http://www.csoonline.com/article/699021/breaches-like-history-repeat-themselves By George V. Hulme CSO January 30, 2012 Two recent studies show that if organizations simply focused on IT security basics, they'd make great strides in reducing their risk of embarrassing, avoidable and often costly data breaches. Security firm Imperva examined attack trends across 40 applications and monitored millions of attacks that targeted web applications for the six-month period spanning June through November of last year. The firm found that attackers like to target five relatively common application vulnerabilities: remote file inclusion, SQL injection, local file inclusion, cross site scripting and directory traversal attacks. The majority of these attack vectors have been significant problems for years. Rafal Los, chief security evangelist, HP Software Worldwide, says the industry's inability to rid itself of lingering and well-understood software vulnerabilities isn't a problem due to lack of technology. "It's now a behavioral problem. Development organizations have more resources than ever to create a rational, security-infused software development lifecycle (SDLC) which doesn't 'bolt-on' security at the very last stages," says Los. "Until security becomes a fundamental business objective, the behaviors that today lead to things like SQL injection will continue. We need to "hack" the business relationship - from there I firmly believe things will finally start to get better." However, many (perhaps most) breaches aren't necessarily due to attacks against software applications -- as trivial as they are for most cyber-criminals. A survey of 500 IT professionals (who primarily report directly or indirectly to the CIO or the CISO) found that 60 percent of respondents report that customer data that was lost or stolen was not even encrypted. Also, the most common types of data breaches include email at 70 percent, credit card or bank payment information, 45 percent, and social security numbers at 33 percent. Also, not surprising, when organizations were actually able to determine the cause of a breach -- the most common culprit was the negligent insider at 34 percent, while 19 percent say it was the outsourcing of data to a third party and 16 percent saying a malicious insider was the main cause. [...] _____________________________________________________ Did a friend send you this article? Make it your New Year's Resolution to subscribe to InfoSec News! http://www.infosecnews.org/mailman/listinfo/isnReceived on Mon Jan 30 2012 - 22:05:52 PST
This archive was generated by hypermail 2.2.0 : Mon Jan 30 2012 - 22:08:53 PST