This week was awash with new studies that generated a great deal of buzz about what’s right, and what’s not so right, about current security practices. For those of you who haven’t seen the reports yet (or don’t have the desire to read through 90-page documents), here’s a quick breakdown.
Releasing its annual Data Breach Investigation Report, Verizon found that most of the data breaches they encountered (74% to be exact—up 1% from last year) were caused by external sources. They also found that almost all of the breached records in 2008 were electronic, meaning that most of these records were compromised from servers and applications (ISC).
Publishing its Global Internet Security Threat Report for 2008, Symantec found that “[w]ebsites are at the top of the list of media used for the distribution of malware; the implementation of those malware is automated on websites using similar platforms, code or vulnerabilities, such as XSS; very often those vulnerabilities are classified with a medium risk and are not subject to rapid updates.” (Which just happens to sound an awful lot like our “Why Intranets Aren’t As Safe As Everyone Thinks They Are” post.) Symantec also found that malware and phishing have upped the number of online threats by 165% (DigitalCrime).
And lastly, the Computing Technology Industry Association (CompTIA) discovered what we had already concluded: People are the biggest security vulnerability of all time. According to DarkReading’s recap, the study found that “[w]hile most U.S. respondents still consider viruses and malware the top threat, more than half (53 percent) attributed their breaches to ‘human error,’ while only 47 percent attributed them to technical malfunction.”
There’s no denying that these studies quote a lot of nice stats, and it’s always good to have some documented reminders of why strong security is important, but all of these studies lead back to one very simple thing: Getting back to security basics.
While getting back to security basics won’t fix all of the problems found in these studies, it would fix the majority of them, because honestly, a lot of the suggestions made in these studies are very basic things that form the foundation of good security practices.
For example: In the Verizon study, they tell people to change their default passwords, review user accounts, patch systems and keep them up to date, and monitor logs. In the CompTIA study, they say that there is too much reliance on typical security tools like firewalls.
The thing about these studies is that they’re not showing us anything new: In essence, it’s just the same stats year after year, only with slightly different numerals and percentages. Most of these surveys just lead us back to the basics we’ve known for many years, like “run anti-malware and keep it up to date” or “label your data and segment it,” like we happened to talk about in our last post.
So instead of getting more fancy technology that doesn’t seem to work, let’s focus on getting ourselves—and our co-workers—to make smart security choices through developing good security habits. Because while firewalls and other security tools might catch some of the problems, they’re no replacement for the best tool of all: Ourselves.
If you’re looking to get back to the heart of security basics, SANS has the perfect event for you in the form of their “Application Security Workshop — What Works?” on April 29th. The workshop will cover the best ways to counter common attacks through general know-how, products, services, and configurations. If you’re interested, visit the SANS section of our Help Us Help You page to sign up for this workshop.