Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, with all the excitement with RSAC and everything else this past few weeks, did
(00:04):
you ever get a chance to read this year's Verizon Data Breach Investigations Report?
I did.
I'm gonna share some observations with you right after this.
(00:25):
Hello, and welcome to another episode of CISO Tradecraft, the podcast that
provides you with the information, knowledge, and wisdom to be a more
effective cybersecurity leader.
I'm your host, G Mark Hardy.
Today we're gonna dive into one of the industry's most anticipated
publications, the 18th year of the Verizon Data Breach Investigations Report,
DBIR, or 2025 DBIR to be more specific.
(00:48):
And it's really a cornerstone report.
We look forward to this thing.
It's got a lot of information, a lot of data-driven insights if you want
to go ahead and help make better decisions for your organization.
Also to see some of the patterns, the trends, and the tactics that are shaping
cyber crime as well as security issues.
So today I'm gonna distill what I think are 10 critical takeaways for you.
A CISO, a VP, director, or aspiring to become a CISO.
(01:11):
This information is for you, so let's settle in and take a look at it.
First of all, you can go ahead, and I'll put the link,
and the URL, on my website, so you can go ahead and download it for yourself.
They do have a squeeze page where they ask you for your contact information,
but once you get to the PDF page, there's not a squeeze page on that, so you can
go download it as many times as you want.
(01:33):
I will, of course, respect their wishes to go ahead and capture your data.
Your mileage may vary. Now, it was published on the 23rd of April, and it's 115 pages.
Now, one of the things that I like about this, if you remember one of
the admonitions that was given by Warren Buffett.
He said, whenever you read an annual report, start with the footnotes.
Why would he say that?
Because that's where they put the stuff that they gotta say, but they don't wanna
(01:56):
say. In this case, I would say for fun, read the 123 footnotes in the report.
There's a lot of kind of cute stuff in there, including a reference to a customer
complaint that is over 3,800 years old.
One that I just learned about today when I was looking it up.
I didn't see a puzzle this year.
I know in the past there have been puzzles associated with the report.
(02:17):
Dave Schutz is a friend of mine, a gentleman I've known who was involved
in the Shmoo Group years ago.
He kept winning all of my contests.
I used to do crypto contests for Shmoo, and this guy would win them
each year, and my grand prize was his round trip ticket to Vegas to go to DEF CON.
So I said, okay, I'm gonna teach you how to do it.
And not only is he great at making puzzles, but he's great at solving 'em.
So shout out to Dave if you're listening.
(02:38):
Anyway, let's take a quick look at the scope of this DBIR.
This report looked at over 22,000 security incidents.
Over 12,000 confirmed data breaches across 139 different countries.
It's really a global snapshot of cyber crime as well as just mistakes that
people make from a security perspective, but it's grounded in data from the
(03:01):
real world, and they look at their partners, law enforcement, incident
response teams. And as a security executive,
you should know the value of actionable intelligence, and
the DBIR delivers just that.
So let's take a look at 10 important elements for your strategic planning.
Starting with a trend that I think is sounding alarms across
boardrooms, number one, third party breaches have doubled to 30%.
(03:26):
30% of all breaches now involve a third party, more than twice
what they had last year.
It's a real wake up call.
If you're relying on vendors, partners, supply chains, if it's a software
vulnerability in a third party platform, a compromised data custodian, these
effects could be significant for you. As a CISO, this underscores a need
for robust vendor risk management.
(03:48):
It's not enough to secure your own house.
It's great you got everything patched and you have all of the different
updates that are out there, but you gotta worry about your partners
as well.
Now, what happens if they have a report?
Can you ask for a SOC 2?
Sure.
Does that necessarily mean that today they're not gonna be vulnerable?
No.
So realize that a single weak link in your supply chain can unravel
(04:13):
years of security investments.
So what you do for an action item: enhance your third party risk assessments. Mandate
regular security audits. Have breach notification clauses in your contracts.
Your perimeter extends far beyond your firewall now, and you need
to go ahead and manage that.
All right.
How about number two, ransomware?
