Author: Jeff Foresman, Partner, Pondurance

I recently had the pleasure of presenting a 2011 Data Breach Review presentation for the Central Indiana ISSA meeting and it reminded me of a blog post I wrote in 2010 called “The proof is in …We Suck at Information Security”.   I thought it would be a good idea to dust off the old blog post and update it with new data from the Verizon Business 2011 Data Breach report and the Ponemon 2011 Data Breach Cost report.  The interesting thing is nothing has really changed.  A few of the statistics moved a few percentage points up or down but overall the data supports a common theme; most organizations have not implemented a comprehensive information security program which addresses administrative, technical and physical security controls.

96% of breaches were avoidable through simple or intermediate controls*

This means that the breaches are a result of poor patching processes, incorrect configurations, human error or the lack of basic security controls like firewalls and virus software.  Simple security controls and information security “best practices” could have prevented 96% of the breaches that Verizon Business investigated. In my many years of performing security assessments, I have found that companies have no problem spending money on security products but they don’t invest the time and effort in developing information security policies, configuration standards and procedures to insure a secure network environment.

92% of attacks were not considered highly difficult*

This means that it does not take a professional “hacker” with special tools, programming or mad social engineering skills to breach these companies. The attacks used were simple attacks that should have been easily prevented with the proper security controls and administrative procedures. If these companies would have invested in the proper resources and implemented policies, configuration standards, procedures and basic controls, most of these breaches could have been prevented.

86% of breaches were discovered by a third party*

This means that almost no one is effectively monitoring and detecting malicious activities.  From my experience it is usually because of a lack of an effective log-monitoring program. Most of the companies that were breached could have detected the breach or possibly even prevented it if they had just been watching their log files or if they had implemented a log monitoring solution. Companies continue to invest in preventative controls such as firewalls, virus software, NAC and DLP but they don’t want to invest in detective controls such as audit log monitoring solutions.

89% of victims subject to PCI DSS had not achieved compliance*

This proves that the PCI DSS standard is working. I have sometimes been critical of the PCI DSS standard but the implementation of PCI DSS or any other security standard such as HIPAA, GLBA, or SOX will improve information security policies, configuration standards and procedures as well as system and control implementations. Implementing information security “best practices” will address all of the weakness listed above and result in a more secure environment.

63% of the breached companies implemented training and awareness programs after the breach and 54% of the breached companies implemented additional manual procedures and controls**

I believe this statistic supports my theory that the companies included in these surveys did not have comprehensive information security programs implemented at the time of the breach if the corrective action after the breach was administrative changes and additional training.  A proper information security program is about achieving a balance of administrative, technical and physical security controls.

Recommendations

Scary statistics, right? The good news here is all of these breaches could have been prevented. We simply need to implement information security “best practices” and if your company falls under any regulatory compliance areas insure that you implement not only the security controls required but also the policies, configuration standards and procedures. Please understand, building an information security program is not about purchasing the latest security appliance with cool blinking lights.  It is about having the proper resources, policies, configuration standards, procedures and controls to secure your IT environment.

The recommendations I presented during the 2011 Data Breach Review presentation included the following steps to build or improve your information security program:

Administrative Controls

• Improve your Information Security Program
• Update (or create) Policies & Procedures
• Update (or create) Configuration Standards
• Match Configuration Standards to Vulnerabilities
• Develop an Information Security Awareness Program
• Perform Security Awareness Training
• Perform Social Engineering Testing
• Develop a Vulnerability Management Program
• Identify Vulnerabilities
• React to Vulnerabilities
• Patch Vulnerabilities
• Perform Vulnerability Scanning

Detective Controls

• Implement SIEM solution to collect, analyze and alert on suspicious log activity
• Make sure IDS/IPS, AV and DLP logs are monitored
• Perform regularly scheduled Penetration Testing
• Include both Network & Application penetration testing

Preventative Controls

• Closely review firewall rules and implement egress filtering
• Consider implementing DLP or End-Point protection solutions
• Consider implementing Threat / Malware protection solution

To view the entire presentation click here

Sources:

* Verizon Business 2011 Data Breach Report

** Ponemon 2011 Data Breach Cost Report