Computerworld,
by Jaikumar Vijayan, March 22, 2012
Computerworld
- Despite rising concern that cyberattacks are becoming increasingly
sophisticated, hackers used relatively simple methods 97% of data breaches in
2011, according to a report compiled by Verizon.
The annual
Verizon report on data breaches, released Thursday, also found that in a vast
majority of attacks (80%), hackers hit victims of opportunity rather than
companies they sought out.
The
findings suggest that while companies are spending increasing sums of money on
sophisticated new security controls, they are also continuing to overlook
fundamental security precautions.
The
conclusions in the Verizon report are based on the investigations into more
than 850 data breaches. The report was compiled with the help of the U.S.
Secret Service and law enforcement agencies in the United Kingdom, The
Netherlands, Ireland and Australia, Verizon said.
Verizon
said it found that attacks by so-called "hactivist" groups such as
Anonymous for the first time compromised more breached records -- more than 100
million -- than the number of attacks by hackers specifically looking to steal
financial or personal data.
Data breach
victims and security vendors generally tend to describe attacks as highly
sophisticated and involving a great deal of expertise on the part of hackers.
The Verizon
report though shows a far more mundane reality.
Most of the
breaches didn't require hackers to possess special skills or resources, or to
do much customization work. In fact, Verizon said that 96% of the attacks
"were not highly difficult" for the hackers.
"Additionally,
97% were avoidable, without the need for organizations to resort to difficult
or expensive countermeasures," the report said.
Very often,
the companies breached had no firewalls, had ports open to the Internet or used
default or easily guessable passwords, said Marc Spitler a Verizon security
analyst.
The study
found that cybercriminals did not have to work any harder to break into a large
organization than into a small one.
Attackers
in 2011 generally didn't need new sophisticated tools to break into most
organizations, Spitler said.
"We
have seen nothing new. Some of the old standbys are continuing to work very
well for the people going after information," he said. "Not enough
has been done to raise the bar and to force them to spend" significant
sums on new tools and exploits.
The most
sophistication found by the researchers was in the methods used by attackers to
steal data after breaking in to systems, he said.
Attackers
typically have installed malware on a victim company's network to escalate
privileges, set up backdoors, enable remote control and sniff out sensitive
data. Many take steps to remain hidden on the network for a long time and then
wipe their tracks when they are done.
Such tasks
require moderate to advanced skills and extensive resources on the part of the
attackers, according to Spitler. "That is one area where we have raised
the bar," he said.
Most of the
targeted attacks last year were directed large companies in the finance and
insurance industries, according to Verizon.
Hackers,
often part of organized groups, used large-scale automated methods to find
vulnerable businesses to exploit.
In such
cases, more than 85% of victim companies employed less than 1,000 employees and
were mostly in the retail, hospitality and food services industries.
The
findings once again highlight the need for companies to pay attention to
security basics, Spitler said.
"It is
about going back to basic security principles. A lot of the same
recommendations we have used in past years, we have recommended this
year," he said.
Jaikumar
Vijayan covers data security and privacy issues, financial services security
and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or
subscribe to Jaikumar's RSS feed . His e-mail address is
jvijayan@computerworld.com.
No comments:
Post a Comment