In the information security industry, we’re always hearing about cybercriminals becoming more sophisticated, developing increasingly insidious ways to break into corporate networks. And of course, there’s always a new product out there that will solve the latest threat.
While there’s no doubt criminals are developing some pretty sneaky attack techniques – especially against certain organizations like defense contractors – it turns out that the majority of cyberattacks are far from sophisticated. According to the 2012 Verizon Data Breach Investigations Report, 96 percent of all attacks weren’t tremendously difficult, and 79 percent of victims were targets of opportunity.
So despite all the hand-wringing over emerging threats, what happened most often was the old-style crime of opportunity: Criminals seized on easily exploitable vulnerabilities to victimize organizations more often than they specifically targeted a company.
While it was too early in April to say how attackers were able to break into Global Payments’ servers, the March 30 breach involving Utah Department of Health records underscores the Verizon finding. According to an Associated Press report, criminals were able to steal personal data of 780,000 people because a technician installed a weak password on a server. Nothing tricky there; the East European hackers suspected in the attack simply found the low-hanging fruit and now thousands of people have to worry about identity theft. So much for HIPAA improving health care data security.
Why is this kind of lax security happening? Password security is fundamental. Are organizations getting so sidetracked defending themselves against the sophisticated threats that they’re forgetting computer security basics? Are they getting so sucked into the latest and greatest products that they’re overlooking the basics? Or is it a case of organizations simply not making data security a priority?
The Verizon DBIR explains that small and midsize businesses are most often the targets of opportunity, as criminals exploit vulnerabilities with large-scale automated attacks. Point-of-sale (POS) or remote administration systems that lack firewalls or use default or simple passwords are favorite targets for attackers, according to the report. SMBs often don’t have the resources for major security, but a strong password isn’t rocket science.
The Verizon DBIR doesn’t let big companies off the hook, though. “So what about larger organizations? Surely, they’re a lot more difficult to infiltrate, right?” Verizon writes. “Sadly, our data seems to suggest otherwise; it does not appear that cybercriminals have to work much harder to compromise larger organizations than they do for smaller ones.”
Big companies are often falling down in the area of log monitoring and adherence to standards like the PCI DSS, according to the DBIR. Once inside an organization, criminals pull out the more sophisticated stuff.
So large or small, it seems we’ve taken our eye off of computer security basics. As Verizon notes, the most effective and efficient approach to preventing attacks is “almost always to stop assailants before they get in the door. Most opportunistic criminals,” it adds, “will not expend their resources on a hardened target while a softer one of similar perceived value is available.”
It’s easy to get caught up in the latest intrigue on the threat horizon and cutting-edge technology. But while it’s important to keep an eye on evolving threats, we can’t lose sight of fundamental best practices.
About the author:
Marcia Savage is editor of Information Security magazine. Send comments on this column to firstname.lastname@example.org.