Verizon's Business Risk Team recently published an interesting report summarizing information gathered from 500 data breach investigations over a four-year period (2003-2007). It involves data collected from incidents that resulted in more than 230 million records being lost or stolen.
There's a lot of truly useful information in the report for security risk managers. Some of the summarized information is well known, while other information might prove surprising to some readers.
The part I find most helpful are the conclusions and recommendations a reader can draw from the report to provide better protection for their environment. Here are some of the summarized conclusions and points regarding data breaches from the report (comments in brackets are mine):
- 73 percent of data breaches were caused by external parties [fighting the idea that your biggest threat is from insiders]
- 39 percent of cases implicated business partners [Who can you trust? What is your security policy regarding B-to-B, and does it adequately protect you?]
- 30 percent involved multiple parties
- [Only] 15 percent were due to physical [attacks]
- Most breaches resulted from a combination of events rather than a single action
- Some form of error often directly or indirectly contributed to the compromise [this means it was preventable]
- 90 percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach [this is a tremendous finding]
- 66 percent involved data the victim did not know was on the system
- 75 percent of breaches were not discovered by the victim
- 83 percent of attacks were not highly difficult
- 85 percent of breaches were the result of opportunistic attacks
- 87 percent were considered avoidable through reasonable controls
This information may or may not be startling to you. My only caveat is that these stats cover only data breach incidents to which Verizon responded, and does not accurately reflect all malicious computer activities.
My biggest takeaway was how easily the breaches could have been avoided and how a lack of policy or control over the long run was responsible.
You don't forget (or cognitively decide not) to apply a patch after six months. That's a policy decision. Management knows about it. The techs know about it. Everyone in charge of keeping assets secure knows about it. The hacker didn't break in -- he was let in.
The report's summary ends with three recommendations:
- Ensure essential controls are met
- Find, track, and assess data
- Monitor event logs
What is interesting is that these three recommendations are the core requirements of any security risk management program -- no surprises for the solution to data breaches. Deciding on controls and setting up a control system is not easy. But more and more companies have one or are being forced to do it because of regulatory and compliance objectives.
I'm guessing that if you asked the majority of the companies involved whether they had an adequate control system in place, most would say yes and blame a specific lapse, employee, or "one-time error" for the break-in. This data proves that simply can't be the case.
More than likely, this is instead a case of management saying something to meet a checkmark evaluation measurement and not following through operationally. I can't see it any other way, at least from these data points.
Finding, tracking, and assessing data is even more difficult. I don't yet know the organization, outside of secretive government agencies, that truly knows where most of its data is. Heck, even the British government is finding out that multiple trusted people are so careless with their top-secret data that it is left accidentally on trains for the public to find.
But most data leakage isn't as public as this. It occurs daily on employee USB keys, with data taken home or backup tapes being, and from the inadvertent installation of unauthorized software (among the many reasons). Sadder, only a minority of organizations even care about locating, classifying, and control information, though it should be part of every security protection plan.
This plan confirms what I've always said: You don't need fancy, bleeding edge, anti-malware defenses, appliances, and gee-whiz software to protect your environment. All that stuff is guaranteed to fail. You'll be much better protected by following the "boring" basics more consistently.
Posted by Roger Grimes on June 20, 2008 03:00 AM
