Why You Need It
A recent New York Times article by Nicole Perlroth referenced these words from an investigative report by security researchers at McAfee into a vast online espionage campaign called Operation Shady RAT.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.
“In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
Lessons from the past
Verizon Business Systems RISK Team found that external agents initiated 98% of all data breaches, 81% of all attacks utilized some form of hacking, and 69% incorporated malware. The 2102 Data Breach Investigation Report went on to say that incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records. This makes sense, as these threat actions remain the favored tools of external agents, who, as stated previously, were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access). Given the drop in internal agents, the misuse category had no choice but to go down as well. Social tactics fell a little, but were responsible for a large amount of data loss.
Cause for even greater concern among information security professionals and business executives is that 79% of the victims were targets of opportunity and that 96% of the attacks were not highly difficult and could have been avoided through simple or intermediate controls. The fact that so many data breaches were executed easily and most likely could have been avoided is primarily due to the lack of financial commitment to information security. This may result not only in a significant financial loss in the event of a data breach but also, for publically traded companies, the potential for charges of negligence.
A recent New York Times article by Nicole Perlroth referenced these words from an investigative report by security researchers at McAfee into a vast online espionage campaign called Operation Shady RAT.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.
“In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
Lessons from the past
Verizon Business Systems RISK Team found that external agents initiated 98% of all data breaches, 81% of all attacks utilized some form of hacking, and 69% incorporated malware. The 2102 Data Breach Investigation Report went on to say that incidents involving hacking and malware were both up considerably last year, with hacking linked to almost all compromised records. This makes sense, as these threat actions remain the favored tools of external agents, who, as stated previously, were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access). Given the drop in internal agents, the misuse category had no choice but to go down as well. Social tactics fell a little, but were responsible for a large amount of data loss.
Cause for even greater concern among information security professionals and business executives is that 79% of the victims were targets of opportunity and that 96% of the attacks were not highly difficult and could have been avoided through simple or intermediate controls. The fact that so many data breaches were executed easily and most likely could have been avoided is primarily due to the lack of financial commitment to information security. This may result not only in a significant financial loss in the event of a data breach but also, for publically traded companies, the potential for charges of negligence.
So…what is the cost of doing nothing?
What are the costs of a data breach? This varies based on the individual components of each company. Most companies are so focused on defending against an attack that keeping track of the different costs associated with the breach is usually of secondary concern. And many organizations simply aren’t motivated, for whatever reason, to collect data on their financial losses after an incident. There are, however, a number of studies that attempt to quantify these costs. The studies consider not only the hard costs of incident response but also the potential, and likely, loss of customers. Legal costs and regulatory fines are also a consideration. A recent study from the Ponemon Institute suggest that the average cost of a data breach for US companies was $8.9 million in 2012.
Most Likely Threats – 2013
Many security experts believe that the primary threats to information security in 2013 will be exploits of cloud-based applications, mobile device attacks, and all out cyber warfare. The RISK Team at Verizon takes a different view, one with which we agree:
The threats that will most likely occur in 2013 will involve authentication attacks and failures, web application exploits and social engineering according to Verizon’s Wade Baker in this AOL Government article. Larger enterprises and governments must also remain on high alert from adversaries motivated by espionage and hactivisim. Hacktivists breaking into a computer system, for a politically or socially motivated purpose, will evolve in frequency and sophistication.
Now that you know why you need an Information Security Management system, how do you go about building one? We’ll be discussing that next week in Part 2.
What are your reactions to some of the statistics we’ve presented here? Please share in the comments.
