BreachExchange mailing list archives

Breaches, like history, repeat themselves


From: security curmudgeon <jericho () attrition org>
Date: Tue, 31 Jan 2012 02:14:48 -0600 (CST)


---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.csoonline.com/article/699021/breaches-like-history-repeat-themselves

By George V. Hulme
CSO
January 30, 2012

Two recent studies show that if organizations simply focused on IT 
security basics, they'd make great strides in reducing their risk of 
embarrassing, avoidable and often costly data breaches.

Security firm Imperva examined attack trends across 40 applications and 
monitored millions of attacks that targeted web applications for the 
six-month period spanning June through November of last year. The firm 
found that attackers like to target five relatively common application 
vulnerabilities: remote file inclusion, SQL injection, local file 
inclusion, cross site scripting and directory traversal attacks. The 
majority of these attack vectors have been significant problems for years.

Rafal Los, chief security evangelist, HP Software Worldwide, says the 
industry's inability to rid itself of lingering and well-understood 
software vulnerabilities isn't a problem due to lack of technology. "It's 
now a behavioral problem. Development organizations have more resources 
than ever to create a rational, security-infused software development 
lifecycle (SDLC) which doesn't 'bolt-on' security at the very last 
stages," says Los. "Until security becomes a fundamental business 
objective, the behaviors that today lead to things like SQL injection will 
continue. We need to "hack" the business relationship - from there I 
firmly believe things will finally start to get better."

However, many (perhaps most) breaches aren't necessarily due to attacks 
against software applications -- as trivial as they are for most 
cyber-criminals. A survey of 500 IT professionals (who primarily report 
directly or indirectly to the CIO or the CISO) found that 60 percent of 
respondents report that customer data that was lost or stolen was not even 
encrypted. Also, the most common types of data breaches include email at 
70 percent, credit card or bank payment information, 45 percent, and 
social security numbers at 33 percent. Also, not surprisingly, when 
organizations were actually able to determine the cause of a breach -- the 
most common culprit was the negligent insider at 34 percent, while 19 
percent say it was the outsourcing of data to a third party and 16 percent 
say a malicious insider was the main cause.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
