Posts Tagged ‘Data Breach Report’
Thursday, October 16th, 2008
By Wade Baker
“Attacks vary, therefore risk management doesn’t work.” To be fair, that’s not a direct quote from a recent Dark Reading article entitled “Why Risk Management Doesn’t Work”, but it is an accurate expression of its message. Like us (and Alex Hutton of RMI), you may be thinking that something about that message doesn’t seem quite right. Congratulations – you’re a logician.
Non sequitur is a Latin phrase meaning “it does not follow.” It applies to an argument where the conclusion does not logically follow from the premise. Need a good example? Check out the Dark Reading article which discusses our 2008 Data Breach Investigations Supplemental Report. Actually, the article itself isn’t bad; it does a fine job covering some of the findings from our report. My main objection is with the logical conclusion implied in the title which, oddly, doesn’t seem to square with what the article spends most of its time discussing.
Tags: Data Breach Report, Information Security, risk, security
Posted in Analysis | No Comments »
Wednesday, October 8th, 2008
Dr. Peter Tippett, VP of Research and Risk Intelligence for Verizon Business Security Solutions, was recently interviewed by Robert Richardson at Information Week about the Data Breach Supplemental Report. Visit the link below to listen.
Listen
Tags: Data Breach, Data Breach Report, forensics, security, Tippett, verizon
Posted in Announcements, Studies & Whitepapers | No Comments »
Thursday, October 2nd, 2008
By Wade Baker
Today, we released a supplement to our 2008 Data Breach Investigations Report (DBIR) that focuses on four major industry groups. As many of you know, the original document compiled four years of data from over 500 cases worked by our Investigative Response team and was intended to be a kind of “state of the union” look at recent security breach and data compromise trends.
Tags: Data Breach, Data Breach Report, forensics, Information Security, risk, statistics
Posted in Studies & Whitepapers | 2 Comments »
Wednesday, August 20th, 2008
By Wade Baker
Since releasing the 2008 Data Breach Investigations Report (DBIR) in June, we’ve frequently been asked some form of the following question: “Do the findings presented in the report differ among industries?” It’s a good question, and one we’re working on answering at length in a supplemental report contrasting the four most frequently breached industries (Financial Services, Tech Services, Retail, and Food & Beverage) using the original dataset. We plan to release the report sometime next month, but would like to give you a sneak peek in this post.
You may remember that the 2008 DBIR considered three main sources, or origins, of data breaches: external, internal and partner. The upcoming supplemental report naturally adopts this same trio of sources. Based on Verizon Business caseload from 2004 through 2007, the figure below depicts the percentage of breaches attributed to internal, external and partner sources for each industry group.

Tags: Computer Crime, Data Breach, Data Breach Report, forensics, Information Security, Investigations, Personally Identifiable Information
Posted in Analysis, Studies & Whitepapers | No Comments »
Monday, July 7th, 2008
By Wade Baker
Our 2008 Data Breach Investigations Report presents statistics on the percentage of breaches involving outsiders, insiders and partners (73%, 18%, and 39% respectively). Public reaction to these statistics runs the gamut from revulsion to revelry. This is especially true with respect to the relatively low percentage of breaches tied to insiders. Some seem to think we’ve blasphemed the sacred doctrines of our trade handed down from on high long ago. Others are glad to see their oft-ridiculed beliefs finally vindicated by objective data. Many in the middle are cautious about drawing conclusions, and are unsure what to make of the statistics.
Which reaction is appropriate? We won’t weigh in on that question; we’ll stick to providing data rather than dictating the reactions of others. We would, however, like to address the underlying questions fueling such reactions - whether these statistics are bogus, biased or believable.
Tags: Data Breach Report, forensics, Information Security, insiders, statistics
Posted in Studies & Whitepapers | 2 Comments »
Tuesday, July 1st, 2008
Symantec’s Hon Lau recently published a blog post titled “Patch Management – Speed is of the Essence.” You may know that we also recently published a blog post titled “Patching Conundrum”, in which we discussed how our studies had convinced us that patching too fast can be a “bad thing™.”
Hon Lau said, “It is this gap between the availability of patches and their application that is creating a window of opportunity for would-be attackers.”
Well, really, it isn’t. The “window of opportunity” begins when the vulnerable version of whatever is actually installed and/or implemented, and lasts until a non-vulnerable version is installed, or until the product stops being used. Nothing terribly significant occurs once a patch is released, unless you fear “Automatic Patch-Based Exploit Generation” (APEG). Hon Lau seems to.
Tags: Data Breach Report, Information Security, Patching
Posted in Analysis | 1 Comment »
Monday, June 23rd, 2008
By Peter Tippett and Wade Baker
Studies are useful to help us to learn what works and what does not. Studies of others’ experiences, such as The Verizon Business 2008 Data Breach Investigations Report, are especially instructive. But most of us crave to actually understand why events play out as they do, and to be able to accurately predict what the results of those studies will be. Risk models can be very useful in driving our understanding.
Tags: Computer Attacks, countermeasure, Data Breach Report, InfoSec, risk
Posted in Analysis | No Comments »
Friday, June 20th, 2008
Bryan Sartin, Director of Investigative Response for Verizon Business Security Solutions, was recently interviewed by Michael Johnson at PodTech. Visit the links below to listen.
Tags: Data Breach, Data Breach Report, forensics, Sartin, security, verizon
Posted in Announcements | No Comments »
Thursday, June 19th, 2008
By Wade Baker
After a long working session on the “Data Breach Investigations Report”, my co-authors and I decided a lunch break was in order. Mealtime conversation meandered through a diverse range of topics and eventually settled on the recent movie “No Country for Old Men.” Dave, a bit more of a film connoisseur than Andrew or I, gave it five stars. Although I appreciated the cinematography and acting, I didn’t think it lived up to all the hype it received. I believe Andrew’s sentiments were similar. We did, however, unanimously agree on one thing: if a stranger walks up to you with a tank of compressed air and tries to press a strange metal apparatus to your forehead, it’s best not to just stare blankly and let that happen.
Although they rarely look so freakishly suspicious, findings from the report remind us that a dose of healthy caution when dealing with business partners might not be a bad idea either.
Tags: Data Breach Report, extended enterprise, outsourcing, Partners
Posted in Analysis | No Comments »
Thursday, June 19th, 2008
One of the more commonly referenced findings from our “2008 Data Breach Investigations Report” is that 87% of breaches could have been avoided if “reasonable security controls” had been in place at the time of the incident. As this statistic filters through the press and blogs, some are suggesting our use of the term “reasonable” has legal implications, or refers to controls that are “extravagantly hard” to implement. Such interpretation is simply not justified, and we’d like to set the record straight.
Tags: countermeasure, Data Breach Report, InfoSec, mitigation, reasonable control, risk
Posted in Analysis | 2 Comments »