Verizon’s Business RISK Team has released their report on 2008’s data breaches.
The most telling fact or figure from the report is right there on the cover.
285 Million.
Yes, you read that correctly.
TWO HUNDRED AND EIGHTY FIVE MILLION BREACHED RECORDS.
Compared to the aggregate total number of records lost from 2004-2007 of ‘only’ 230 million.
The report is absolutely full of awesome information as well as incredibly well written commentary on the how’s and why’s of breaches.
Interesting factoids:
- only 7% of breaches were discovered by active infosec
- fully 69% of breaches were discovered by THIRD PARTIES!
- only 30% of breached organizations had IDS operational in a useful way (turned on and beeping is not good)
- investigations revealed extensive use of anti-forensics (over 30%)
- in the case of PCI-DSS regulated entities, 19% that had passed their previous assessment suffered breaches.
- post incident review of the PCI-DSS “Dirty Dozen” requirements revealed that the highest compliance level reached was ONLY 68%
- the suggested response for breached organization is over 50% “Simple and Cheap” changes to increase functional security
In a fairly long chat session tonight with one of the report’s authors, Dave and I came to the conclusion that our usual rant is the damn truth.
Everything that is being sold by the “security industry” isn’t aiding the problem. In fact, it’s usually creating a false sense of security on the part of the organization which purchases blinky lights and shiny things.
The slick sales-droid who calls us up and offers you a $regulatory Compliancy solution (PCI-DSS, NERC, etc.) is selling you what they have to sell rather than what you need to solve your problem.
We’re spending BILLIONS of dollars and the bad guys aren’t just catching up, they’re gaining… by a SIGNIFICANT margin.
It’s time for a return to doing good security work rather than just buying your way to ‘compliancy’ through a combination of some blinky lights and a ‘flexible’ QSA.
Read pages 46-49 of the report and do what it says. Seriously. It’s the advice that I would give if you were paying me to be your CISO.
[tags]verizon, verizon business risk team, 2009 breach report[/tags]