By John Gruber
Jiiiii — Free to download, unlock your anime-watching-superpowers today!
We recently attended the RSA conference in San Francisco — security’s biggest event of the year — and we were struck by how infatuated everyone was with the promise of new, shiny solutions to fix new, shiny problems. On some level that’s not surprising — tech is constantly driving toward the future, and security is one of the fastest-moving areas of tech.
But on the other hand, it seems like the security industry is walking away from some of its most foundational problems before they’ve actually been solved. People would rather talk about AI-powered behavioral analytics that can detect when a worker’s mouse is moving strangely than the decidedly un-glamorous work of rolling out patches and managing permissions.
This disconnect was especially clear in the 2024 Verizon Data Breach Investigations Report (DBIR). This year’s report found that “the human element” (accidental breaches caused by human error or victimization in phishing attacks and the like) was the number one cause of breaches. The same was true last year, and the year before that, and the year before that.
The single biggest culprit in breaches continues to be weak and stolen credentials. The 2024 DBIR found that “use of stolen credentials” is the number one initial action during a breach, and that credentials are the number one way attackers get in in non-error, non-misuse breaches, followed by phishing and vulnerability exploits.
What’s frustrating about the persistence of credential-based attacks is that they are eminently solvable! Roll out a password manager to your end users, put SSO and MFA in front of sensitive applications, and implement passkeys when possible. Yet in 1Password’s 2022 State of Access Report, only 29% of respondents said they used a password manager at work.
The same narrative about credentials is also true about compromised devices and, especially, employee training. The DBIR’s authors said as much in a webinar about the report, claiming that “You can address two-thirds of these breaches by training and equipping your employees appropriately.”
But at RSAC, it was tough to fill a room for a talk on employee training or credential management. The popular talks tended to focus on things like the dangers of AI deepfakes, which is ironic, since the 2024 DBIR said that GenAI hasn’t made much of an impact on breaches so far.
This needs to change, and the 2024 DBIR offers a clear look at where we’re falling short and where we go from here.
To get more insights about the report and its implications for security, read the full blog.
This RSS sponsorship ran on Tuesday, 5 November 2024.