Report: Basic Security Lapses Spark Most Data Breaches

Verizon Business reviewed more than four years of data breach cases and found that most wouldn't have happened had basic security measures been in place.

Security experts often emphasize the growing sophistication of malware attacks as the reason so many organizations have suffered a data breach. But a new data breach report from Verizon Business suggests nine out of 10 breaches wouldn't have happened had basic security policies and technologies been in place.

The report is based on a review of data breach cases Verizon Business and Cybertrust (acquired by Verizon last year) investigated over a four-year period. The company reviewed more than 500 forensics investigations involving 230 million records and hundreds of corporate breaches, including three of the five largest ones ever reported. Among the findings:

Most data breaches were caused by external sources.

Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

Most breaches resulted from a combination of events rather than a single action.

Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

Of the breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

Nine of 10 breaches involved unknown systems, data, network connections and/or account user privileges.

At the same time, 75 percent of breaches were discovered by a third party rather than the victim and went undetected for a long time.

Bryan Sartin, vice president of the investigative response team at Verizon Business, said the biggest takeaway, in his opinion, is that companies have to be much more careful about the access they give to third parties such as contractors and business partners.

"I see this as one of the biggest problems," Sartin said in a telephone interview. "Companies are doing more business with third parties and giving them direct access to the network without keeping an eye on what these people are up to."

Evert Ramon Krikken, a security and risk management strategies analyst with Midvale, Utah-based Burton Group, said he's not surprised by the third-party factor. Noting that a large percentage of those studied for Verizon's report were retailers and those in the food and beverage sector, he said, "These businesses are very dependent on third parties for credit card processing."

It also makes sense that this sector hasn't been affected as much by malicious insiders, since most employees aren't sitting in front of a computer all day. The insider threat is more of a factor for companies dealing with research and pharmaceuticals, he noted.

"If you use third parties and you share confidential data with them, make sure you do your due diligence," Krikken said. "When you are selecting a vendor, you should ensure they have a set of security policies in place that match your own policies. Make clear what you see as the minimum set of controls." On top of that, he said, retailers must constantly re-evaluate the vendor over the lifetime of the relationship to ensure they still comply and that they change along with the threat landscape and any new regulations that come about.

Another important takeaway from the report is that companies need to do better at taking care of the little security details, said Mike Rothman, president and principal analyst of Security Incite, an industry analyst firm in Atlanta. That includes having up-to-date antivirus, firewalls and basic access control policies.

"Millions of things will kill you, and the most effective combination is the really simple malware and the open doors that allow it into the network," he said. "Good security involves very simple block and tackle. That includes patching when things should be patched."

Rothman also recommended companies create an incident response plan and conduct regular drills. Incidents happen, he said, and at some point most companies will have to deal with one.

"Most companies don't have an adequate plan, and when something goes down you have a train wreck," he said.

Copyright © 2008 IDG Communications, Inc.
