Data Breach Study Spanning 500 Break-Ins Released
Dr. Jim Anderson writes "The good folks over at Verizon Business have released a report that summarizes what they've found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and (3) attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East."
Yeah, it's really not clearly worded, is it?
I assume they mean "software/hardware vulnerability", and that the other 75% are people doing stupid things - "human vulnerabilities" or even "policy vulnerabilities". It's interesting in itself though that 75% of the attacks are due to, presumably, direct human error and nothing to do with the data being on computer.
So when your bank next releases your details, don't accept an explanation. Most probably, someone who works there did something incredibly stupid and deliberate, rather than they got hacked or outwitted.
Here is a link to the actual report (PDF): http://www.verizonbusiness.com/resources/security/databreachreport.pdf
I quickly scanned the report and it appears to be quite detailed. Definitely required reading for any CxO!
No, that means that there were patches available but they were never applied, or the attacker might have used social engineering or some other means to trick the person into installing malware.
The eternal struggle of good vs. evil begins within one's self.
Here's an example to make some sense of it:
Say there were 200 cases, 100 each over two years. During year 1, there were 13 cases due to business partners. During year two, there were 65 cases due to business partners.
The percentage went up five-fold between year 1 and year 2, but the total percentage over the study is 39%.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Set permissions on usbstor.sys
save the glue.
Actually what they are getting at is someone left the door open (an attack of a vulnerability wasn't needed), like putting the data on a share that they didn't realize was public.
Somehow doesn't always work. I can't explain it, but I do KNOW that it can be circumvented:
Some time back I was a consultant at a (largish) bank. They too had 'locked out' USB devices that way. And lo and behold, it worked on any randomly available USB-stick, no external drives were mounted.
Some days later I was 'confused' and tried to copy something using my (very) old 64Mb stick. Worked like a charm. Realizing that this was 'impossible', we tried with other USB sticks, but mine was the only one that worked.
The stick was a gift at some conference and has the word "Microsoft" stamped on it.
Ever since I call it 'my precious' =)
Anyway, once you have physical access to a machine, there's very little to stop you getting any data you want imho...
=> simply hook up an Ethernet cable between your portable computer and given machine, a bit of fiddling with tcp-ip settings on the laptop, starting an ftp server or something and off you go...
ps: gluing both usb & the internet connector might work =)
If there is one thing to be learned on slashdot, it has to be sarcasm.
Though it wasn't our intention, it seems the reference to the % of attacks exploiting vulnerabilities has caused some confusion. It's true that 'vulnerability' can have a very broad definition (synonym for 'weakness') but we are referring specifically here to specific named/numbered (has a CVE or MS #) software vulnerabilities. The bulk of attacks across our caseload did not exploit such vulnerabilities - they exploited misconfigurations, omissions, poor security, etc. Hope that helps clear things up a bit.