
Who steals from the Cops?

CIOL Bureau
AUSTRALIA: Verizon's recently launched Data Breach Investigation Report 2012 analyzes more than 850 breaches and includes data from five law enforcement agencies: the U.S. Secret Service, the Dutch High Tech Crime Unit, the Irish Reporting and Information Service, the Australian Federal Police, and the London Metropolitan Police.
Of the security breaches it studies, Verizon’s report found 58 per cent were cases of hacktivism, with motives shifting from financial (in earlier years) to political (in the current scenario). About 79 per cent of attacks were opportunistic and 96 per cent did not need advanced skills, while other trends point to a big shift from internal to external causes and around geographical epicenters. There are many more interesting beans that, when counted, make one really wake up and smell the coffee. The report tells us a lot about how adequately prepared and alert we really are. Sometimes, in the world of security threats, it’s better to be the princess who could not sleep for a pea in her bed than the careless, fair princess who trusted her queen’s apple a bit too naively. Here are some pea pods, meanwhile, as we chat with Mark Goudie, Managing Principal, Asia-Pacific — Investigative Response, Verizon.
Isn’t that a paradox? Your report cites how top law enforcement agencies are increasingly being on the receiving end of attacks?

The technology and IT systems in international security context are becoming more and more complex. This is an issue of complexity of information systems. To truly make them secure by design is tough. It is usually an afterthought. So security becomes an added layer and is hence easily compromised. People are stretched for time, corners get cut and the fact that oversight happens easily is also a challenge.
But 97 per cent of these attacks were avoidable as mentioned in the report? Without the need for organizations to resort to difficult or expensive countermeasures?
Yes, most data breaches in some form or shape had an oversight. It could be a configuration error in one case or, in another, a change that was not implemented properly or a change happening for those few hours only. No one checks the full ramification of a change. So inadvertent changes in an organization have serious consequences. Proper and regular checks, like at a quarterly or weekly level, are important.
The EU disclosure deadline of 24 hours for data breaches is under some debate as we speak. What’s your opinion here?
It takes time, first of all, to discover what happened exactly. When it is about 24 hours, there is not much idea on specifics as to the what and where of the data that has been compromised. To put a deadline on it may not elicit accurate results. Rather than looking at time frames, preventing data breaches in the first place is better. It’s like having a fire. How organizations react is of real importance.
Are the rising privacy concerns across the Internet in conflict with the security agenda?
They have always been complementary and not contradictory. If information is kept secure, compliant to privacy regulations, that’s not an issue. Security usually only clashes with usability.
From one per cent in 2010, to 95 per cent in 2011 of lost records that included personal information; are we facing another massive challenge as the world moves to a personal cloud?
The value of a record is the hard part of a data breach assessment. Calculating numbers is not the real deal. Cloud is having some impact for sure and with so much data being copied around, the bad guys are concentrating on successful intrusion techniques. It is a matter of simple security controls everywhere. Small organizations can follow some simple recommendations: like two-factor authentication, changing passwords on suspicions, looking at patterns and sources for attacks, etc. A lot of data is often compromised through use of stolen credentials, as our study revealed. Malware is also getting customized.
With the recent developments accentuating the question of compliance vs security, what’s your take on the adequacy of PCI Compliance?
Truly PCI-Compliant organizations have suffered a data breach too. Either they are not truly compliant or were so only at a point in time. You have to accept that organizations change all the time. PCI happens only over a period of time, so the rest of the year part is an important question.