Wednesday, July 28, 2010

The annual data breach report issued by the Verizon Business RISK team

Here it is again, the annual data breach report issued by the Verizon Business RISK team, which is consistently so chock full of hype-slaying useful data and conclusions that it is often hard to decide what to leave out when writing about it.

Once again, some of the best stuff is buried deep in this year’s report and is likely to be missed in the mainstream coverage. But let’s get the headline-grabbing findings out the way first:


  • Verizon’s report on 2009 breaches for the first time includes data from the U.S. Secret Service. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs. 285 million in 2008).

  • 85 percent of records last year were compromised by organised criminal groups (this is virtually unchanged from the previous report).

  • 94 percent of compromised records were the result of breaches at companies in the financial services industry.

  • 45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.

Among the most counter-intuitive findings in the report?
There wasn’t a single confirmed intrusion that exploited a patchable vulnerability. Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to attacks such as SQL injection, and did not require the exploitation of a flaw that could be fixed with a software patch.

In most cases, the breaches were caused by the types of weaknesses that could be picked up by a free Web vulnerability scanner:

“Organisations exert a great deal of effort around the testing and deployment of patches — and well they should. Vulnerability management is a critical aspect of any security program.

However, based on evidence collected over the last six years, we have to wonder if we’re going about it in the most efficient and effective manner.

Many organisations treat patching as if it were all they had to do to be secure. We’ve observed multiple companies that were hell-bent on getting patch X deployed by week’s end but hadn’t even glanced at their log files in months.”

To read the full article, click on the link: Krebs on Security

To read the full Verizon 2010 Report, click here: Verizon Report
