Doing basic security still pays, says report

The annual Verizon Communications Breach Report is always full of information of value to IT security pros, largely because of the wealth of data it draws on from contributing vendors.

Here’s a few more things I pulled from the latest report that couldn’t be squeezed into the story:

There’s a seeming never-ending list of things CSOs have to do to button up their environments to ward off cyber attacks. But after analyzing details of successful breaches the report’s authors figured implementing at least 40 per cent of common security controls (as defined by the U.S.-based Council for Cybersecurity) can be categorized as “quick wins” that would easily increase the odds of a successful defence.

For example

— 24 per cent of attacks could have been prevented had IT departments patched known Web services vulnerabilities;

–five per cent could have been prevented if systems had locked out anyone who failed to login after multiple attempts;

–five per cent would have been prevented had email systems filtered attachments;

–two per cent would of attacks have been prevented had the enterprises done each of the following: installed up to date end point anti-virus, restricted the ability of users to download software, or limited ports and services.

Add these up and they total 40 per cent of defences that could have stalled the attacks studied.

Here’s another fact to ponder: 24 per cent of attacks could have been prevented had login systems to network devices been enabled with two-factor authentication, which the council doesn’t deem a quick win but something that obviously pays big dividends. Others in this category include verifying the need for Internet-facing devices; proxy outbound traffic and thorough Web application testing — each of would have stopped seven per cent of attacks.

Blocking known file transfer sites would have got in the way of five per cent of attacks. Another two per cent each would have been halted had networks been segregated, passwords been made more complex,  and had the security processes of a vendor been vetted.

(Speaking of more complex passwords, note the following story based on the recent divulging of documents from the Sony hack by Wikileaks. As the writer points out, an embarassing number of people at Sony used the word “password” as their password.

“Don’t sleep on basic, boring security practices,” concludes the report. “Stop rolling your eyes. If you feel you have met minimum-security standards and continue to validate this level of information, then bully for you! It is, however, still apparent that not all organizations are getting the essentials right.”

In an interview report co-author Bob Rudis said the numbers show that any organization that doesn’t have two factor authentication on networkt devices will suffer. In addition, unpatched vulnerabilities will be exploited.

Another important conclusion from the report, he added, is the need for IT security pros to collate incident data so it can be analyzed with the VERIS event recording and incident sharing framework. 

“Find out what you don’t know,” he urges security pros with good metrics and by asking ‘Why?’ a lot when a failure has been discovered.

“If a CISO can’t ask their staff to give them the same data that we basically presented in the report either they don’t have the technology implemented or they’re not looking at it…. and if the answers aren’t good you just created your project list for the year — maybe for the next 18 or 36 months.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now