News

Report: Basic Security Lapses Spark Most Data Breaches

Verizon Business reviewed more than four years of data breach cases and found that most wouldn't have happened had basic security measures been in place.

By Bill Brenner, Senior Editor

June 13, 2008

Security experts often emphasize the growing sophistication of malware attacks as the reason so many organizations have suffered a data breach. But a new data breach report from Verizon Business suggests nine out of 10 breaches wouldn't have happened had basic security policies and technologies been in place.

The report is based on a review of data breach cases Verizon Business and Cybertrust (acquired by Verizon last year) investigated over a four-year period. The company reviewed more than 500 forensics investigations involving 230 million records and hundreds of corporate breaches, including three of the five largest ones ever reported. Among the findings:

Most data breaches were caused by external sources.
Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

Most breaches resulted from a combination of events rather than a single action.
Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

Of the breaches caused by hacking, 39 percent were aimed at the application or software layer.
Attacks on the application, software and services layer were far more common than operating system platform exploits, which accounted for 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, for 90 percent of the known vulnerabilities exploited, a patch had been available for at least six months before the breach.

Nine of 10 breaches involved unknown systems, data, network connections and/or account user privileges.
At the same time, 75 percent of breaches were discovered by a third party rather than the victim and went undetected for a long time.

Bryan Sartin, vice president of the investigative response team at Verizon Business, said the biggest takeaway, in his opinion, is that companies have to be much more careful about the access they give to third parties such as contractors and business partners.

"I see this as one of the biggest problems," Sartin said in a telephone interview. "Companies are doing more business with third parties and giving them direct access to the network without keeping an eye on what these people are up to."

Evert Ramon Krikken, a security and risk management strategies analyst with Midvale, Utah-based Burton Group, said he's not surprised by the third-party factor. Noting that a large percentage of those studied for Verizon's report were retailers and those in the food and beverage sector, he said, "These businesses are very dependent on third parties for credit card processing."
