[ISN] Breaches, like history, repeat themselves

From: InfoSec News <alerts_at_private>
Date: Tue, 31 Jan 2012 00:05:52 -0600 (CST)

By George V. Hulme
January 30, 2012

Two recent studies show that if organizations simply focused on IT 
security basics, they'd make great strides in reducing their risk of 
embarrassing, avoidable and often costly data breaches.

Security firm Imperva examined attack trends across 40 applications and 
monitored millions of attacks that targeted web applications for the 
six-month period spanning June through November of last year. The firm 
found that attackers like to target five relatively common application 
vulnerabilities: remote file inclusion, SQL injection, local file 
inclusion, cross site scripting and directory traversal attacks. The 
majority of these attack vectors have been significant problems for 

Rafal Los, chief security evangelist, HP Software Worldwide, says the 
industry's inability to rid itself of lingering and well-understood 
software vulnerabilities isn't a problem due to lack of technology. 
"It's now a behavioral problem. Development organizations have more 
resources than ever to create a rational, security-infused software 
development lifecycle (SDLC) which doesn't 'bolt-on' security at the 
very last stages," says Los. "Until security becomes a fundamental 
business objective, the behaviors that today lead to things like SQL 
injection will continue. We need to 'hack' the business relationship - 
from there I firmly believe things will finally start to get better."

However, many (perhaps most) breaches aren't necessarily due to attacks 
against software applications, trivial as those attacks are for most 
cyber-criminals. A survey of 500 IT professionals (who primarily report 
directly or indirectly to the CIO or the CISO) found that 60 percent of 
respondents report that the customer data that was lost or stolen was not 
even encrypted. The most common types of data breached were email, at 70 
percent; credit card or bank payment information, at 45 percent; and 
social security numbers, at 33 percent. Also, not surprisingly, when 
organizations were actually able to determine the cause of a breach, the 
most common culprit was the negligent insider, at 34 percent, while 19 
percent say it was the outsourcing of data to a third party and 16 
percent say a malicious insider was the main cause.

Received on Mon Jan 30 2012 - 22:05:52 PST