Studying Data Breaches as a whole

IBM has an infographic and a report:

http://www-935.ibm.com/services/us/en/security/infographic/cybersecurityindex.html

http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/

(we make a point to show you the whole link, so you know exactly where you are going)

The human factor

The image above is a snippet from the infographic  IBM has gathered this information from the Ponemon Institute research report (you can download these reports if you register with IBM).

How Breaches occur to me was important (rather than the financial effects, since one large breach can skew the average $ amount)

How Breaches occur:

Mis-configured system or application  — 42%

Vulnerable code                                       —-  6 %

End-user error                                          —  31%

Targeted attack exploited                      —-   6%

Undetermined                                           —  13%

 

The human factor accounts for 73% of all breaches.  I am setting aside the “vulnerable code” to more sophisticated attacks. and “targeted attack exploited”

 

 

Last year (as well as for many years there have been many inherent vulnerabilities in some of the software architectures) there was a decent summary at a Dark reading blog post:

http://www.darkreading.com/vulnerabilities—threats/4-mega-vulnerabilities-hiding-in-plain-sight-/a/d-id/1318610?

the following vulnerabilities were built into systems for years

  • Shellshock: existent for 25 years
  • Winshock: existent for 19 year
  • Kerberos Checksum Vulnerability: existent for 14 years
  • Heartbleed: existent for “only” two years

There are many people trying to uncover vulnerabilities, which is  why the industry “found” Shellshock, even though it was built into the Bash shellcode for 25 years no one mentioned it as an attack vector until last year, and then everyone had to fix it.

 

Although we may find more “targeted attacks” or “vulnerable code” exploits we need to focus on user education and try to remove the 73% of data breach reasons.

 

Contact Us to help you with user education and compliance documentation.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.