Simply paying attention to who is accessing their networks could help enterprises prevent the majority of attacks, a new study shows. The study, which looked at data from Department of Justice prosecutions from the last seven years, found that most of the attacks involved in those cases could have been stopped had the companies deployed systems to check the identity of the machines connecting to their networks.
Pleasanton, Calif.-based research firm Trusted Strategies sifted through DOJ records of cybercrimes between March 1999 and February 2006. The firm found that 84% of network attacks against companies probably wouldn't have happened had companies implemented device identification and authentication methods in addition to requiring user names and passwords.
"We found that most devices connecting to the network were unsanctioned by the company," said Trusted Strategies' Bill Bosen, who spent a year and a half studying Justice Department records. "If the companies had checked the individuals' devices as well as their identity before letting them connect, most of these crimes wouldn't have happened."
Most attacks in the last seven years involved stolen IDs and passwords, and companies suffered anywhere from $1.5 to $10 million in damage as a result, Bosen said.
The study also found that:
Bosen said that in 88% of the cases, digital miscreants logged onto one or more privileged user accounts and accessed IDs and passwords by using network-sniffing tools and password cracking programs.
"They also succeeded in their attacks by getting insiders to share their IDs and passwords with co-workers who later left the organization, and used that knowledge to gain access," Bosen said.
Trusted Strategies conducted the study on behalf of Phoenix Technologies Ltd., a Milpitas, Calif.-based vendor of device-defining software. Dirck Schou, senior director of security solutions for the company, said one case involved a disgruntled employee who left the company but still had access. Using a computer that was not sanctioned by the company, he was able to go into the network and delete reams of data.
"The employee used stolen IDs and passwords to damage intellectual property and company processes," he said. "It cost the company $10 million in damages."
Schou said the lesson is that identity and access management is about more than authenticating individual users. Their machines must be verified as well.
"The workforce is increasingly mobile, doing work from home and elsewhere," he said. "Because of this, IT managers need to leave openings in the network. But they also have to implement a policy that says they know every endpoint connecting to the network and that those endpoints have the proper antivirus and firewalls."
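The control Schou describes, verifying the connecting machine and its posture in addition to the user's credentials, as a small added example (not code from the study, Trusted Strategies or Phoenix Technologies). It assumes a hypothetical inventory of enrolled devices, each issued an HMAC-based device token at enrollment, and a constructed credential store; it then shows why stolen-but-valid credentials from an unsanctioned machine still fail.

```python
"""Device-aware access decision: a login is allowed only when the user's
credentials are valid AND the connecting machine is an enrolled, sanctioned
device AND that device reports the required antivirus/firewall posture."""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed enrollment secret; in practice it would live in a vault/HSM.
ENROLL_KEY = b"constructed-enrollment-secret"


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str          # assumed one-owner policy: the device is bound to a user
    antivirus_ok: bool  # posture flags as reported by the endpoint agent
    firewall_ok: bool


def device_token(device_id: str) -> str:
    """Token issued to a machine at enrollment and presented on each connection."""
    return hmac.new(ENROLL_KEY, device_id.encode(), hashlib.sha256).hexdigest()


# Constructed inventory: only machines IT has enrolled appear here.
INVENTORY = {
    "lt-0042": Device("lt-0042", "alice", antivirus_ok=True, firewall_ok=True),
    "lt-0077": Device("lt-0077", "bob", antivirus_ok=False, firewall_ok=True),
}
# Constructed stand-in for a directory; real systems store password hashes.
VALID_CREDS = {"alice": "pw-alice", "bob": "pw-bob"}


def decide(user: str, password: str, device_id: str, token: str):
    """Return (allowed, reason). Every gate must pass, so a valid password
    presented from an unknown or unhealthy machine is still refused."""
    if VALID_CREDS.get(user) != password:
        return False, "bad credentials"
    dev = INVENTORY.get(device_id)
    if dev is None:
        return False, "unsanctioned device"
    if not hmac.compare_digest(token, device_token(device_id)):
        return False, "device token invalid"
    if dev.owner != user:
        return False, "device not assigned to user"
    if not (dev.antivirus_ok and dev.firewall_ok):
        return False, "posture failed"
    return True, "ok"
```

The departed-employee case from the article maps to `decide("alice", "pw-alice", "home-pc", ...)`: the password is correct, but the machine is not in the inventory, so access is denied before the credentials alone can do any damage.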