Verizon has just released its much-anticipated 2015 Data Breach Investigations Report, and in an exclusive interview, Bob Rudis says - contrary to public perception - 2014 was not so exceptional as to be considered "The Year of the Breach."
"I think maybe the media is just paying more attention to the breaches, or maybe they've become more of a media event," says Rudis, a data scientist at Verizon and manager of its security research team. "Honestly, the report really doesn't have anything to suggest that 2014 was 'The Year of the Data Breach,' per se."
Instead, what the past year's breaches revealed, the report finds, is that while attacks indeed are growing in sophistication, many intrusions still rely on tried-and-true social engineering techniques, such as phishing. And far too many attacks are successful because organizations have failed to patch known vulnerabilities.
"99.9 percent of the vulnerabilities that are exploited are a year old," Rudis says. And some are as old as 2007 or even 1999. "The attackers are partying like it's 1999 because the exploits of those vulnerabilities are still working."
Beyond the statistics on breaches and investigations compiled from 70 contributors, including major law enforcement agencies, this year's report also explores the cost of a breach, as well as what Rudis describes as "before and beyond the breach."
"We've not just looked at the breaches that occurred last year," he says, "but what is the potential impact associated with those breaches? What actually occurs to cause those breaches to be able to happen?"
In addition to analyzing the threat landscape and threat actors, this year's report also takes a first look at mobile security, the Internet of Things and the financial toll of a breach.
In an exclusive interview about the report, Rudis discusses:
- Noteworthy trends about threats and threat actors;
- Biggest gaps in breach response;
- How to apply the report's key findings.
Findings of the 2015 Data Breach Investigations Report also will be presented and analyzed by Rudis and others at RSA Conference 2015 in San Francisco, April 20-24.
Rudis is a security data scientist at Verizon with more than 20 years of experience using data to help defend global Fortune 100 companies. He is a serial tweeter (@hrbrmstr), avid blogger (rud.is), author ("Data-Driven Security"), speaker and regular contributor to the open source community (github.com/hrbrmstr). He serves on the board of directors for the Society of Information Risk Analysts. Rudis also is on the editorial board of SANS Securing The Human program, and he was co-chair of the 2014 Metricon security metrics/analytics conference.