Wednesday, April 15, 2009

Breach Report 2009 Day …

… all other security blogging is expressly forbidden :-)

Get it here – and READ!!  This is not your mother’s CSI/FBI survey; this is actually objective data on security (=rare and valuable)!

Fun quotes:

  • “83% of attacks were not highly difficult”
  • “In 2008, investigators concluded that 87 percent of breaches could have been avoided through the implementation of simple or intermediate controls”
  • “As with last year’s report, the majority of breaches are discovered by a third party”
  • “The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization. If obvious weaknesses are left exposed, chances are the attacker will exploit them.”
  • “A very large proportion of attackers gain access to enterprise networks via default, shared, or stolen credentials.”
  • “This market saturation has driven the price down to a point where magnetic-stripe information is close to worthless.”
  • “2008 continued a downward trend in attacks that exploit patchable vulnerabilities versus those that exploit configuration weaknesses or functionality.”
  • “2008 saw only a single instance in which a wireless network was exploited across our entire caseload” [I easily believe that: remote > wireless for an attacker]
  • “As a percentage of caseload, payment card breaches remain near the 80 percent mark and far outnumber other data types. They consume 98 percent of all records compromised in the year.”
  • “Breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases.”
  • “the large majority of organizations within our caseload are subject to the requirements set forth within PCI DSS […] Over three-quarters of organizations suffering payment card breaches within our caseload were found not compliant with PCI DSS or had never been audited.”
  • “When reviewing the percentages for each requirement above, several very interesting statistics pop out. Requirements 3, 6, and 10—which many organizations complain are the most onerous—are indeed the least compliant across our caseload. When one considers the prevalence of unnecessary and/or unknown data stores, frequency of SQL injection attacks, and lengthy compromise-to-discovery periods discussed extensively in this (and our last) report, this finding is hardly surprising.”
  • “In other words, the typical organization [UNDER PCI DSS requirements!!] had met less than a third of the requirements in PCI DSS. Some fared much better, some much worse, but the point made by the data before us is this: these breaches, in general, did not occur in organizations that were highly compliant with PCI DSS.”
  • “We find that many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route.”
  • “All too often, evidence of events leading to breaches was available to the victim [in the form of logs] but this information was neither noticed nor acted upon.”

Fun pictures:



Fun commentary:

No time for more today :-) Maybe tomorrow … but this report definitely “exudes pure awesomeness!” Also, from my point of view, there has never been such objective proof of the usefulness of everything that PCI DSS stands for!

Dr Anton Chuvakin