The annual Verizon Communications Breach Report is always full of information of value to IT security pros, largely because of the wealth of data it draws on from contributing vendors.
Here are a few more things I pulled from the latest report that couldn’t be squeezed into the story:
There’s a seemingly never-ending list of things CSOs have to do to button up their environments to ward off cyber attacks. But after analyzing details of successful breaches, the report’s authors concluded that implementing at least 40 per cent of common security controls (as defined by the U.S.-based Council for Cybersecurity) can be categorized as “quick wins” that would easily increase the odds of a successful defence.
– 24 per cent of attacks could have been prevented had IT departments patched known Web services vulnerabilities;
– five per cent could have been prevented if systems had locked out anyone who failed to log in after multiple attempts;
– five per cent would have been prevented had email systems filtered attachments;
– two per cent of attacks would have been prevented had the enterprises done each of the following: installed up-to-date endpoint anti-virus, restricted the ability of users to download software, or limited ports and services.
Add these up and they total 40 per cent of defences that could have stalled the attacks studied.
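One of the quick wins listed above, locking an account after repeated failed logins, is simple enough to show end to end. The following is an added example, not code from the report or from Verizon: a small lockout policy replayed over a constructed authentication log. The thresholds (five failures inside a ten-minute window, a thirty-minute lock), the log format and the account names are assumptions made for the example; the point it makes is that once the lock is in place, even the correct password is refused until the lock expires, which is what frustrates a guessing attack.

```python
from collections import deque
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the report:
# lock after 5 failures within a 10-minute window, and hold the lock 30 minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)


class LockoutPolicy:
    """Tracks failed logins per account and enforces a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> datetime when the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Apply one login attempt; return 'locked', 'allowed' or 'failed'."""
        if self.is_locked(account, now):
            # A locked account is refused even when the password is right.
            return "locked"
        if success:
            self._failures.pop(account, None)  # a clean login resets the counter
            return "allowed"
        q = self._failures.setdefault(account, deque())
        q.append(now)
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


# Constructed sample log (not real data): timestamp, account, result.
CONSTRUCTED_LOG = """\
2015-04-20T09:00:00 user=alice result=FAIL
2015-04-20T09:00:30 user=bob result=FAIL
2015-04-20T09:01:00 user=bob result=FAIL
2015-04-20T09:01:30 user=bob result=FAIL
2015-04-20T09:02:00 user=bob result=FAIL
2015-04-20T09:02:30 user=bob result=FAIL
2015-04-20T09:03:00 user=bob result=OK
2015-04-20T09:15:00 user=alice result=FAIL
2015-04-20T09:16:00 user=alice result=OK
2015-04-20T09:33:00 user=bob result=OK
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, account, success)."""
    ts_str, user_part, result_part = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    user = user_part.split("=", 1)[1]
    success = result_part.split("=", 1)[1] == "OK"
    return ts, user, success


def replay(log_text, policy=None):
    """Feed every log line through the policy; return [(account, outcome), ...]."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ok = parse_line(line)
        outcomes.append((user, policy.record(user, ok, ts)))
    return outcomes


if __name__ == "__main__":
    for account, outcome in replay(CONSTRUCTED_LOG):
        print(f"{account:6} {outcome}")
```

In the replay, bob’s fifth failure at 09:02:30 triggers the lock, his correct password at 09:03:00 is still refused, and he is only admitted at 09:33:00 once the thirty minutes have passed; alice’s two failures are fifteen minutes apart, so the sliding window never accumulates enough to lock her out. The same outcomes feed naturally into the kind of incident metrics the report’s authors ask for: a count of “locked” results per account per day is a ready-made brute-force indicator.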
Here’s another fact to ponder: 24 per cent of attacks could have been prevented had login systems to network devices been enabled with two-factor authentication, which the council doesn’t deem a quick win but something that obviously pays big dividends. Others in this category include verifying the need for Internet-facing devices, proxying outbound traffic and thorough Web application testing — each of which would have stopped seven per cent of attacks.
Blocking known file transfer sites would have got in the way of five per cent of attacks. Another two per cent each would have been halted had networks been segregated, passwords been made more complex, and had the security processes of a vendor been vetted.
(Speaking of more complex passwords, note the following story based on the recent divulging of documents from the Sony hack by Wikileaks. As the writer points out, an embarrassing number of people at Sony used the word “password” as their password.)
“Don’t sleep on basic, boring security practices,” concludes the report. “Stop rolling your eyes. If you feel you have met minimum-security standards and continue to validate this level of information, then bully for you! It is, however, still apparent that not all organizations are getting the essentials right.”
In an interview, report co-author Bob Rudis said the numbers show that any organization that doesn’t have two-factor authentication on network devices will suffer. In addition, unpatched vulnerabilities will be exploited.
Another important conclusion from the report, he added, is the need for IT security pros to collate incident data so it can be analyzed with the VERIS (Vocabulary for Event Recording and Incident Sharing) framework.
“Find out what you don’t know,” he urges security pros, by collecting good metrics and by asking ‘Why?’ a lot when a failure has been discovered.
“If a CISO can’t ask their staff to give them the same data that we basically presented in the report either they don’t have the technology implemented or they’re not looking at it…. and if the answers aren’t good you just created your project list for the year — maybe for the next 18 or 36 months.”