(04:35):
It's been around and it refuses to retire.
Ransomware, according to the DBIR report, is present in 44% of confirmed
breaches, up from 32% last year.
Now if you're in the SMB space, a small, medium-sized business, it's even worse.
88% of those breaches that were reported involve ransomware.
The median ransom payment last year was $115,000 US, down
(05:00):
from 150,000 the year before.
So it's moving in that direction.
It's a significant hit though, if you're an SMB, that's not round off error.
That could be salaries for a few months for your people, and that's a big deal.
It suggests that
maybe vendors are, I'm sorry, not vendors, but victims are
(05:24):
not willing to pay as much.
64% of the victims refuse to pay.
Up from perhaps half of them two years ago.
This means you got more resilience, probably better backups,
better incident response plans.
And remember, there's kind of two approaches of ransomware.
There is the attack against availability on the CIA.
Hey, oops, your files aren't encrypted.
(05:46):
Good solid backups.
Being able to have a robust incident handling plan can help mitigate that.
And more recently, we've seen attacks on confidentiality.
Oops, your files are encrypted.
We don't care.
We can restore them.
Oh yeah, by the way, we've got copies of them and we're gonna put 'em on payin.
Or worse yet, we're gonna send them to the regulators and let 'em
know that you're outta compliance.
So those problems are still there.
(06:07):
But as an executive, what you need to do is prioritize endpoint
protection and patch management.
It's gonna go a long way to keep ransomware entry.
Secondly, invest in offline backup so that those cannot be corrupted.
At the same time, test your recovery
regularly.
Don't just assume because it went one way, that it can come back the other way.
(06:28):
I had an incident in one of my clients, or one of my executives
fairly recently went ahead and got one of these new type of CAPTCHAs.
He is not a technical person.
Brilliant business person, great guy.
But when this CAPTCHA, instead of saying identify the buses or the
motorcycles, or click here till there aren't any traffic signals, said type
a Windows + R, then a Control + V and Enter to prove you're a human.
(06:54):
What's going on there?
It had already, because you'd say run, click on this to prove your CAPTCHA,
you've copied something into the buffer.
Windows R is a run, run command.
Control V is a paste and then Enter, and off it goes.
Running PowerShell scripts, making registry entries, trying to
download malware, and essentially setting off all kinds of alarms.
(07:16):
We were able to block it.
But the point was, is that could have been ransomware, and the approach wasn't
a weak endpoint, it wasn't an unpatched system, it was an unpatched user.
So as a result of that, we went ahead and we did an all hands training on that.
So be aware of that.
Good defenses.
You can reduce the leverage on ransomware, but you really, I
(07:37):
think you get the most leverage
by making your people suspicious and careful about what they do,
and no fear in reporting a problem.
And that's key.
Why?
Because if people are afraid they're gonna get in trouble, they're gonna
try to hide it, it's gonna get worse.
It's gonna fester.
If someone can pick up the phoneand say, Hey, G Mark, I think
I just did something stupid.
Can you help me?
(07:57):
Absolutely.
And there's no blame.
There's no ha at the end, but rather it's, let's work together and solve this.
So try to create that culture.
Okay, third takeaway ahead:
exploitation of vulnerabilities has surged 34%.
Now, I said that maybe your biggest attack vector is gonna be your people, but
20% of initial attack vectors are now coming through exploited vulnerabilities,
(08:20):
zero days in particular, because you really can't patch those, because as
a result, as we know, a definition of zero day is something where the
attacker has found a vulnerability that the vendor has not yet issued a patch for.
And so as a result, if you can go ahead and do that, so the MOVEit software
breach, for example, which wreaked havoc across education, finance, insurance
(08:41):
sectors, kinda reminds me of that.
So there's a call to action on vulnerability management.
How long does it take to patch?
I remember when they first started talking about time to patch, it was like 354
days, and that was the old report from Mandiant, and now it's down to patching
edge and VPN flaws to about 32 days.
(09:03):
Still pretty good, but that's an awful big long window for someone to take
advantage of you, and really only 54% of those vulns are getting patched at all.
