Most 2011 cyberattacks were avoidable, Verizon says
Despite all the hype about sophisticated attack methods, 97% could have been stopped using fundamental precautions
Computerworld - Despite rising concern that cyberattacks are becoming increasingly sophisticated, hackers used relatively simple methods 97% of data breaches in 2011, according to a report compiled by Verizon.
The annual Verizon report on data breaches, released Thursday, also found that in a vast majority of attacks (80%), hackers hit victims of opportunity rather than companies they sought out.
The findings suggest that while companies are spending increasing sums of money on sophisticated new security controls, they are also continuing to overlook fundamental security precautions.
The conclusions in the Verizon report are based on the investigations into more than 850 data breaches. The report was compiled with the help of the U.S. Secret Service and law enforcement agencies in the United Kingdom, The Netherlands, Ireland and Australia, Verizon said.
Verizon said it found that attacks by so-called "hactivist" groups such as Anonymous for the first time compromised more breached records -- more than 100 million -- than the number of attacks by hackers specifically looking to steal financial or personal data.
Data breach victims and security vendors generally tend to describe attacks as highly sophisticated and involving a great deal of expertise on the part of hackers.
The Verizon report though shows a far more mundane reality.
Most of the breaches didn't require hackers to possess special skills or resources, or to do much customization work. In fact, Verizon said that 96% of the attacks "were not highly difficult" for the hackers.
"Additionally, 97% were avoidable, without the need for organizations to resort to difficult or expensive countermeasures," the report said.
Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords, said Marc Spitler a Verizon security analyst.
The study found that cybercriminals did not have to work any harder to break into a large organization than into a small one.
Attackers in 2011 generally didn't need new sophisticated tools to break into most organizations, Spitler said.
"We have seen nothing new. Some of the old standbys are continuing to work very well for the people going after information," he said. "Not enough has been done to raise the bar and to force them to spend" significant sums on new tools and exploits.
The most sophistication found by the researchers was in the methods used by attackers to steal data after breaking in to systems, he said.
Attackers typically have installed malware on a victim company's network to escalate privileges, set up backdoors, enable remote control and sniff out sensitive data. Many take steps to remain hidden on the network for a long time and then wipe their tracks when they are done.
Such tasks require moderate to advanced skills and extensive resources on the part of the attackers, according to Spitler. "That is one area where we have raised the bar," he said.
Most of the targeted attacks last year were directed large companies in the finance and insurance industries, according to Verizon.
Hackers, often part of organized groups, used large-scale automated methods to find vulnerable businesses to exploit.
In such cases, more than 85% of victim companies employed less than 1,000 employees and were mostly in the retail, hospitality and food services industries.
The findings once again highlight the need for companies to pay attention to security basics, Spitler said.
"It is about going back to basic security principles. A lot of the same recommendations we have used in past years, we have recommended this year," he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts