Slashdot Mirror


Data Breach Study Spanning 500 Break-Ins Released

Dr. Jim Anderson writes "The good folks over at Verizon Business have released a report that summarizes what they've found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and (3) attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East."

2 of 71 comments

  1. Re:Fewer than 25 percent... by morgan_greywolf · Score: 5, Interesting

    ... took advantage of a known or unknown vulnerability? What the hell did the other 75% do??
    Try RTFS.

    Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place,
    The rest didn't need to take advantage of vulnerabilities because good security was simply not in place.
  2. Data transaction zones by Pysslingen · Score: 5, Interesting

    But often I wonder how many companies connect everybody in the company to the internet when there is no real need? One place I worked maintained three separate networks; one for internet, one for work, one for very confidential work. The work network had access to e-mail (internet-based e-mail through a firewall through which only the mail-server could talk) while the confidential network had only internal e-mail. This may have been overkill, but breaches were more or less impossible. Running NT4 also made sure USB sticks weren't an issue, though I believe they managed to upgrade to XP a few years ago, but testing was extensive.