Verizon: Organized crime fuels spike in data breaches

One growing concern is that companies don't recognize that their networks have been breached, Baker said. Almost half the time, it takes a third party – for example, someone reporting suspicious credit card activity – for a breach to be detected.

"The typical scenario is that the victim either forgets to do something, omits something, misconfigures a server or in some way creates a vulnerability," Baker said. "A hacker takes advantage, that gets them in the door, they find the system and compromise it and install malware that triggers the system to store data, and the criminal comes and picks it up later."

Enterprises need to focus on preventing that initial breach, Baker said, in no small part because it's easier for a hacker to disguise malicious activity once it is taking place. "As soon as you change the signature for a piece of malware, the antivirus doesn't work, because it doesn't have a known bad signature," Baker said. "The easiest way to stop that is to keep them out of the network in the first place. Hackers gain entry by easy means and take advantage of an error. The best theft protection strategy is keep them out."

Keeping bad guys at bay

Enterprises that methodically follow all the security best practices stand a good chance of keeping the bad guys at bay, Baker said. Verizon's DIBR study shows that too few companies are careful enough about basic things such as protecting basic authentication credentials by not using default credentials and controlling access to shared credentials, Baker said. Too many companies don't make sure that terminated employees and partners can't still get access to their systems, he said. That kind of unauthorized access accounted for 53% of data breaches.

SQL Injections – a kind of attack where someone being asked for input, such as their name, instead inserts a MySQL statement that runs a query on the host company's database without its knowledge – is a preventable issue but still a prominent one, Baker said. Web applications and remote access are two other points of vulnerability.

Based on Verizon's research, here are some of Baker's tips for service providers and enterprises seeking to reduce data breaches:

• Systematically review user accounts and system credentials. "It's amazing to have to recommend that in 2009, but we do," Baker said. "They need to go through and make sure that they have the right privileges and everyone who's left the company no longer has access -- also that partners or third parties no longer have access if they shouldn't."
• Patch smarter. "Web applications were a common vector of attack, so we see value in finding problems in applications especially -- those that face the Internet because those are visible to criminals, and they are exploring them for weaknesses," Baker said. "We didn't see many vulnerabilities that didn't have a patch, but our message isn't patch faster but patch more consistently and smarter." Rather than scramble when a patch is first released, he said, "gather your feet under you, and make a plan and deploy it in the same manner later. The attack isn't going to come tomorrow; it's probably going to come months from now."
• Examine logs. "Companies collect event logs, but they don't use them or look at them," Baker said. "There are many different potential warning signs of criminal activity. And I would add application logs because they are a valuable source of potential discovery data."   
• Manage third-party access carefully, and terminate it when appropriate.

Many companies still have open network connections to suppliers or businesses they no longer work with, Baker said.

The Payment Card Industry (PCI) standard does seem to be working, Baker said. "We find PCI to be effective in preventing breaches, and the companies that are high in compliance aren't the ones being breached," he said. "It's not the end-all, be-all but a part of an effective strategy."