Most Data Theft Due To Basic Security Flaws

June 2008

Many data thieves may not be so sophisticated after all, according to a recent study.

At a time when the theft of personal information is a growing problem for companies and consumers, the study by a consulting unit of Verizon analyzed more than 500 data breaches since 2004 and found 87 percent could have been prevented with commonplace security practices.

The conclusion cuts across the notion that hackers are rapidly becoming more adept in overcoming firewalls and cracking encryption to access personal data. Instead, study contributor Bryan Sartin said, more than half the cases analyzed were of low difficulty. Often criminals would simply probe the hardware or software of scores of companies, searching for known flaws they hoped to exploit.

"It's the low end that's exploding," Sartin said. More attention to basic security principles, such as making sure servers are configured correctly, would go a long way to diminishing the threat, he said.

Verizon says its study is the largest to date, reviewing security problems that accounted for 230 million compromised records. Another dramatic finding was that a growing number of breaches - 39 percent - were related to business partners in some way. Sartin said this was likely due to the rise in practices such as outsourcing call centers, giving outsiders access to company information.

Richard Smith, principal of Boston Software Forensics, which reviews code, said he was also struck by a finding in the study that in 63 percent of the cases, months went by before compromises were discovered. In 70 percent of the cases, a third party brought the breach to light. "There's a whole opportunity here for people to do more monitoring of their systems," he said.

Sartin wouldn't discuss whether the TJX case was among those in the study. But he said the study analyzed three of the five largest data breaches to date, and that Verizon is aware of several cases in which hundreds of millions of records were compromised, which would be even bigger than the losses at TJX. At least one of these occurred in the United States, and the targets tended to be either financial institutions or government agencies, he said.

While the study encompasses more than a quarter of publicly reported data breaches, it also includes many large breaches in which the victim organizations never reported the incidents publicly. Though laws in most states require companies to notify law enforcement of breaches, companies are growing more creative at finding ways to define problems so that they're not required to provide detail.