As director of risk intelligence for Verizon Business, Wade Baker oversees the collection and analysis of data that helps Verizon’s institutional clients and the security community understand and manage information risk.
Baker is the creator, lead author, and primary analyst for Verizon’s annual data breach investigations reports, available free to the public. The 2011 report was produced with cooperation from the U.S. Secret Service and the Dutch National High Tech Crime Unit. Baker speaks regularly to the news media on cybersecurity topics and has published articles in academic and trade journals. After completing doctoral coursework in Pamplin’s business information technology program and proposing a dissertation on a decision support system for managing information security risk, he joined Cybertrust in the Washington, D.C. area.
Verizon bought Cybertrust in the summer of 2007, right after I signed on full-time and moved to Northern Virginia. Turns out, the offices were only about 10 minutes apart, our team remained intact, and the only real change was that we started wearing red jerseys instead of Cybertrust’s grey and black.
Trying to reduce the guesswork
Information security is currently more of an art than a science. Some would call it a religion. We recommend or require various practices that we believe are effective, but we don’t often measure exactly how effective they are. Are our “best practices” really the best? The truth is, we don’t know. We don’t know because we don’t have a lot of data, and since we don’t have data, our models are immature as well. Without these basic tools, making decisions about managing information risk involves a lot of guesswork. In my research, I’m trying to reduce the amount of guesswork involved in the security decision-making process.
My job allows me to essentially continue the stream of research I started in my doctoral work. It’s very interesting — time-consuming, but I enjoy it very much. My biggest challenge is finding the time and motivation to go “backwards in time” and finish the dissertation. I left Virginia Tech after the 2007 school year to work full time; in all honesty, I’ve made little progress on my dissertation since then. I am the poster child for why doctoral advisors tell their students not to leave the university before completing their dissertation.
Bringing research into the realm of practice
I would still like to have some kind of role in academia at some point. I like teaching and research, but most of all I like being involved in bringing that research into the realm of practice. As things stand now, my current position is an ideal mix of research and practice (and I get to teach a little bit too), so I’m content where I am.
Intelligence and research
I do travel and speak a lot. Some of those are public events, and some are with customers. I don’t typically do the “on the ground” part of investigating security incidents, but our team is actively involved in the background of those engagements. In our role of intelligence and research, we’re studying each of those incidents and identifying who did it, what methods they used, how systems were affected, which security practices failed, what types of data were stolen, etc. We collect such data on every incident, aggregate and analyze it, and use that data to support our clients and the general public in managing information risk.
Something useful and valuable
The project that would become the Data Breach Investigations Report started in 2007 as a way to obtain high quality risk data. Good data in the security space is scarce, and we saw an opportunity to create something useful and valuable. Cybertrust/Verizon’s investigative response team had for years handled some of the largest breach cases in the world. They could tell you the kinds of things that happened often, but they didn’t have any hard data or statistics on their caseload. We created a framework for capturing that data, and, once we saw what we had, we decided to publish our findings.
More surgical strikes
If you ask what “leapt out” at me most during our analysis of 2010 breaches (which form the basis of the 2011 DBIR), it was the extreme changes we saw in the number of incidents and amount of data stolen. In 2010, we investigated more incidents than ever in which consumer data — payment cards, bank accounts, personal information — was stolen. And cybercriminals appear to be changing the way they accomplish this. For example, in years past, we studied some huge breaches of large organizations that affected tens of millions of consumers in a single incident. We didn’t see any of those in 2010 — which is a good thing. Unfortunately, it’s not as though the bad guys took the year off; what we did see was a huge number of lighter, faster, and more surgical strikes against smaller organizations. This may be because many of the criminals behind those massive breaches are in jail, under prosecution, or on the run. This increase in smaller attacks may represent a tactical shift toward less risky and lower-hanging fruit.
Using what we already have
The core problem with securing information systems isn’t a lack of innovation, but rather a quality management problem. Sure, we need to develop better tools and tricks, but what we really need to do right now is get smarter about how we use the ones we have. Ninety percent of our problem relates to known threats with known solutions, yet we continue to fall far too easily and far too often to those threats. If we got really serious about eliminating the routine defects and mistakes, I’m convinced we’d be in a much better position to figure out how to handle that last 10 percent.
While security professionals do tend to be a skeptical and suspicious lot, we’re definitely not immune to getting conned. I read a study once that showed a surprisingly high number of security folks were tricked into providing information to some fake social media persona with a pretty avatar.
1. An organization’s approach to data security starts with policy and planning. Most large organizations have these in place, but many smaller organizations and franchises don’t — or if they do, they’re not communicated very well to staff.
2. Moving on from policy are the processes, technology, and people that must be put in place to uphold these security policies. This is the first and critical line of defense. After studying thousands of data breaches, I would wager that an organization’s next breach will stem from a failure to do what they have stipulated in policy that they should do.
3. Which brings me to my third recommendation — implement accountability procedures to check and help ensure that policies are actually being met.
4. Fourth, for critical areas, check these things again. Having another set of eyes do this — a third party — is a good idea. That may sound redundant, but I’m not kidding. In our experience, this would help prevent the overwhelming majority of data breaches.
5. Most of the time, it takes a very long time for the victim to discover they’ve been breached, and when they do learn of this, it’s usually because a third party alerted them. The only way this will change is if organizations increase awareness and visibility into what occurs in their networks, systems, and applications — which is my fifth recommendation.