Qualys Blog

www.qualys.com
wkandek

Verizon Breach Report – New and Old Takeaways

Verizon released yesterday its 2012 Data Breach Investigations Report (DBIR), full of interesting data. For the first time, Verizon distinguished between small and large organizations in the data and we see a clear difference in the maturity of their security implementations. That distinction alone offers quite a number of hints on where to focus our attention as security professionals.

The main lessons for security professionals from this report: 1) the overall results represent a continuation on the trends from the reports of previous years; and 2) many of the problems documented are within the security industry’s ability to address – for both smaller and larger organizations. That’s really good news.

Here’s a recap of what I consider to be the most important findings for security professionals:

  • 97 percent of breaches (96 percent for both preceding years) could have been avoided with simple controls.
  • The types of beneficial controls cover the same areas for both small and larger organizations, but vary in their details.
  • Small organizations' biggest issues are default passwords on their remote access applications (think RDP, VNC, pcAnywhere).
  • Large organizations seem to have overcome the default password problem on their remote access applications but are faced with stolen login credentials and brute forcing.
  • Both small and large organizations are victims of malware that criminals install to maintain access to the breached network and to send the stolen data to their servers. In small organizations, the malware is installed largely by hand, whereas large organizations face more advanced infection mechanisms: close to 50 percent were infected through e-mail attachments, drive-by-downloads and web-borne malware.

Fortunately, we have the technical solutions available today for both small and large organizations to resolve all of these issues. The challenge to the solution often lies in the lack of knowledge, rather than complexity or cost. As a security community, it’s up to all of us to make successful implementations more visible and effectively promote the architects and operators who are doing it right. For an example see the work done at the US Department of State in recent years.

You can find the full DBIR report here.

Leave a Reply