Slashdot Mirror


Data Breach Study Spanning 500 Break-Ins Released

Dr. Jim Anderson writes "The good folks over at Verizon Business have released a report that summarizes what they've found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and (3) attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East."

23 of 71 comments

  1. Aarrgghhh!!! by DoofusOfDeath · · Score: 4, Funny

    (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and

    How the hell are we supposed to defend ourselves against the 75% of attacks that are immune to the laws of logic???

    1. Re:Aarrgghhh!!! by ledow · · Score: 4, Informative

      Yeah, it's really not clearly worded, is it?

      I assume they mean "software/hardware vulnerability", and that the other 75% are people doing stupid things - "human vulnerabilities" or even "policy vulnerabilities". It's interesting in itself though that 75% of the attacks are due to, presumably, direct human error and nothing to do with the data being on computer.

      So when your bank next releases your details, don't accept an explanation. Most probably, someone who works there did something incredibly stupid and deliberate, rather than they got hacked or outwitted.

    2. Re:Aarrgghhh!!! by Anonymous Coward · · Score: 2, Funny

      No, no! What they are trying to say is that 75% took advantage of both a known and unknown vulnerability! You have to remember, the 'or' in this sentence was probably not written by a programmer.

    3. Re:Aarrgghhh!!! by Anonymous Coward · · Score: 2, Informative

      Actually, what they are getting at is that someone left the door open (an attack on a vulnerability wasn't needed). Like putting the data on a share that they didn't realize was public.

    4. Re:Aarrgghhh!!! by Tanktalus · · Score: 4, Insightful

      Apparently, someone is trying to make Rumsfeld out to be an idiot. Though that he may be, IMO this quote is actually fairly insightful, if somewhat poorly worded. I've had a similar saying (is it a saying if I'm the only one saying it?): "There are three types of people in the world. Those who don't know what they're doing and know they don't; those who know what they're doing and know they do; and those who don't know what they're doing but think they do. It's the last group that screws everything up for the other two groups." The thing to realise is that everyone falls into all three categories for different aspects of our lives, and the challenge is to tell the difference for each situation to try to avoid being in the last group.

      In Rumsfeld's quote, "known knowns" are the areas where we are in the middle group: knowing what we're doing, and knowing that. "Known unknowns" are the areas where we don't know what we're doing and know we don't. And "unknown unknowns" are the last group: things we think we know, but don't. (Ok, that's not quite precisely what he's talking about, but it's analogous.) And that last group is the most dangerous one.

  2. Business Partners?? by Finallyjoined!!! · · Score: 4, Funny

    Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

    Some Partners!!

    Watch your backs guys.

    PS. How can 39% rise 5 fold?

    --
    If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
    1. Re:Business Partners?? by Red+Flayer · · Score: 2, Informative

      PS. How can 39% rise 5 fold?
      It didn't.

      Here's an example to make some sense of it:

      Say there were 200 cases, 100 each over two years. During year 1, there were 13 cases due to business partners. During year two, there were 65 cases due to business partners.

      The percentage went up five-fold between year 1 and year 2, but the total percentage over the study is 39%.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  3. Re:Fewer than 25 percent... by morgan_greywolf · · Score: 5, Interesting

    ... took advantage of a known or unknown vulnerability? What the hell did the other 75% do??
    Try RTFS.

    Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place,
    The rest didn't need to take advantage of vulnerabilities because good security was simply not in place.
  4. Actual report by martyb · · Score: 5, Informative

    Here is a link to the actual report (PDF): http://www.verizonbusiness.com/resources/security/databreachreport.pdf

    I quickly scanned the report and it appears to be quite detailed. Definitely required reading for any CxO!

    1. Re:Actual report by morgan_greywolf · · Score: 5, Insightful

      Definitely required reading for any CxO!
      CxOs don't read things like this. Instead, they usually read advertisements that say BS things like "buy our product and you'll never have any security problems again!"

      That's why 9/10 attacks involved totally preventable breaches -- if reasonable security had been in place.

    2. Re:Actual report by BVis · · Score: 3, Insightful

      Not to mention the fact that CxOs are frequently the biggest offenders when it comes to poor security practices. I've seen more than one CEO of a Fortune 500 company use the name of the company as their domain/email password, and refuse to change it on a regular basis like the rest of the users at the company. Trying to enforce a security policy with someone who can have you escorted off the premises on a moment's notice is pretty much impossible.

