Were there any significant findings in the 2012 Verizon Data Breach Investigations Report that indicate what is or isn't working in Web application security? Other than "Get a Web application firewall," what did you see as the important takeaways from the Verizon report?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security.
Many people saw 2011 as the year of the hacktivist, and hacktivists certainly gave many network administrators sleepless nights. There were several high-profile site defacements such as the attack on the CIA site, and denial-of-service attacks affected sites as large as the PayPal site. The number of advanced persistent threats and their sheer sophistication was another highlight of the Verizon DBIR 2012. For me, the main takeaway of the report is that security pros are still not doing the basics right.
Although many of the headline-grabbing attacks are incredibly sophisticated, cybercriminals looking to make a profit usually choose to target the weakest systems that display an absence of information security basics, such as those that remain unpatched against known vulnerabilities. Attackers know that a tried-and-tested attack code, often available on the Internet, has a high success rate against these insecure systems, and this greatly reduces their development times and costs. These types of attacks vastly outnumber those orchestrated by well-known groups such as Anonymous and LulzSec.
This is why Verizon's report picked up the growing number of attacks against the point-of-sale checkout systems used by restaurants and other small-business franchises, since attackers target these businesses to harvest customers' credit card numbers. A typical attack starts with a scan of IP addresses that look like they may belong to the servers that the restaurants and retailers use to transmit credit card and debit card data. Once a server is confirmed as a target, another attack program begins trying default and common passwords to log onto the server remotely. Many of the companies that install point-of-sale systems for small businesses neglect to set up a unique and strong password. When hackers find a password that works for a particular franchise, they often find it works at many other locations of the same franchise too.
The report also indicated that it isn't much harder for attackers to gain access to the resources of larger organizations. Simply changing the default password to a strong one would defeat this type of simple attack. Sadly, Verizon's report found that 96% of all data-breach hacks were "not highly difficult," with the initial compromise often requiring no special skills or resources. Translation: the average user could have executed the attack!
Until those responsible for data -- whether it's located on an enterprise server or a desktop PC at the back of a shop -- put basic application security practices in place, hackers will continue to steal data with relative ease. They aren't using sophisticated or expensive hacking tools; they are guessing easy or default passwords.
By all means, install data loss prevention tools if the budget is available, but disable default accounts and change default passwords on Internet-connected servers first. Most breaches are opportunistic, so hackers won't spend time on a hardened target if a softer one is available. Security should start by ensuring your organization is not the weakest system on the block.
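The answer above describes the pattern the report highlights (an attacker cycling through default and common passwords against a remote login service, then reusing whichever one works) and the two basic controls against it (disable default accounts, change default passwords). The following is an added example, not code from Michael Cobb, TechTarget or the Verizon report, showing how a defender can spot that pattern in authentication logs and confirm whether default accounts are still being used. The log format, the host names, the IP addresses, the list of "default" account names and the thresholds are all constructed assumptions for this example; a real deployment would map them to whatever the point-of-sale or remote-access product actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not taken from any real product).
# It shows one source guessing several accounts against pos-07 and then succeeding
# as "admin", one ordinary user mistyping a password once, and a short burst
# against pos-12 that stays below the alert threshold.
SAMPLE_LOG = """\
2012-05-01T02:13:41Z host=pos-07 src=203.0.113.5 user=admin result=FAIL
2012-05-01T02:13:42Z host=pos-07 src=203.0.113.5 user=admin result=FAIL
2012-05-01T02:13:43Z host=pos-07 src=203.0.113.5 user=root result=FAIL
2012-05-01T02:13:44Z host=pos-07 src=203.0.113.5 user=manager result=FAIL
2012-05-01T02:13:45Z host=pos-07 src=203.0.113.5 user=pos result=FAIL
2012-05-01T02:13:46Z host=pos-07 src=203.0.113.5 user=admin result=FAIL
2012-05-01T02:13:52Z host=pos-07 src=203.0.113.5 user=admin result=OK
2012-05-01T02:20:10Z host=pos-07 src=198.51.100.9 user=jsmith result=FAIL
2012-05-01T02:20:25Z host=pos-07 src=198.51.100.9 user=jsmith result=OK
2012-05-01T03:05:01Z host=pos-12 src=203.0.113.5 user=admin result=FAIL
2012-05-01T03:05:02Z host=pos-12 src=203.0.113.5 user=root result=FAIL
2012-05-01T03:05:03Z host=pos-12 src=203.0.113.5 user=pos result=FAIL
"""

# Account names treated as vendor/installer defaults: a constructed list for the
# example. In practice, take it from the product documentation or the installer.
DEFAULT_ACCOUNTS = {"admin", "root", "pos", "manager"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the sample format into event dicts, sorted by time. Malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag password guessing per (source, host) using a sliding window of failures.

    Emits 'failure_burst' once when the failure count reaches the threshold inside
    the window, and 'burst_then_success' if a successful login from the same source
    follows that burst within the window (the guess-then-login pattern).
    """
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    burst_at = {}                  # (src, host) -> time the burst was flagged
    findings = []
    for ev in events:
        key = (ev["src"], ev["host"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if not q:
            burst_at.pop(key, None)             # window emptied: forget the old burst
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in burst_at:
                burst_at[key] = ev["ts"]
                findings.append({"kind": "failure_burst", "src": ev["src"],
                                 "host": ev["host"], "failures": len(q), "ts": ev["ts"]})
        elif key in burst_at and ev["ts"] - burst_at[key] <= window:
            findings.append({"kind": "burst_then_success", "src": ev["src"],
                             "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
            del burst_at[key]
            q.clear()
    return findings


def default_account_logins(events, defaults=DEFAULT_ACCOUNTS):
    """List successful logins to accounts on the default-name list.

    Any hit means a default account is still enabled on that host, which is
    exactly the condition the answer says to remove before anything else.
    """
    return sorted({(ev["host"], ev["user"], ev["src"])
                   for ev in events
                   if ev["result"] == "OK" and ev["user"] in defaults})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_guessing(evs):
        print(f)
    for host, user, src in default_account_logins(evs):
        print(f"default account '{user}' still active on {host} (last login from {src})")
```

On the constructed log this reports one failure burst and one burst-then-success from 203.0.113.5 against pos-07, and one active default account (`admin` on pos-07); the single mistyped password from 198.51.100.9 and the three-attempt burst against pos-12 stay below the threshold. The threshold and window are deliberately conservative defaults; the point of the second check is that a login to a default account is worth a ticket even when no burst preceded it.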