Verizon Data Breach Investigations Report

["Al" <macwheel99 () wowway com>]

Verizon Data Breach Investigations Report identified, how they typically
unfold, and ranked by frequency, the top 15 types of security attacks,
comparing risk factors among finance, food, retail, and tech industries.:
http://www.verizonbusiness.com/resources/whitepapers/wp_supplemental-report-
specifics-for-the-financial-services-food-beverage-retail-and-tech-services-
industries_en_xg.pdf

1. Keylogging and spyware: Malware specifically designed to covertly
collect, monitor and log the actions of a system user.

2. Backdoor or command/control: Tools that provide remote access to or
control of infected systems, or both, and are designed to run covertly.

3. SQL injection: An attack technique used to exploit how Web pages
communicate with back-end databases.

4. Abuse of system access/privileges: Deliberate and malicious abuse of
resources, access or privileges granted to an individual by an organization.

5. Unauthorized access via default credentials: Instances in which an
attacker gains access to a system or device protected by standard preset
(widely known) user names and passwords.

6. Violation of acceptable use and other policies: Accidental or purposeful
disregard of acceptable use policies.

7. Unauthorized access via weak or misconfigured access control lists
(ACLs): When ACLs are weak or misconfigured, attackers can access resources
and perform actions not intended by the victim.

8. Packet sniffer: Monitors and captures data traversing a network.

9. Unauthorized access via stolen credentials: Instances in which an
attacker gains access to a protected system or device using valid but stolen
credentials.

10. Pretexting or social engineering: A social engineering technique in
which the attacker invents a scenario to persuade, manipulate, or trick the
target into performing an action or divulging information.

11. Authentication bypass: Circumvention of normal authentication mechanisms
to gain unauthorized access to a system

12. Physical theft of asset: Physically stealing an asset.

13. Brute-force attack: An automated process of iterating through possible
username/password combinations until one is successful.

14. RAM scraper: A fairly new form of malware designed to capture data from
volatile memory (RAM) within a system.

15. Phishing (and endless "ishing" variations): A social engineering
technique in which an attacker uses fraudulent electronic communications
(usually e-mail) to lure the recipient into divulging information.

Overall, the 24 page pdf report details nearly 150 ways to detect and combat
security threats.

I found out about this, thanks to:
http://www.net-security.org/secworld.php?id=8597 

-Al Mac-

- Allowing one's computer to be unprotected, while connected to the
internet, can be compared to owning a handgun and putting it out on your
doorstep every night, in case a passing robber might be in need of one.
Unfortunately millions of people are doing exactly that, while thousands of
them do so through networks of companies and government agencies that they
manage.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php