      The only way it works is to get the CEO/Chairman/Lord High Muckety-Muck to sign off on a policy that applies to EVERYONE, and then firing an executive for breach of policy as a demonstration of how serious the company takes security. (This assumes that a CxO breaches policy at some point, which is pretty much inevitable.) The attitude of "security policy is for little people" reminds me of Leona Helmsley's 'taxes are for little people' attitude.

      --
      Never underestimate the power of stupid people in large groups.
  5. Data transaction zones by Pysslingen · · Score: 5, Interesting

    But often I wonder how many companies connect everybody in the company to the internet when there is no real need? One place I worked maintained three separate networks; one for internet, one for work, one for very confidential work. The work network had access to e-mail (internet-based e-mail through a firewall through which only the mail-server could talk) while the confidential network had only internal e-mail. This may have been overkill, but breaches were more or less impossible. Running NT4 also made sure USB sticks weren't an issue, though I believe they managed to upgrade to XP a few years ago, but testing was extensive.

    1. Re:Data transaction zones by watookal · · Score: 2, Funny

      "Running NT4 also made sure USB sticks weren't an issue, though I believe they managed to upgrade to XP a few years ago, but testing was extensive."

      The security dudes at my previous place of employment managed to devise a more portable solution to the USB stick problem: they simply glued shut the USB ports on all computers. No kidding.

    2. Re:Data transaction zones by deroby · · Score: 2, Informative

      Somehow doesn't always work. I can't explain it, but I do KNOW that it can be circumvented:

      Some time back I was a consultant at a (largish) bank. They too had 'locked out' USB devices that way. And lo and behold, it worked on any randomly available USB stick; no external drives were mounted.

      Some days later I was 'confused' and tried to copy something using my (very) old 64Mb stick. Worked like a charm. Realizing that this was 'impossible', we tried with other USB sticks, but mine was the only one that worked.
      The stick was a gift at some conference and has the word "Microsoft" stamped on it.
      Ever since I call it 'my precious' =)

      Anyway, once you have physical access to a machine, there's very little to stop you getting any data you want imho...
      => simply hook up an Ethernet cable between your portable computer and the given machine, a bit of fiddling with TCP/IP settings on the laptop, start an FTP server or something and off you go...

      ps: gluing both usb & the internet connector might work =)

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
  6. Re:um... by bencoder · · Score: 2, Insightful

    Stupid users and administrators would still be considered a vulnerability, which is the problem with the wording. If a system has no vulnerabilities it is impossible to break into.

  7. Those aren't vulnerabilities... by gardyloo · · Score: 4, Funny

    ... those are features.

  8. Re:um... by Datamonstar · · Score: 2, Informative

    No, that means that there were patches available but they were never applied, or the attacker might have used social engineering or some other means to trick the person into installing malware.

    --
    The eternal struggle of good vs. evil begins within one's self.
  9. Re:um... by fredklein · · Score: 2, Insightful

    the attacker might have used social engineering
    ...which is a vulnerability. Lack of proper security measures and security training.

  10. Re:um... by BVis · · Score: 3, Insightful

    In addition to the training, you need to make breaches of security a terminable offense, for everything from a deliberate theft of information, to writing down a password on a sticky note and putting it on your monitor. Without teeth, you cannot enforce a security policy, and a policy that isn't enforced isn't a policy.

    --
    Never underestimate the power of stupid people in large groups.
  11. Re:Fewer than 25 percent... by nocaster · · Score: 5, Funny

    ... took advantage of a known or unknown vulnerability? What the hell did the other 75% do??
    username: admin
    password: password
  12. Schroedinger's Vulnerability by Hoi+Polloi · · Score: 3, Funny

    Clearly what they are referring to are quantum vulnerabilities. The exact nature of the vulnerability doesn't become clear until someone observes it.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  13. Re:Fewer than 25 percent... by QuantumRiff · · Score: 3, Funny

    TAKE down your damn post. I'm reporting you to the FBI for cracking my password!

    --
    What are we going to do tonight, Brain?
  14. Some clarification on 'vulnerabilities' by whbaker · · Score: 2, Informative

    Though it wasn't our intention, it seems the reference to the % of attacks exploiting vulnerabilities has caused some confusion. It's true that 'vulnerability' can have a very broad definition (synonym for 'weakness') but we are referring specifically here to specific named/numbered (has a CVE or MS #) software vulnerabilities. The bulk of attacks across our caseload did not exploit such vulnerabilities - they exploited misconfigurations, omissions, poor security, etc. Hope that helps clear things up a bit.