Failure to Comply

Further thoughts on the 2011 Verizon Data Breach Investigation study.  This year’s report reports a drop of insider related threats. What is interesting is that 92% of attacks stemmed from external agents, and in 2011 11% were from social engineering attacks. There is a decrease in social engineering related attacks, but external attacks in general have risen by 22%.

Out of the external attacks, 58% of these were committed by criminal gangs which is further proof indicating, as if more were needed, that information is worth a lot of money now.

What I found really interesting, though, is - out of the attacks that were external hacks - 14% were as a result of SQL injection, which resulted in 24% of all the stolen records.

SQL injection!

What is wrong with us?  This is preventable. Also, 49% of attacks were as a result of footprinting and fingerprinting. How difficult is it really to obfuscate your responses, remove your headers, stop error messages?

And then – depressingly - 67% of attacks were when someone was able to guess default usernames and passwords.  These are not new attack vectors and they can be automated.

22% of these attacks were against Web Applications and 71% used remote access services.

All in all these attacks, while increasing, are resulting in a lower number of actual stolen records. This is good news. I think it means that the headline prosecution of perpetrators is taking an effect. I think we are slowly turning the corner but we have a lot more to do, especially when there are so many simple, preventable attacks.

I will leave you with one last statistic from the 2011 report: 89% of victims subject to PCI-DSS had not achieved compliance standards.

 

Technorati Tags: ASM, f5, F5 Networks, https, PCI, Security, ssl, WAF, Web Application Firewall