That's a huge gap.
So have a rigorous patch management program.
Prioritize your critical vulnerabilities.
Use your CVSS scores.
Nine point eights need to get fixed.
Fives, nah, you can probably live with 'em. And consider automated scanning tools.
(09:25):
Stay ahead of the threat actors.
Speed is important.
You want to go ahead and beat your opponent to it.
It's the OODA loop.
Observe, orient, decide, act.
You wanna get inside the OODA loop of your attacker and you'll do better.
How about number four, credential abuse.
It's still a top threat.
It's the attack vector in 22% of breaches, if you have stolen
(09:47):
or compromised credentials.
Hey, those are the keys to your kingdom, and the threat actors know it. Now,
DBIR noted that 30% of the systems that were compromised by
infostealers were corporate devices.
But 46% of those were unmanaged devices that hold corporate credentials.
Now, this is a real concern in hybrid work environments where your
(10:07):
personal devices are gonna mingle with corporate device networks.
Depends on your BYOD policy and things like that.
54% of those victims had their domain show up in credential
dumps, and 40% had email address credentials out there in data dumps.
Now, as a security exec, you gotta double down on MFA across all systems.
(10:27):
I gotta pull out my laptop here, get one of these things, get a YubiKey.
In fact, get a whole bunch of 'em.
I'm not getting paid to push them, but absolutely.
I find that having that type of a physical device token is going to be key.
And of course, I just dropped my key fob necklace into my water.
(10:51):
Go figure.
Anyway, cheers.
But what we find then is that if you have MFA,
it's gonna be a lot more difficult for an attacker to get through.
Yeah, I've seen some fairly sophisticated attacks that allow some workarounds,
but in general, what you wanna be is you wanna be very hard to breach.
You wanna make it such that the difficulty of getting into your system is so great
(11:13):
that the attacker's gonna say, it's just not even worth our time and energy to do it.
Also, look at credential monitoring tools out on the dark web.
Now, I recommend you do not go ahead and start doing your own
threat intel on the outside.
Why?
Because if you're poking around on the dark web and you get caught,
they can come after you and say, Hey, we're gonna teach you a lesson.
There are companies that do that for a living.
So let them go ahead and take on that risk.
(11:33):
You can absolutely do threat hunting within your enterprise,
within your network.
'Cause you're expected to be doing that.
And if that guy gets caught inside your network, it's, Hey, it's part of the game.
But don't go poking around out there.
And again, as I said before, train your employees.
Make sure they recognize phishing attempts, which often will
precede a credential theft.
(11:54):
So assume your credentials may be compromised.
If so, what would you do?
Again, MFA, making it a lot more difficult.
Even if someone had an ID and password, they're not gonna
get in without that next step.
And also think about maybe geographically locking places down.
I know you can do that in Microsoft Azure so that when someone tries to log in from
a country that we do not do business with, that login should be denied right away.
(12:16):
It also means, of course, you gotta coordinate with travel and HR when
somebody is going over there so that you don't inadvertently lock them out.
All right.
Number five, espionage attacks.
That has surged by 163% from the year before.
Wow.
That's now up to 17% of the reported incidents.
Now, it's interesting that you look at the motivation, the espionage motivation.
(12:40):
89% of threat actors are still after financial gain.
Alright, but 17% said, yeah, espionage too.
Now you can do both.
This is why the numbers don't add up to a hundred.
But this increase is a concern.
It's particularly in manufacturing.
Healthcare sectors are being hard hit.
Nation state actors are targeting intellectual property, sensitive data.
Web app attacks usually linked to espionage are up.
(13:03):
61% of those are driven
by espionage motives.
And only 34% were motivated by financial gain, which I thought was interesting.
Also, what do you do?
Can you go ahead and interview the people who break into your stuff and say,
by the way, what are you looking for?
So I'm not sure how they get those numbers, but if you're a CISO in one of
these industries, this is a red flag.
So harden your web apps with robust firewalls, intrusion detection systems.
