Hacking and malware continue to be the two most common ways breaches occur, according to Verizon's latest report, the 2013 Data Breach Investigations Report (DBIR).
The report is in its sixth year of publication. Its findings are based on 47,000 security incidents, 621 confirmed data breaches and 44 million data records compromised as shared by Verizon and 18 organisations globally across industries.
Key findings from 2013 DBIR
In 2012, hacking was found to be a factor in 52 percent of the data breaches, and four out of five breaches involving hacking were authentication-based attacks, where a hacker guessed, cracked or reused valid credentials to gain access to the company.
Malware, on the other hand, contributed to 40 percent of the breaches, of which 47 percent were distributed through email attachments.
Breaches incorporating social tactics such as phishing also saw a four-fold increase from 2011.
Even though these tactics may be considered low difficulty, as they do not require sophisticated skills, most businesses have fallen prey to them. The DBIR reported that 78 percent of initial intrusions in 2012 consisted of these low-difficulty attacks.
Ajaykumar Biyani, solutions consultant, Global Strategic Services for South East Asia at Verizon, reasoned that companies which fall victim to these low difficulty attacks usually do not have in place a vulnerability management system that is actively looking at their entire infrastructure and systems. So, it is easy for them to overlook basic things such as an expired SSL certificate, leaving behind an easy target for attackers.
He also said that companies are usually reactive when it comes to security. Companies will look at their own system only when a third party informs them of a breach or news of similar breaches is reported. "Most companies do have the detection information in their security logs [at hand] but they don't act on it [till a third party alerts them to do so]."
Patrick Lum, senior consultant of RISK team at Verizon, agreed with Biyani. He said that companies should place equal emphasis on internal and external security. "Since companies know that threats come from the Internet, they try very hard to protect Internet-facing devices. But simply focusing on external threats is not enough. They need monitoring capabilities internally as well as externally."
Lum also remarked that companies should not be fully reliant on antivirus to alert them to threats. "Malware may not get detected by antivirus solutions [so] while antivirus is essential, companies should not regard it as their last line of defence, but instead their first. The key thing [for companies when it comes to security] is to really understand their network and the abnormal behaviour in the network [so that they can take appropriate actions]."