Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at Verizon Business.

– TRUE – This is especially true because organizations don’t stop and look at the current threat landscape and evaluate if their existing technologies are best to mitigate the current risk. Usually they just stick with what they currently have.

“Up to 40% of money spent on IT security is wasted,” he told Computer Weekly.

– I would tend to agree with this. That 40% could be spent on effective solutions that truly reduce the organizations risk.

Many organisations are increasingly spending money on insider threats, but in reality only 11% of successfully exploited data breaches in the past five years have been internal parties alone, according to the latest Verizon Business Data Breach Investigations Report.

– I question this statement and here is why. Verizon Business usually bases these reports on their caseload, which means only the companies that have called them to do forensic analysis are the ones in the study. Well not every company that has a breach calls Verizon. In fact, stop and think for a minute. If you have an insider breach, usually you know about it. Usually it is low tech. Usually you don’t need Verizon for that type of case. Also, companies do not like to disclose insider breach cases. If a hacker gets them, most people say “boy those hackers are really smart” but if an insider gets away with a bunch of stuff people say “what kind of company hires a person like that” or “what lousy policies and procedures that company must have to have that incident occur.” An insider breach is the companies fault (at least that is the perception).

Most breaches involve multiple sources, but even then research shows that only 20% overall involved internal parties.

– I don’t agree with this either. This is a fundamental problem with the way people look at breaches. If a hacker exploits a vulnerability on a web server and gets access to internal systems and downloads a database of sensitive information, everyone blames the hacker 100%. Isn’t there some responsibility on the internal IT person that didn’t patch the system? Couldn’t we blame the IT person for misconfiguring the web server to allow the hacker in? When looked at in this way, insider play a much larger role in information security breaches than many might think.

The research shows that being able to patch systems faster will reduce enterprise security risk by about 2%.
I agree with this. Verizon in a separate report several months ago showed how infrequent hackers are using 0-Day exploits. In nearly all cases were hackers using old, established, well known vulnerabilities and exploits. It isn’t about patching faster, it is about patching and patching consistently.
“But by simply eliminating systems with default passwords that are easy to guess will cut risk by at least 25%, 10 times more than patching faster,” said Tippett.

– I agree with this as well. Default passwords and easily guessable credentials are one of the top ways external breaches occur.

“An organisation can reduce its risk by 85% simply by finding out where all its servers are, where all its data is stored and what connections there are to it,” he said.

– I 100% agree with this. Most organizations that go through a system and data discovery can’t believe all the places that sensitive data resides.

Even though bigger companies tend to look for default passwords, they look only at critical systems and tend to ignore those that have nothing to do with the business, but this is another mistake, said Tippett.

– This is a big mistake because “less important systems” are often used by individuals who have access to the mission critical systems and once you compromise one system, you can have access to anything that system has access to.

“Hackers don’t care what is critical and what is not – they just use their tools to find the things that are easiest to get into, and once they are in, they move from there.”

– True, although I think is changing a little bit when hackers are getting better at analyzing the systems they compromise for potential value.

“Discover is the most important thing you can do. It is the first step in every risk-management programme. Yet it is the thing almost everyone ignores.”

– Certainly one of the most important things you can do.

lastly…. Verizon Business needs to learn how to spell OrganiZation!

It is a great read!

85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites and/or malicious web sites.

Shopping remained the leading topic of spam (28 percent), followed closely by cosmetics (18.4%), medical (11.9%), and education (9.5%). Education themed spam has almost doubled over the previous 6 month period and some believe that is due to the recession. Often times these education themed emails seek to exploit people looking to gain new skills or obtain fake qualification to help their job prospects.

69 percent of all web pages with any objectionable content also had at least one malicious link.

The issue is growing as well. 78 percent of new web pages discovered in the first half of 2009 with any objectionable content had at least one malicious link.

Look for yourself in the case of Heartland in the attached graph of the Heartland stock ticker over the past year.

Not only did Heartland have approximately a 40% stock drop the day this was announced, the stock continued to drop for some time. Heartland recently announced their Q2 2009 financials which includes the cost and write-offs associated with the data security breach. [Article]

They specifically noted that $.32/share was the write-off amount associated with resolving issues with their data security breach. They said this was associated with the $19.4 million dollars it cost them to settle these issues. This resulted in a quarterly loss of 2.6 million ($.07/share) for Q2.

This also does not include the money they are putting into deploying end-to-end encryption which is their answer.

It should be noted that both Visa and Mastercard have said that Heartland was not PCI compliant at the time the breach occured.

This year’s key findings both support last year’s conclusions and provide new insights. These include:

* Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.

* Most breaches resulted from a combination of events rather than a single action. Sixty-four percent of breaches were attributed to hackers who used a combination of methods. In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data.

* In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches.

* Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications.

* Roughly 20 percent of 2008 cases involved more than one breach. Multiple distinct entities or locations were individually compromised as part of a single case, and remarkably, half of the breaches consisted of interrelated incidents often caused by the same individuals.

* Being PCI-compliant is critically important. A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.