(13:23):
Make sure you got web app firewalls also.
Compensate potentially for your developers who may not have the world's
best coding or are trying to offload code to AI and things like that.
Do regular pen testing.
Identify your weaknesses and collaborate with legal and compliance teams to ensure
that your sensitive data is identified.
(13:44):
So you know which one it is.
And then you can also go ahead and make sure that it is in compliance,
often encrypted at rest, encrypted in motion, and you limit the access to it.
Espionage, your high stakes games.
You can lose your company, you can lose country.
And so your secrets are the prize and you're part of the front line.
(14:04):
Number six, system intrusions in APAC, so Asia Pacific region, or APAC. It's
found out that if you're operating over there, if you have operations there,
83% of the breaches in the APAC stem from system intrusions, up from 39%.
Now, that's huge, and malware has been a key driver.
According to the report, 83% of those incidents, up from 58%, and
(14:28):
more than half of those breaches involve, well, stolen credentials.
We just heard about that.
So the surge highlights this region's vulnerability to external actors
targeting critical infrastructure.
Now, if you oversee APAC operations, prioritize network segmentation.
Deploy advanced threat detection tools, and since ransomware was
involved in more than half the breaches in the region, revisit your
(14:50):
incident response plans to make sure they are tailored to regional risks.
If you're a global organization, you have to not only think
globally, but think locally.
Your APAC defenses have to be as robust as those of your headquarters.
Number seven, BEC, Business Email Compromise. Losses soar.
(15:10):
$6.3 billion in losses with a median loss of about $50,000 per incident.
Now domestically, I went ahead and I looked up the FBI's Internet Crime
Complaint Center, the IC3, and that just came out recently as well.
I might do an episode on that.
And that documented 2.77 billion in losses from 21,000 reports, or over $129,000 each.
(15:35):
So I guess it pays better if you're hacking Americans.
Anyway, over 40% of these successful social engineering attacks today are BEC
or pretexting, where an attacker is gonna impersonate an executive trying to trick
an employee into transferring funds.
Now, unlike ransomware, the BEC incidents aren't gonna make headlines because
most people don't wanna report them.
They're embarrassed about it.
(15:55):
But the financial impact could be huge.
And as a security executive, you can combat this by having strict verification
processes for financial transactions.
I did a talk, as I mentioned, one of my clients had an executive who had done
the Windows + R, Control + V, Enter.
And so what we said is that look, today with deep fakes and things such as
(16:17):
that, you can get a call that looks and sounds exactly like your CEO. Hey,
CFO, we're doing this sensitive deal.
I need you to transfer money now.
Okay, great.
Unless you are doing it face to face, the concern is this
person having a deep fake.
So what I recommend is to have the equivalent of a disposable secret.
Probably if your CEO's on the road, he's not gonna call you five different times
(16:40):
with five different deals in the same day.
And so have something that you can agree upon that, once it's been
used, because it's a possibility your communications channels are
monitored, that doesn't work anymore.
And so work out some phrase, some exchange of information that you
could go ahead and validate that.
And it's, I'm busy, you gotta do this.
Oh, I forgot.
Or whatever.
I'm sorry.
That's a red flag.
And,
(17:01):
If you wanna see the real extreme of that, go look up the old black and
white movie Fail Safe from the early 1960s and lemme know how that goes for
you if you haven't seen that before.
But help your employees spot red flags: unusual email or domains, urgent payment
requests, and an email security solution
that can flag impersonation attempts. I have in my Microsoft
(17:27):
account there for Exchange, you can do security rules, and one of the things
I do is have impersonation blocking.
So if a person says that they're one of these key executives
and it's not coming from
a known place.
If I know the CEO has a Gmail account, I'll put that as an exception.
But if it's Mr. Big at Yandex au and it matches Mr. Big as my internal
(17:52):
person, it's gonna get rejected.
It's not even gonna get delivered.
In fact, I do deliver it.
I deliver it to myself.
It's a CISO and a special thing.
Let me examine it to see if it's an indication of higher risk.
It's as much of a human problem as a technical one, but your people need
to be your first line of defense.
Number eight, your human risk persists, and the DBIR reports about 60% of
(18:14):
your breaches involve a human element.
Error.
Phishing victims, misconfigs, so they make a mistake. A slight drop from last year.
But don't let it fool you.
If you read the footnotes.
They said there's a lot of fun in
the footnotes.
It's almost as much fun as the Monty Python, the Holy Grail subtitles. Number
35 says they've been, they reclassified some of last year's ransomware breaches
from extortion, which is social, to humans.
(18:35):
So it really didn't drop, they just changed the, they
moved the goalposts a little.
But humans remain your greatest vulnerability.
As well as your greatest asset.
Now, for a CISO, this means you have to invest in security awareness training
that's engaging and role specific.
The generic one size fits all isn't gonna work anymore.
Simulate phishing attacks to test employee readiness, but again,
create an environment of no fear.
(18:57):
Don't have a wall of shame.
Don't go ahead and score eight people who screw up because they're gonna
not trust anything that comes from IT
security. And then don't overlook misconfigs.
Remember, regular audits of cloud environments can catch an error
before they become a breach.
The DBIR reminds us technology is only as strong as the people behind it.
Number nine, industry specifictrends demand attention.
(19:19):
Our ninth element is the DBIR focus on these industry trends.
Manufacturing and healthcare are facing, as we said before,
rising espionage attacks.
Education, financial and retail sectors are dealing with things like
ransomware and credential abuse.
SMBs, regardless of the industry, are disproportionately hit by ransomware
with about 88% of the reported breaches involving this threat.
(19:41):
And that may not be because 88% of small businesses get reported, but it might
be the only thing they bother to report.
As a security exec, tailor your defenses to your industry risk profile.
If you're in healthcare, prioritize patient data encryption.
If you're in retail, focus on securing your e-commerce platforms.
These industry breakdowns are very valuable; use them to benchmark your
defenses against your peers and anticipate some of your threats.
(20:06):
Number 10, the DBIR points to a need for a multi-layered defense strategy.
With these third party breaches, ransomware, espionage, human
errors on the rise, there's no single solution that's gonna work.
So this report emphasizes taking proactive measures, do patch management.
Should be doing that, right?
(20:27):
MFA, do that. Employee training, do that.
Network segmentation, vendor oversight.
This means you gotta align your security program with your business
objectives. By the way, if you're doing that,
it's a little bit easier to get funding as the CISO too, because you can point
to a business value instead of you just being a cost center. Engage your board.
Secure budget for advanced tools like AI driven threat detection.
(20:48):
Have a culture of security where everybody feels responsible.
And Chris Novak, who's Verizon's VP of Global Cybersecurity Solutions, says
that the DBIR's findings underscore the importance of a multi-layered
defense strategy I mandate.
And this ferone I'll decided our top 10.
I'll do number 11.
Data leakage to Gen AI.
(21:10):
Yeah, you're wondering where that is.
So it's a new and rapidly emerging concern.
It's on pages 24 and 25 in the report, and it notes a significant uptick
in incidents where sensitive data, like proprietary code, customer
information, internal documents, have been
inadvertently exposed through employee interaction with Gen AI tools.
12% of the data compromise incidents in this past year that were
(21:33):
reported involve employees inputting sensitive information into public or
insufficiently secured AI platforms.
Oops.
It's a 200% increase from last year.
It's mostly 'cause people are now figuring out, Hey, I can do stuff with this.
And so it's really alarming in industries like technology and
finance where intellectual property and client data are gonna be
prime targets.
(21:53):
Now many employees are unaware of the risks.
They'll use AI tools for tasks like drafting an email, analyzing data.
They don't realize that these platforms can store or share inputs externally.
And so it talks about things such as, hey, which is bigger, 9.9 or 9.11,
and then you end up getting some other corporate information leaked with that.
Or how many R's in strawberry?
I dunno if they fixed that yet.
(22:13):
I'll have to take a look.
But establish a clear policy on AI tool usage.
Specify which platforms are approved and require data anonymization.
