In recent years, organizations that have experienced breaches have been forced by law (in many cases) to report the occurrence. Therefore, we've seen a spike in incident reports. Collectively we can all learn from those reports to attempt to prevent similar occurrences in our own organizations.
By far one of the most detailed analyses of data breaches comes from the Verizon Business Risk Team. This group provides a fee-based service to large enterprises to conduct forensics and investigative responses to known breaches. Dating back to 2004, the team has compiled information from more than 500 in-depth investigations where the vendor helped customers determine the cause of a breach.
By the nature of this business, the Verizon investigations were significant cases of computer crime. In other words, the report doesn't cover simple instances of lost or stolen laptops. Rather, the team typically is engaged when the victim company is looking for factual evidence from a forensic investigation that could lead to criminal prosecution. At the very least, the victim company is determined to find the root cause of the breach so it can be eliminated as a potential source for future breaches.
Here are some of the interesting points brought out in Verizon's "2008 Data Breach Investigations Report." Remember that the data sample involves more than 500 investigations spanning very small to very large organizations around the world.
Errors, such as poor decisions, misconfigurations and omissions, are a contributing factor in nearly all data breaches. Significant omissions led to a large number of the breaches. Most often, the omission was a standard security procedure or configuration that was believed to have been implemented but was not. In 15 percent of the cases, misconfigurations were a contributing factor. These include erroneous system, device, network and software settings.
In the Verizon investigations, hacking led to more data breaches than any other category of threat, and it is a favored technique of cybercriminals. Eighteen percent of hacks exploited a specific known vulnerability. In more than 71 percent of these cases, a patch for the vulnerability had been available for months -- or even for as long as a year -- before the breach. "This strongly suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than 'fire drills' attempting to patch particular systems as soon as patches are released," the Verizon report concludes.
Common attack pathways include remote access and control, Web applications, Internet-facing systems, physical access, and -- lower on the list -- wireless networks. Remote-access and control software, often used by outside vendors to administer systems, was an attack pathway in 40 percent of the investigations. On many occasions, the administrative accounts intended for vendors or outsource partners were compromised by external entities. Verizon found that in many of these cases, the remote-access account was configured with default settings, making it easier for a hacker to use the account to take control.
There's lots more detail in team's report. It's a worthwhile read for all IT security personnel, network and systems administrators, and data security officers. After all, where data breaches are concerned, it's better to learn from someone else's experiences than from your own.
Another source to learn about the root cause of data breaches is a service called The Breach Blog. This blog has anecdotal information about cases reported to the public, usually in a news release. An overwhelming number of the cases listed here are attributed to lost or stolen laptops or portable media devices like USB thumb drives, unauthorized use of data by employees, and such careless acts as inadvertently posting information on the Web or sending sensitive data via peer-to-peer file transfer.
If there's anything to glean from this blog, it's that it's necessary to educate people about data security measures, as well as to impose policies and implement technologies designed to safeguard data. For instance, encrypting the hard disk on laptops could help prevent breaches when the PC is lost or stolen. In case after case on The Breach Blog, the data on a lost laptop or thumb drive is not encrypted, and the device isn't even password-protected.
No organization wants to be in the headlines for a data breach. Understanding how many breaches occur could help you implement countermeasures that will keep your organization out of The Breach Blog.