The latest edition of Trustwave Holding’s annual global security report shows a shattered block on the cover representing a broken firewall. And rightly so – the volume of data breach investigations the company handled last year was up 54 per cent over 2012. Here are the highlights of what the company found and recommendations on how to brace up that wall.
Bull’s eye on retail
As expected in the year when Target was the target of a massive POS theft, retail was the most-compromised industry worldwide (35 per cent of the attacks Trustwave investigated). E-commerce sites made up 54 per cent of the victims, and one-third of all attacks were POS-related.
It’s not only money
While criminals want credit/debit card numbers, note that 45 per cent of thefts also involved non-payment card data — sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.
Java, passwords are killers
How do they get it? Eighty-five per cent of exploits relied on problems with third-party plug-ins, including Java, Adobe Flash, Adobe Acrobat and Adobe Reader. A staggering 78 per cent of exploits took advantage of Java vulnerabilities. Weak passwords open the door for the initial intrusion 31 per cent of the time.
Keep your eyes open
It’s vital your staff – IT or line of business – be aware of the possibility of a breach every day and report suspicions immediately. Why? Trustwave found that organizations that self-detected a breach took a median of one day to shut the hole, whereas organizations whose breach was detected by an outside party took 14 days to contain it. Still, the median number of days from initial intrusion to detection was 87 days.
Defence 1: Educate
Up-to-date technology helps, but so do non-tech solutions: Educate employees on best security practices, including strong password creation (seven mixed characters and numbers, or passphrases of 8 to 10 words), two-factor authentication, and awareness of social engineering techniques like phishing.
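As an added illustration of the password guidance above (this is example code written for this summary, not Trustwave’s own rule or tooling), the small checker below classifies a candidate secret against the two forms the report describes: a short password of seven or more characters mixing letters and digits, or a passphrase of 8 to 10 words. Reading “mixed characters/numbers” as “contains at least one letter and one digit” is an assumption, as are the function names and thresholds.

```python
import re

# Thresholds are assumptions drawn from the article's wording, not a published
# Trustwave policy.
MIN_MIXED_LENGTH = 7        # "seven mixed characters/numbers"
PASSPHRASE_MIN_WORDS = 8    # "phrases with 8 to 10 words"
PASSPHRASE_MAX_WORDS = 10


def is_mixed_password(secret: str) -> bool:
    """True if the secret is at least MIN_MIXED_LENGTH characters long and
    contains both a letter and a digit (our reading of 'mixed characters/numbers')."""
    if len(secret) < MIN_MIXED_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in secret)
    has_digit = any(c.isdigit() for c in secret)
    return has_alpha and has_digit


def is_passphrase(secret: str) -> bool:
    """True if the secret is a phrase of 8 to 10 words, where a word is a run of
    letters; digits, spaces or punctuation between words are ignored."""
    words = re.findall(r"[A-Za-z]+", secret)
    return PASSPHRASE_MIN_WORDS <= len(words) <= PASSPHRASE_MAX_WORDS


def classify_password(secret: str) -> str:
    """Return 'passphrase', 'mixed', or 'weak' for a candidate secret.
    Passphrases are checked first so a phrase containing digits is still a phrase."""
    if is_passphrase(secret):
        return "passphrase"
    if is_mixed_password(secret):
        return "mixed"
    return "weak"


if __name__ == "__main__":
    # Constructed sample inputs covering each branch.
    samples = [
        "password",                                  # weak: no digits
        "P@ssw0rd",                                  # mixed: 8 chars, letters and a digit
        "correct horse battery staple",              # weak: only 4 words, no digit
        "the quick brown fox jumps over lazy dogs",  # passphrase: 8 words
    ]
    for s in samples:
        print(f"{s!r}: {classify_password(s)}")
```

A check like this belongs at the point where a password is set (account creation, self-service reset), and it should be paired with the two-factor authentication the article recommends rather than treated as sufficient on its own.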
Defence 2: Secure your data
Don’t lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets—from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine ongoing testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.
Defence 3: Test
Model the threat and test your systems’ resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker’s perspective to your systems. A penetration test transcends merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data.
Defence 4: Prepare for bad news
Think you’re ready? There’s one more thing to do — plan your response for a breach. Develop, institute and rehearse an incident response plan. Identify what sorts of events or indicators of compromise will trigger your incident response plan. A plan will help make your organization aware of a compromise sooner, limit its repercussions and shorten its duration.