Frankly Speaking: Business partners are a prime attack vector

Computerworld - If you're an IT security pro, you already know what this column is about. If you're not, you should download Verizon's "2008 Data Breach Investigations Report" right now. There's lots of horrifying data in there, but this is the one that shook me: Almost half of data thefts now come by way of our business partners.

That's right: Increasingly, attackers aren't trying to get through our security perimeters. Instead, they get inside the systems of suppliers, customers and contractors we trust, and from there, we're sitting ducks.

In 2003, only 8% of the attacks Verizon documented came that way. In 2007, 44% did.

And that percentage is likely to continue to rise.

Understand that this study from Verizon's security services group is based on metrics from more than 500 cases the company was hired to investigate. That's the study's strength and its weakness. It's naturally skewed to cover incidents that were worth calling in a security outfit about.

Then again, those are the ones that keep us up at night.

As you'd expect, the first few pages are a thinly veiled soft sell for Verizon's security services. Don't give up; the numbers start on page 8.

Some of what Verizon itemizes is common sense. But some of it demolishes our expectations. It turns out that only 18% of these attacks were launched by insiders (so much for the old "80% of security breaches come from the inside" myth). In 78% of the cases, fully patched systems wouldn't have stopped the breaches. And 55% of the attacks required no great technical chops -- just script-kiddie capability.

And despite all the investments we've made in security monitoring, 70% of the breaches were discovered only after outsiders tracked the source of identity theft and other problems back to people like us.

What does the report recommend? Put simply: Monitor your systems, review the logs, and put processes in place to deal swiftly with security problems when they're reported.

There's more to it than that, of course. Read the report. Don't just hand it off to your security people. If you're a CIO or an IT manager or a sysadmin, you need to know what it says.

Then you need to change the way you think about security. Especially as it relates to partners.

That 44%-and-growing number is the one that should scare you. These are organizations we have to trust enough to let them connect to our systems. But we can't choose them; business users and executives do that. We don't run their systems. We may not be able to vet their security or force them to improve it.