Tue Jun 17 18:36:52 UTC 2008
Verizon security breach report
--
An interesting report from Verizon's Business Risk Team, covering 4 years of forensic research on actual security breaches:
“a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007”
“78% of the breaches we handled would have still occurred if systems had been 100% patched the instance a patch was available.”
- External criminals pose the greatest threat (73%), but achieve the least impact (30,000 compromised records) ?
- Insiders pose the least threat (18%), and achieve the greatest impact (375,000 compromised records) ?
- Partners are middle in both (39% and 187,500) ?
“An example of omission would be policies being established and thought to be in place, but in fact were not. 49% of all cases involved some form of omission. 66% of all cases involved data the victim did not know existed, or, did not know was being stored where it was.”
- Three quarters of all breaches are not discovered by the victim
- Attacks are typically not terribly difficult or do not require advanced skills
- 85% of attacks are opportunistic rather than targeted
- 87% could have been prevented by reasonable measures any company should have been capable of implementing or performing
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
