support processes. I'll bet a non-zero quantity of hiring
| managers that have been burned by Verizon's support have
| subconsciously passed over talented candidates coming from there.
___________________________________________________________________
(page generated 2024-05-01 23:00 UTC)