Friday, June 20, 2008

Verizon Data Breach report

I finally got a chance to read this report, and I'll say, it's excellent. You can find a copy of it here.

I'll highlight a couple of points.

90% of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach.

I see this all the time. I can't believe how many times I've responded to an incident and I ask "do you apply the updates from Microsoft's update service?" Usually I get looked at like I have two heads. I've been one place that applied patches less than quarterly.

Investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of the attack.

This sounds like a no-brainer, but some places I've responded to have ZERO security.

Some other points the report brought to light:

  • Know where your data is. Many times the critical data is stored on the SQL server. However, reports may be kept elsewhere, and no thought is given to securing that data.
  • Attacks that originate from outside the company make up most of the attacks. However, the greatest damage comes from insider attacks.

As far as the origin of the attacks, the report found:
  • Asia: application exploits for data compromise
  • Middle East: mostly defacements
  • Eastern Europe/Russia: compromises of POS systems

Internal attacks were carried out by:
  • Sys Admins: 50% of the time
  • Employees (non-sysadmins): 41% of the time
  • Everyone else: 9% of the time.

This is a great point that everyone in charge of security should be aware of and remember:

Given enough time, resources and inclination, criminals can breach virtually any single organization they choose.

Of course, they go for the low hanging fruit, or where they can get the most reward.

Here's a stat on timing:
  • From the point of entry to compromise - it runs from a few hours to days.
  • From compromise to discovery - the average is MONTHS!!! No one is watching the fort.
  • From discovery to mitigation - WEEKS!!! What? I mean some things take some time, but I would think there would be pressure to get that timeframe down.
Finally, there was a section titled Unknown Unknowns. It said that:

9 out of 10 breaches include:
  • A SYSTEM unknown to the organization (or business group.)
  • A system storing DATA that the organization did not know existed on that system.
  • A system that had unknown network CONNECTIONS or accessibility.
  • A system that had unknown accounts or PRIVILEGES.
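The four "unknown unknowns" above, and the "know where your data is" point earlier (reports holding the same data as the SQL server), all come down to reconciling what you think you own against what is actually observed. Here is an added example of that reconciliation in Python; it is not from the report or this post, and the inventory, host names, data classes and accounts are all constructed.

```python
"""Reconcile an authorized asset inventory against observed hosts.

Added example (not from the Verizon report or the post). Flags each of the
four categories the report lists: unknown SYSTEM, DATA, CONNECTION, PRIVILEGE.
All inventory and observation data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class HostFacts:
    data: set = field(default_factory=set)         # data classes present
    connections: set = field(default_factory=set)  # hosts it talks to
    accounts: set = field(default_factory=set)     # privileged accounts


def find_unknowns(inventory, observed):
    """Return (host, category, detail) findings for anything not in inventory."""
    findings = []
    for host, obs in observed.items():
        exp = inventory.get(host)
        if exp is None:
            # Whole host is unknown: report it once and skip the detail checks.
            findings.append((host, "SYSTEM", "host not in inventory"))
            continue
        for d in sorted(obs.data - exp.data):
            findings.append((host, "DATA", d))
        for c in sorted(obs.connections - exp.connections):
            findings.append((host, "CONNECTION", c))
        for a in sorted(obs.accounts - exp.accounts):
            findings.append((host, "PRIVILEGE", a))
    return findings


# Constructed inventory: what the organization believes it owns.
INVENTORY = {
    "db01": HostFacts({"cardholder"}, {"app01"}, {"dba"}),
    "app01": HostFacts(set(), {"db01"}, {"webadmin"}),
}
# Constructed observations from a host audit plus a network scan. Note the
# reporting box rpt03 nobody inventoried, holding a copy of the cardholder data.
OBSERVED = {
    "db01": HostFacts({"cardholder"}, {"app01", "rpt03"}, {"dba", "tmpadmin"}),
    "app01": HostFacts({"cardholder"}, {"db01"}, {"webadmin"}),
    "rpt03": HostFacts({"cardholder"}, {"db01"}, {"Administrator"}),
}

if __name__ == "__main__":
    for host, cat, detail in find_unknowns(INVENTORY, OBSERVED):
        print(f"{host}: unknown {cat}: {detail}")
```

Run against real data, the inventory would come from the CMDB and the observations from scan and audit output; the point is that every finding maps to one of the report's four categories.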
A great read. It's on

1 comment:

  1. I always run a System Auditor on Windows servers. One of these, called WinDiagnostic, provides PC agents that continuously monitor both the Windows Registry and all file systems for any unusual or unanticipated changes.

    This is a great way to post-mortem system attacks--especially those that circumvented system code and malware detectors.