One of the most valuable aspects of the Verizon report is the helpful reminder it provides of security best practices:
“With respect to breaches caused by recently terminated employees, the following two scenarios were observed:
- Employee was terminated and his/her account was not disabled in a timely manner.
- Employee was notified of termination but was allowed to “finish the day” unmonitored and with normal access/privileges.”
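Both scenarios can be checked by reconciling HR termination notices against directory and login records. The sketch below is an added example, not part of the Verizon report or this article; the function and field names, the one-hour grace period and all sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def audit_offboarding(terminations, accounts, logins, as_of,
                      grace=timedelta(hours=1)):
    """Return sorted (user, finding) pairs for the two quoted scenarios."""
    findings = set()
    for user, notified in terminations.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no directory account to review
        disabled_at = acct["disabled_at"]
        # Scenario 1: account not disabled in a timely manner.
        if disabled_at is None:
            if as_of > notified + grace:
                findings.add((user, "STILL_ENABLED"))
        elif disabled_at > notified + grace:
            findings.add((user, "DISABLED_LATE"))
        # Scenario 2: normal access was still used after the notice.
        for login_user, when in logins:
            if login_user == user and when > notified:
                findings.add((user, "LOGIN_AFTER_NOTICE"))
    return sorted(findings)

# Constructed sample data: HR notice times, directory state, login events.
TERMINATIONS = {
    "asmith": ts("2009-04-20 09:00"),
    "bjones": ts("2009-04-20 10:00"),
    "clee": ts("2009-04-21 14:00"),
}
ACCOUNTS = {
    "asmith": {"disabled_at": None},                    # never disabled
    "bjones": {"disabled_at": ts("2009-04-20 17:30")},  # "finished the day"
    "clee": {"disabled_at": ts("2009-04-21 14:05")},    # disabled promptly
}
LOGINS = [
    ("asmith", ts("2009-04-22 23:10")),
    ("bjones", ts("2009-04-20 15:45")),
    ("clee", ts("2009-04-21 09:00")),  # before the notice, not flagged
]

if __name__ == "__main__":
    report = audit_offboarding(TERMINATIONS, ACCOUNTS, LOGINS,
                               as_of=ts("2009-04-23 08:00"))
    for user, finding in report:
        print(user, finding)
```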
Third Party Threats
The report also emphasizes the threat from third parties that may have administrative access to a victim’s IT assets. This could be a vendor that provides maintenance services or a third party with a data connection that was compromised. The Satyam World Bank fiasco revealed last year is not mentioned, but it was easily one of the most egregious examples of a third party stealing data. The World Bank had outsourced most of its IT operations to the Indian outsourcer, whose workers installed spy software on internal computers.
The predominant method of attack that the Verizon team observed used default passwords or shared credentials. This timely reminder that identity and access management are key to protecting the enterprise warrants an immediate review of access controls. Once the attackers gained access, in most cases they installed malware that captured more credentials via keystroke logging and opened up a back door to allow them to return to the compromised machine and transfer stolen information.
Verizon’s report on 2008 data breaches and their causes marks a turning point in the world threatscape. It effectively documents the predominance of targeted attacks against data stores that will lead to financial gain on the part of the attackers. The first-hand knowledge gained by Verizon researchers now paints a picture of well-funded, organized attempts to pick targets, usually financial services or retail operations, and execute attacks over a period of months that are ultimately successful.
Most security standards were designed specifically to counter targeted attacks, yet organizations have invested the most in fighting worms, viruses, spyware, and spam. Last year it became evident that there is a large community of attackers who will seek out and compromise the defenses of any organization that has not shifted gears to accommodate this besieged environment.
Every IT security professional and every IT leader should read Verizon’s report and begin to re-think their defensive strategies. Failure to do so may mean becoming a victim of a targeted attack and thereby becoming a subject of next year’s report.
Richard Stiennon is a security industry analyst. He writes the security blog for ThreatChaos.com and has re-launched IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. Most recently Richard was chief marketing officer for Fortinet, the leading UTM vendor. Prior to Fortinet he was VP of Threat Research at Webroot Software.