Lemme say that again.
Anonymization, that sounded better.
Before input.
Try that fast five times.
What do I mean by that?
It means that if I'm gonna go ahead, I'm gonna send a letter to client X and I'm
(22:36):
gonna talk about system Y. I wanna go ahead and substitute something in there.
It's gonna say Bill instead of Joe.
It's gonna say Big instead of Small, whatever the idea is, that
you tokenize it, let it do its thing.
If somebody grabbed the tokenized word and it's full of code words,
they're not gonna really figure out what you're talking about.
They'll figure out what you're talking about, but not for whom.
(22:57):
And I'm pretty sure that there's some tools out there when I was
over there at RSAC that I just didn't catch, as I mentioned last
week, I had to come back early.
By the way, my little dog is here on the floor with her laying on her
back and she's healing up nicely.
So if anybody's worried about the fate of my little Pomeranian, she's doing okay.
But also, think about data loss prevention, DLP solutions.
(23:20):
You wanna block sensitive data from going out to unvetted AI systems.
Now it turns out that if you don't pay for your AI, you're not paying
for the product, you're the product.
If you look at, for example, Microsoft Copilot, they have a deal in there
that if you actually pay them some money,
they will agree that they will not train on your data.
It stays local to you.
And of course, if you've got enough processing power,
download a Llama or do something like that and do your own AI models locally.
(23:44):
But also, again, it comes down to training programs, helping
people know they use that.
It's, there's a great allure in that it says, Hey, I can just
throw my work at Gen AI and all my homework's done and I can sit around
and play with my dog all afternoon.
It's really also for you as a leader and a manager, something you gotta look for.
Now, I had a gentleman work for me going on
a couple years ago now. I remember the day he discovered GenAI.
(24:07):
All of a sudden his responses went from yes or no, or I'm on it, to
whereas it is critical to share this information with your subordinates.
It's important to understand the overall.
And it's, no, he doesn't write like that.
Where in the world did this stuff come from?
And once I figured it out, it's, stop it now.
Eventually it's gonna get good enough that you're not gonna
(24:27):
be able to tell the difference.
But for right now, I think I can.
There we go.
If you're watching on video, here's my little doggy, she's back up
here to say hello, which is fine 'cause we're pretty much at the end.
So be careful that your AI doesn't become a Pandora's box and have problems.
So this DBIR report isn't just a report.
It's a mirror.
(24:48):
It reflects us back as what we're doing, our challenges and our opportunities.
Cyber crime's evolving, nation state attacks are evolving, but so do our
events as they need to evolve as well.
So as security executives, you're the architects of resilience.
Use these elements to guide your strategy, tackle your third party risk.
Fortify against ransomware.
Patch your vulns quickly, protect your credentials.
(25:11):
Go ahead and come up with defenses against espionage.
If you're running in APAC, have better defenses out there.
Combat your business email compromise.
Train your people, tailor to your industry.
Build layered defenses and limit what your people can put on
AI without knowing what it is
for you.
This is a daunting threat landscape, but if you have data-driven insights like
the DBIR, you're not fighting blind.
(25:32):
So thank you very much for listening to this week's episode of CISO Tradecraft.
If you found it valuable, share with your peers.
Go ahead and subscribe.
We're on LinkedIn.
Also, if you're not following us on LinkedIn, we have a
lot more than just podcasts.
We also have a Substack newsletter, which is a summary of this, so you don't have
to listen to me talk the whole time.
You can read it on a plane or whatever.
(25:52):
Also, if you wanna download the full DBIR report, you go
to verizon.com slash business
slash resources.
And of course, as they say, they'll direct you after you give 'em
their capture information to a PDF page where you can do that.
But meanwhile, I think it's well worth your time to take some time reading
it and you're gonna get good insights.
And again, have fun with the footnotes, and if they still have a
(26:13):
puzzle there, somebody let me know.
'Cause I don't know if they still do that anymore.
Anyway, this is your host, G Mark Hardy.
I appreciate your time.
Thank you.
Until next time, stay safe out there.