Frankly Speaking: Business partners are a prime attack vector
Computerworld - If you're an IT security pro, you already know what this column is about. If you're not, you should download Verizon's "2008 Data Breach Investigations Report" right now. There's lots of horrifying data in there, but this is the one that shook me: Almost half of data thefts now come by way of our business partners.
That's right: Increasingly, attackers aren't trying to get through our security perimeters. Instead, they get inside the systems of suppliers, customers and contractors we trust, and from there, we're sitting ducks.
In 2003, only 8% of the attacks Verizon documented came that way. In 2007, 44% did.
And that percentage is likely to continue to rise.
Understand that this study from Verizon's security services group is based on metrics from more than 500 cases the company was hired to investigate. That's the study's strength and its weakness. It's naturally skewed to cover incidents that were worth calling in a security outfit about.
Then again, those are the ones that keep us up at night.
As you'd expect, the first few pages are a thinly veiled soft sell for Verizon's security services. Don't give up; the numbers start on page 8.
Some of what Verizon itemizes is common sense. But some of it demolishes our expectations. It turns out that only 18% of these attacks were launched by insiders (so much for the old "80% of security breaches come from the inside" myth). In 78% of the cases, fully patched systems wouldn't have stopped the breaches. And 55% of the attacks required no great technical chops -- just script-kiddie capability.
And despite all the investments we've made in security monitoring, 70% of the breaches were discovered only after outsiders tracked the source of identity theft and other problems back to people like us.
What does the report recommend? Put simply: Monitor your systems, review the logs, and put processes in place to deal swiftly with security problems when they're reported.
There's more to it than that, of course. Read the report. Don't just hand it off to your security people. If you're a CIO or an IT manager or a sysadmin, you need to know what it says.
Then you need to change the way you think about security. Especially as it relates to partners.
That 44%-and-growing number is the one that should scare you. These are organizations we have to trust enough to let them connect to our systems. But we can't choose them; business users and executives do that. We don't run their systems. We may not be able to vet their security or force them to improve it.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Smarter Commerce is redefining value chain visibility
- Smarter Commerce is redefining the value chain in the age of the customer. It starts with putting the customer at the center of...
- Identity Governance: The Business Imperatives
- This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
- The Executive Buyer's Guide to Project Portfolio Management
- The Innotas Executive Buyer's Guide provides you with a concise overview of Project Portfolio Management (PPM) and delivers important buying criteria to help... All Management and Careers White Papers
- Live Webcast
Integrated IT Operations Management in the Cloud - Join award-winning technology editor Stan Gibson and Andrew White, CMO at Numara Software, to learn how asset management and service management are converging...
- Integrated IT Operations Management in the Cloud
- Join award-winning technology editor Stan Gibson and Andrew White, CMO at Numara Software, to learn how asset management and service management are converging...
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... All Management and Careers Webcasts