By Wade Baker

Since releasing the 2008 Data Breach Investigations Report (DBIR) in June, we’ve frequently been asked some form of the following question: “Do the findings presented in the report differ among industries?” It’s a good question, and one we’re working on answering at length in a supplemental report contrasting the four most frequently breached industries (Financial Services, Tech Services, Retail, and Food & Beverage) using the original dataset. We plan to release the report sometime next month, but would like to give you a sneak peak in this post.

You may remember that the 2008 DBIR considered three main sources, or origins, of data breaches: external, internal and partner. The upcoming supplemental report naturally adopts this same trio of sources. Based on Verizon Business caseload from 2004 through 2007, the figure below depicts the percentage of breaches attributed to internal, external and partner sources for each industry group.

(more…)

by Russ Cooper

This month gives us numerous Microsoft Office patches (MS08-042, MS08-043, MS08-044 and MS08-051), including at least one (MS08-042) that addresses a vulnerability which has reportedly been used in another highly targeted attack.

We’ve also been given a patch (MS08-041) to address the Access Snapshot Viewer ActiveX control that is being actively targeted by criminals. Luckily, this control is rarely deployed so the actual number of victims is believed to be quite low.

Meanwhile, our concern is with the Cumulative Internet Explorer Update (MS08-045) and the IPsec Policy issue (MS08-047.) In the IE patch is a vulnerability involving memory allocation. This vulnerability cannot be mitigated by disabling Active Scripting, and also affects IE systems configured to run in the Enhanced Security mode. Details of how to exploit this vulnerability have not yet, however, been publicly disclosed so we can only hope that exploits do not arise before the patch can be installed.

As for the IPsec Policy issue, networks that use IPsec and believe they are encrypting their traffic may not in fact be encrypting. The problem is likely to be very rare at this point, given that a requirement is that the client system gets its IPsec policy information from a Windows Server 2008 system. Never-the-less, verifying that traffic you expect to be encrypted is actually encrypted is a good idea.

We have two patches (MS08-044 and MS08-046) pertaining to image format file parsing again. Even with numerous image vulnerabilities in the past we still do not see any exploits of this type, leading us to believe that the risk of attacks against these new ones is low.

Patches for Outlook Express and Windows Mail (MS08-048) normally don’t concern us very much because they’re rarely used in a corporate environment, but this one does cause some concern due to the fact that it involves MIME HTML (MHTML), which can be invoked via IE.

A vulnerability in COM+ Event System (MS08-049) and a Windows Messenger ActiveX control (MS08-050) round out the month’s offerings. Neither is terribly worrisome.

All in all, a busy month, but not really that much to worry about.

By Mark Zimmerman

We all cringe when we see a member of the executive management heading in our direction clutching a trade magazine with the latest WIBHI (Wouldn’t it be Horrible If) article highlighted. In order to help address this situation, we’ll discuss a topic that is, unfortunately, still only largely written about or discussed more than actually understood and/or implemented within the Information Technology department—Risk Analysis.

I’m talking about Risk Analysis skills at the day-to-day, rubber-meets-the-road implementation level, versus that once a year frantic exercise done a half hour before the auditor arrives. You know, the guy (or gal) who freaks everyone out by setting himself up in the conference room and calling people in to ask them to describe their job functions.

(more…)