Further thoughts on the 2011 Verizon Data Breach Investigations Report (DBIR). This year’s report shows a drop in insider-related threats. What is interesting is that 92% of attacks stemmed from external agents, and in 2011 11% involved social engineering. Social engineering attacks have decreased, but external attacks in general have risen by 22%.
Of the external attacks, 58% were committed by criminal gangs, which is further proof, as if more were needed, that information is worth a lot of money now.
What I found really interesting, though, is that of the attacks that were external hacks, 14% were the result of SQL injection, and those accounted for 24% of all the stolen records.
What is wrong with us? This is preventable: parameterised queries have been standard practice for years. Also, 49% of attacks involved footprinting and fingerprinting. How difficult is it really to suppress server banners, strip identifying headers and stop verbose error messages reaching the client? It will not stop a determined attacker on its own, but it removes the free reconnaissance that automated tooling relies on.
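To make the "this is preventable" point concrete, here is an added example (mine, not from the post or from the Verizon report) showing the same lookup written two ways against an in-memory SQLite table with constructed sample rows. The string-formatted version returns every row when handed the textbook tautology payload; the parameterised version treats the same payload as a literal username and returns nothing.

```python
import sqlite3

# Constructed sample data for this example; not taken from the report.
SAMPLE_USERS = [
    ("alice", "a1"),
    ("bob", "b2"),
    ("carol", "c3"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting: the classic injection bug.

    User input is spliced into the SQL text, so a quote in the input ends the
    literal and whatever follows is executed as SQL.
    """
    sql = "SELECT username, api_key FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter.

    The SQL text is fixed and the value travels separately to the engine, so
    the input is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT username, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the literal, then a tautology
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload": lookup_vulnerable(conn, payload),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_payload": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The fix costs nothing at runtime and is the same in every mainstream database driver; the only reason it keeps turning up in breach reports is that someone chose the first form.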
And then, depressingly, 67% of attacks succeeded because someone was able to guess default usernames and passwords. These are not new attack vectors; they are trivially automated by attackers, and the checks that would catch them can be automated just as easily.
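Since the point is that the defender's check is as automatable as the attacker's guess, here is an added example (mine, not from the post or the report) of an offline default-credential audit. It assumes an account store of salted PBKDF2 hashes and a short, illustrative list of default username/password pairs; both the store and the list are constructed for the example, and a real audit would use the vendor defaults for the products actually deployed.

```python
import hashlib
import hmac
import os

# Illustrative default pairs, constructed for the example; a real list is
# much longer and specific to the products in use.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("root", "toor"),
    ("sa", ""),
    ("guest", "guest"),
]

ITERATIONS = 100_000  # assumed work factor of the account store


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_sample_accounts():
    """Constructed account store: username -> (salt, hash).

    Two of the four accounts still carry their installation defaults.
    """
    plaintext = {
        "admin": "admin",                 # never changed after install
        "root": "c0rrect-h0rse-battery",  # properly changed
        "sa": "",                         # blank default left in place
        "alice": "alice-has-a-real-password",
    }
    store = {}
    for user, password in plaintext.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def find_default_credentials(accounts, defaults):
    """Return usernames whose stored hash matches a known default for that name.

    The comparison is done against the hashes, so it can run on an account
    export without anyone seeing plaintext passwords. Constant-time compare is
    used out of habit; the hashes here are not secret from the auditor, but the
    same routine should be safe to reuse in a live login path.
    """
    flagged = set()
    for user, password in defaults:
        if user not in accounts:
            continue
        salt, stored = accounts[user]
        if hmac.compare_digest(hash_password(password, salt), stored):
            flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    still_default = find_default_credentials(build_sample_accounts(), DEFAULT_CREDENTIALS)
    print("accounts still on default credentials:", still_default)
```

Run against a real export this takes seconds per account, which is the whole point: anything an attacker can brute-force in an afternoon the owner can detect on a schedule.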
22% of these attacks were against web applications and 71% used remote access services.
All in all, these attacks, while increasing in number, are resulting in fewer stolen records. This is good news. I think it means that the headline prosecutions of perpetrators are taking effect. I think we are slowly turning the corner, but we have a lot more to do, especially when so many of these attacks are simple and preventable.
I will leave you with one last statistic from the 2011 report: 89% of victims subject to PCI DSS had not achieved compliance.