The State of the Breach
by Andy Green
By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.
As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving hacked data.
The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.
There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks. It’s a stat we’ll check again next year.
Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.
They note that for most breaches the lag between the initial compromise and its discovery is far too long: 67% of incidents take several months to be discovered. And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.
The obvious (and depressing) brick-and-mortar analogy? A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.
I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend. The Account Monitoring Control is a good starting point in any breach mitigation program.
The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.
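To make that monitoring principle concrete, here is an added example in Python; it is not Varonis product code and not something from the DBIR. It builds a per-account baseline of hourly file-access volume from constructed audit records, then flags an account that suddenly touches far more files than usual, or opens a file share it has never used before, or has no history at all. The record format, share names, dates and thresholds are all assumptions made for the illustration.

```python
"""Illustrative file-access anomaly detector (added example, not vendor code).

Each audit record is assumed to look like:  ISO-timestamp  user  share  path
"""
from collections import defaultdict
from datetime import datetime
import statistics


def constructed_history():
    """Constructed baseline: alice opens 2 finance files per working hour,
    bob opens 3 engineering source files per hour, over three days."""
    lines = []
    for day in (12, 13, 14):
        for hour in (9, 10, 11, 14, 15):
            for i in range(2):
                lines.append(f"2012-03-{day}T{hour:02d}:{10 * i:02d}:00 alice finance /finance/reports/r{day}{hour}{i}.xlsx")
            for i in range(3):
                lines.append(f"2012-03-{day}T{hour:02d}:{10 * i:02d}:00 bob eng /eng/src/m{day}{hour}{i}.c")
    return "\n".join(lines)


# Constructed "current day" records: alice bulk-reads 12 files at 2 a.m.,
# bob touches an HR share for the first time, carol has no history at all.
RECENT_LOG = "\n".join(
    [f"2012-03-15T02:{i:02d}:00 alice finance /finance/q1/statement{i}.xlsx" for i in range(12)]
    + [f"2012-03-15T10:{10 * i:02d}:00 bob eng /eng/src/m{i}.c" for i in range(3)]
    + ["2012-03-15T10:35:00 bob hr /hr/payroll/2012.xlsx",
       "2012-03-15T11:00:00 carol finance /finance/q1/budget.xlsx"])

CUTOFF = datetime(2012, 3, 15)  # everything before this is training data


def parse_log(text):
    """Turn raw lines into (timestamp, user, share, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, share, path))
    return events


def hourly_counts(events):
    """Per user, the number of distinct files touched in each clock hour."""
    buckets = defaultdict(set)  # (user, hour) -> set of paths
    for ts, user, _share, path in events:
        buckets[(user, ts.replace(minute=0, second=0, microsecond=0))].add(path)
    per_user = defaultdict(dict)
    for (user, hour), paths in buckets.items():
        per_user[user][hour] = len(paths)
    return per_user


def build_baseline(events, cutoff):
    """Mean/stdev of hourly distinct-file counts and the set of shares each
    user normally touches, computed only from events before the cutoff."""
    hist = [e for e in events if e[0] < cutoff]
    shares = defaultdict(set)
    for _, user, share, _ in hist:
        shares[user].add(share)
    baseline = {}
    for user, hours in hourly_counts(hist).items():
        vals = list(hours.values())
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[user] = {"mean": statistics.mean(vals), "sd": sd, "shares": shares[user]}
    return baseline


def detect(events, baseline, cutoff, min_ratio=3.0, z=3.0):
    """Return (user, reason) alerts for events at or after the cutoff.
    Volume alert: more distinct files in an hour than max(mean*ratio, mean+z*sd).
    Share alert: first-ever access to a share. Unknown accounts always alert."""
    recent = [e for e in events if e[0] >= cutoff]
    alerts = []
    for user, hours in hourly_counts(recent).items():
        b = baseline.get(user)
        if b is None:
            alerts.append((user, "no access history for this account"))
            continue
        threshold = max(b["mean"] * min_ratio, b["mean"] + z * b["sd"])
        for hour, n in sorted(hours.items()):
            if n > threshold:
                alerts.append((user, f"{n} distinct files in hour starting {hour.isoformat()} "
                                     f"(baseline mean {b['mean']:.1f})"))
    seen = set()
    for ts, user, share, _path in recent:
        b = baseline.get(user)
        if b and share not in b["shares"] and (user, share) not in seen:
            seen.add((user, share))
            alerts.append((user, f"first access to share '{share}' at {ts.isoformat()}"))
    return alerts


def run_example():
    events = parse_log(constructed_history() + "\n" + RECENT_LOG)
    return detect(events, build_baseline(events, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"ALERT {user}: {reason}")
```

The two thresholds are the tuning knobs a practitioner argues about: the ratio catches accounts whose normal rate is near zero (where a standard deviation of zero would otherwise make any access look anomalous), while the z-score handles noisy accounts. A real deployment would also use a longer training window and a time-of-day profile, so that alice's 2 a.m. activity is suspicious on its own and not only because of the volume.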
And by the way, I just happen to know of software that efficiently handles this problem.