Most companies already have the tools to protect themselves from the numerous security breaches they suffer, and by implementing reasonable security measures, 87 percent of breaches could have been avoided completely, according to a study released today by Verizon Business. The “2008 Data Breach Investigations Report” took four years to compile and analyze. Verizon Business conducted forensic investigations on over 500 security cases, including three of the five largest reported. The group analyzed over 230 million records and dispelled a couple of myths along the way. One myth is that most fraud and security breaches come from internal sources. Verizon’s study showed that, in fact, 73 percent of breaches resulted from external sources. Often they were the result of a combination of events rather than a single hack or intrusion. However, the outside jobs often did have a relationship to the business that was breached: 39 percent of breaches were attributed to business partners, and over the four-year study this figure increased fivefold. Significant internal errors contributed to these breaches and made them easier; 59 percent of breaches were the result of hacking and intrusions. “It seems that every case that comes in these days is predominantly yet another company that has fallen victim to the same basic problem. As a result, they put in place the same remediation measures,” said Bryan Sartin, vice president of investigative response at Verizon Business. Sartin said that when these breaches are made public, the focus is on the company, the customers affected and the data that was taken, but you don’t hear enough about what the company did wrong or whether there was an arrest. “There are aspects of the crime that people really need to know about, so that’s what we are trying to create here. To give people that hidden forensic investigator’s perspective,” he said.
Thirty-nine percent of the hacking incidents were aimed at the application or software layer of the network rather than at operating systems. The hackers’ job was made easier because 90 percent of the known vulnerabilities that were exploited had patches available for at least six months prior to being exploited. Attacks are not expected to slow down, but they are expected to start hitting softer targets around the world. Soft targets include industries such as retail and food and beverage, as well as markets such as Asia and Africa. As it turns out, financial markets are not the hardest hit after all. Retail is most often breached. It accounts for more than 50 percent of all reported security breaches, which is a surprisingly small number, Sartin said. “People don’t necessarily want people knowing they were breached. They are trying to protect their brand,” Sartin said. Hackers have their specialties, too. In China and Vietnam, it often is applications that are exploited for the data. Defacement is prevalent in the Middle East, while IP addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems. “So many people think because of what they hear and the disclosure obligations in place that data compromise is a U.S.-only problem,” Sartin said. “It isn’t. In fact, across 2006 and 2007, 40 percent of our cases involved victims outside the U.S.” Sophisticated criminals aren’t interested in your bank account anymore either; they want data, and lots of it. The report suggests that data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud. By breaking into restricted computer systems and compromising the sensitive information stored within them, criminals are able to access systems that contain information on tens of thousands of victims, versus just a handful through non-electronic means.
As it is with, say, an NCAA referee with a gambling problem, high-tech criminals are teaming with organized crime groups to put the squeeze on IT professionals or third-party developers who can be compromised. This could be partly to blame for 39 percent of breaches coming directly and indirectly from business partners. “The role of the partial insider was nonexistent in 2006, but suddenly in 2007 it popped out like an epidemic. And by partial insiders, I mean vendors, third parties, support organizations, call centers, and application development companies. They were all people that are entrusted with some level of access to a company’s critical servers and sensitive data,” Sartin said. Most security breaches are not specifically targeted. It is those who leave the door open that are attacked. Forty-six percent are partly targeted but only succeed opportunistically. Another 39 percent are fully opportunistic. This means that hackers aren’t spending a lot of time trying to crack secure systems; they are exploiting those who have not taken, as the report puts it, reasonable security measures. Verizon Business recommends that businesses follow through on the policies and procedures they already have in place but have not executed. In 59 percent of data breaches, organizations had security policies and procedures established but not implemented. The company also suggested that companies keep a better eye on their data, as 68 percent of all breaches involved data that a company did not even know was on its systems. Other recommendations include increasing network segmentation to keep data isolated, creating an incident response plan for both suspected and actual breaches, and increasing awareness throughout the enterprise. After all, only 14 percent of breaches were identified internally; 75 percent were identified by third parties. One of the simplest steps to take to mitigate security breaches is to monitor logs not only when a breach is suspected, but all the time.
The report found that evidence of the events leading up to 82 percent of data breaches was available to the organization prior to the actual compromise of the network. Sometimes people have to be forced into taking the necessary steps. In the payment card industry, for example, the industry mandated compliance validation for certain security measures, backed by substantive fines and penalties for non-compliance. The program was rolled out in September, and two weeks later all the demand for incident response services was coming from overseas. “That started to show us that as soon as those compliance deadlines hit and companies started making real progress toward compliance, fraudsters knew it and headed elsewhere,” Sartin said.
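The two findings above, that log monitoring should be continuous and that warning signs were already in the logs before most compromises, are easiest to appreciate with a concrete monitor. The following is an added example written for this article; it is not code from Verizon Business or the report. It runs two simple detection rules over a constructed authentication and export log for a hypothetical point-of-sale database host (the log lines, host name, user names and IP addresses are all made up for the example) and then measures how much warning the first alert would have given before the data left the system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical host "posdb01"; not taken from the
# report or any real system. One event per line:
#   "<YYYY-MM-DD HH:MM:SS> <host> <event> user=<u> src=<ip> [bytes=<n>]"
SAMPLE_LOG = """\
2008-06-01 01:58:10 posdb01 login_ok user=alice src=198.51.100.4
2008-06-01 02:00:01 posdb01 login_fail user=svc_pos src=203.0.113.9
2008-06-01 02:00:40 posdb01 login_fail user=svc_pos src=203.0.113.9
2008-06-01 02:01:15 posdb01 login_fail user=svc_pos src=203.0.113.9
2008-06-01 02:02:03 posdb01 login_fail user=svc_pos src=203.0.113.9
2008-06-01 02:03:22 posdb01 login_fail user=svc_pos src=203.0.113.9
2008-06-01 02:05:30 posdb01 login_ok user=svc_pos src=203.0.113.9
2008-06-01 02:31:09 posdb01 export user=svc_pos src=203.0.113.9 bytes=734003200
2008-06-01 02:45:00 posdb01 login_fail user=bob src=198.51.100.7
"""

# Timestamp of the constructed bulk export, used as the "compromise" moment.
EXPORT_TS = datetime(2008, 6, 1, 2, 31, 9)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: bytes=(?P<bytes>\d+))?$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["bytes"] = int(ev["bytes"]) if ev["bytes"] else 0
        events.append(ev)
    return events


def detect_precursors(events, fail_threshold=5, window=timedelta(minutes=10),
                      export_limit=100 * 1024 * 1024):
    """Apply two rules and return (timestamp, rule, detail) tuples in time order.

    Rule 1: a successful login from a (source, user) pair that produced at least
            `fail_threshold` failures within `window` (password guessing that worked).
    Rule 2: a single export larger than `export_limit` bytes (bulk data leaving).
    """
    alerts = []
    recent_fails = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        fails = recent_fails[key]
        while fails and ev["ts"] - fails[0] > window:  # forget failures outside the window
            fails.popleft()
        if ev["event"] == "login_fail":
            fails.append(ev["ts"])
        elif ev["event"] == "login_ok" and len(fails) >= fail_threshold:
            alerts.append((ev["ts"], "brute_force_success",
                           f"{ev['user']} from {ev['src']} after {len(fails)} failures"))
            fails.clear()
        elif ev["event"] == "export" and ev["bytes"] > export_limit:
            alerts.append((ev["ts"], "bulk_export",
                           f"{ev['bytes']} bytes by {ev['user']} from {ev['src']}"))
    return alerts


def lead_time(alerts, compromise_ts):
    """Minutes between the earliest alert and the compromise, or None if nothing fired earlier."""
    earlier = [ts for ts, _, _ in alerts if ts < compromise_ts]
    if not earlier:
        return None
    return (compromise_ts - min(earlier)).total_seconds() / 60


if __name__ == "__main__":
    alerts = detect_precursors(parse_log(SAMPLE_LOG))
    for ts, rule, detail in alerts:
        print(ts, rule, detail)
    print("minutes of warning before the export:", lead_time(alerts, EXPORT_TS))
```

Run as a script it lists the two alerts and reports that the first one fired about 25 minutes before the export. The point is not the rules themselves, which are deliberately basic, but that they only help if the log is read continuously: the same evidence reviewed after a third party reports the breach confirms what happened, while the same evidence reviewed at 02:05 is a chance to cut the session before anything is exported.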