Stepping into the breach

It seems organisations still cannot get the hang of protecting their data
after a report found that nearly nine out of 10 corporate data breaches could
have been prevented.

The 2008 Data Breach Investigations Report by
Verizon
Business, found that in 70% of the cases studied, the target
company only became aware of the security breach after being informed by a third
party. In 65% of the cases, the breach was not discovered for months and in 60%
of the incidents it took weeks or months for the company to take action.

Most data breaches investigated were caused by outsiders. However, breaches
attributed to insiders ­ though fewer in number ­ had much larger impact. The
research found that the median size for an insider breach exceeded that of an
external breach by more than ten times.

Furthermore, half of all internal breaches are carried out by the company’s
own IT staff.

Partners in crime
As a reminder of risks inherent to the extended enterprise, business partners
were behind more than one-third of breaches, a number that rose five-fold
between 2004 and 2007.

Incidents involving partners tend to be substantially larger than those
caused by external sources, such as opportunistic hackers. Verizon says that
“this supports the principle that privileged parties are able to do more damage
to the organisation than outsiders.”

Most breaches resulted from a combination of events rather than a single
action. Some form of error ­ whether poor decision-making, poor software
implementation, non-compliance, or process breakdowns ­ often directly or
indirectly contributed to data being breached. For example, standard security
procedures or configurations that were thought to be in place were often not.

The research found that freely available solutions were not used ­ for
example, 90% of known vulnerabilities exploited by these attacks had patches
available for at least six months prior to the breach.

Verizon lists a number of checks that organisations should make to protect
their systems:
• Align process with policy – In 59% of data breaches, the
organisation had established security policies and procedures in place, but they
were not followed through. For this reason, controls focused on accountability
and ensuring that policies are carried out can be extremely effective in
mitigating the risk of data breach.
• Achieve “essential” – More than 80% of breaches were caused
by relatively simple attacks; 85% were opportunistic. Remember, criminals prefer
to exploit weaknesses rather than strengths. They will look for an easy
opportunity and, finding none, will move on. Many of the victims in this study
worked hard to achieve very high levels of security in numerous areas, but
neglected even minimal control of others ­ precisely the areas through which
they gained access.
• Secure business partner connections – Partners, whether
intentionally or unintentionally, contributed to 39% of data breaches in the
study. A large proportion of these would likely have been avoided through the
implementation of basic partner-facing security measures.
• Increase awareness – Only 12% of data breaches were
discovered by employees of the victim organisation.

By implementing a required awareness programme, an organisation can
effectively educate employees about the risks of data compromise, their role in
preventing it and how to respond when incidents occur. If delivered effectively
and with proper incentives, this training can provide a blanket of basic
knowledge across the organisation on issues pertinent to data protection.
• Monitor event logs – Evidence of events leading up to 82% of
data breaches was available to the organisation prior to an attack, but the inf
ormation was neither noticed nor acted upon. Processes that ensure the timely,
efficient and effective monitoring of and response to network events are
critical to the goal of protecting data.
• Engage in mock incident testing – Organisations should
undergo routine training in the area of incident response. Attendance at this
training should be required as mandatory by policy and cover response
strategies, threat identification, threat classification, process definition,
proper evidence handling and mock scenarios.
• Create a data retention plan – Two-thirds of breaches
involved data that the victim did not know was on the system.

Organisations should identify and quantify the types of data retained during
business activities and then work to categorise this data based on risk and
liability. In doing so, they should determine what data absolutely cannot be
compromised and prioritise accordingly. Organisations should also try to
minimise the retention and replication of data.
• Control data with transaction zones – Once an organisation
has created a strategy for data retention, the next step is to define an
approach to securing that data, such as creating “transaction zones”. These
serve as the foundation for IT security and allow measures such as two-factor
authentication or one-time passwords for contractors.
• Create an incident response plan – When a breach is suspected
to have occurred, an organisation must be ready to respond. An effective
incident response plan helps ensure a breach can be stopped prior to data being
compromised and that evidence is collected in such a manner that enables the
business to pursue prosecution when necessary.

Useful links
For help with IT governance and security issues, go to
www.isaca.org