I'll highlight a couple of points.
90% of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach.
I see this all the time. I can't believe how many times I've responded to an incident and asked "do you apply the updates from Microsoft's update service?" Usually I get looked at like I have two heads. I've been to one place that applied patches less than quarterly.
Investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of the attack.
This sounds like a no-brainer, but some places I've responded to have ZERO security.
Some other points the report brought to light:
- Know where your data is. Many times the critical data is stored on the SQL server. However, reports may be kept elsewhere, and no thought is given to securing that data.
- Attacks that originate from outside the company make up most of the attacks. However, the greatest damage comes from insider attacks.
- Asia: application exploits for data compromise
- Middle East: mostly defacements
- Eastern Europe/Russia: compromises of POS systems
- Sys Admins: 50% of the time
- Employees (non-sysadmins): 41% of the time
- Everyone else: 9% of the time.
Given enough time, resources and inclination, criminals can breach virtually any single organization they choose.
Of course, they go for the low hanging fruit, or where they can get the most reward.
Here's a stat on timing:
- From the point of entry to compromise - it runs from a few hours to days.
- From compromise to discovery - the average is MONTHS!!! No one is watching the fort.
- From discovery to mitigation - WEEKS!!! What? I mean some things take some time, but I would think there would be pressure to get that timeframe down.
9 out of 10 breaches include:
- A SYSTEM unknown to the organization (or business group).
- A system storing DATA that the organization did not know existed on that system.
- A system that had unknown network CONNECTIONS or accessibility.
- A system that had unknown accounts or PRIVILEGES.
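Those four "unknowns", plus the six-month patch gap from the first point, are all things you can check for mechanically by reconciling what you think you have against what you can observe. The script below is an added example, not from the report or the original post; the inventory and observed data are constructed samples, and in practice they would come from a CMDB, firewall or netflow logs, a data-discovery scan and an account audit.

```python
from datetime import date

# Constructed sample data for the example (not real systems).
# INVENTORY is what the organization believes; OBSERVED is what scans and logs show.
INVENTORY = {
    "hosts": {"db01", "web01", "fs01"},
    "data_hosts": {"db01"},  # where critical data is thought to live
    "accounts": {"db01": {"svc_sql", "dba"}, "web01": {"www"}, "fs01": {"backup"}},
    "last_patched": {"db01": date(2008, 5, 1), "web01": date(2007, 9, 1), "fs01": date(2008, 4, 15)},
    "allowed_flows": {("web01", "db01"), ("fs01", "db01")},
}
OBSERVED = {
    "hosts": {"db01", "web01", "fs01", "rpt02"},  # rpt02 turned up in a network sweep
    "data_hosts": {"db01", "rpt02"},  # report exports found on rpt02
    "accounts": {"db01": {"svc_sql", "dba", "tmpadmin"}, "web01": {"www"},
                 "fs01": {"backup"}, "rpt02": {"admin"}},
    "flows": {("web01", "db01"), ("fs01", "db01"), ("rpt02", "db01")},
}


def reconcile(inventory, observed, today, max_patch_age_days=180):
    """Return the four 'unknowns' from the report plus hosts not patched in six months."""
    known_accounts = inventory["accounts"]
    return {
        "unknown_systems": sorted(observed["hosts"] - inventory["hosts"]),
        "unknown_data": sorted(observed["data_hosts"] - inventory["data_hosts"]),
        "unknown_connections": sorted(observed["flows"] - inventory["allowed_flows"]),
        "unknown_accounts": sorted(
            (host, acct)
            for host, accts in observed["accounts"].items()
            for acct in accts - known_accounts.get(host, set())
        ),
        "stale_patches": sorted(
            host for host, patched in inventory["last_patched"].items()
            if (today - patched).days > max_patch_age_days
        ),
    }


def run_sample():
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(INVENTORY, OBSERVED, date(2008, 6, 1))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Every non-empty category is a system, data store, connection or account that nobody signed off on, which is exactly the population the report says shows up in nine out of ten breaches.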