Pratum Blog

According to the 2015 Verizon Data Breach Investigation Report (DBIR) 70% of all attacks had a secondary victim. The primary victim may have been the initial target but not the intended target.

Hackers often attack an organization simply for their computing power and internet access. They want to create botnets utilizing hundreds of thousands of computers, all responding to their command and control system. The hackers then use these botnets to attack their intended victim. They overwhelm victims with denial of service attacks and brute force attacks against passwords or websites.

It’s not always easy to tell if the secondary victim was the intended target or just unlucky. It is safe to say though that the lack of information security at one organization can have profound effects on another organization. You may believe your company is so small and insignificant that no hacker would be interested in its intellectual property or the cash in its bank account. And that might be correct. However, that doesn’t mean that you are not a target.

Small to medium sized organizations are often used as a conduit to hack others. Even these attacks have an impact on your company’s IT systems. There will be damage and cleanup costs. There may be downtime. You may have bad publicity. While the case law is still pretty vague on upstream liability, you could even be sued for allowing your network to be used in an attack on others.

The reality is that every organization is a target. Big and small, rich and poor, public and private. Everyone has something of value to a hacker. You must implement information security measures that address this threat.

For information on Internal Security Zones read this blog article.

70-90% of malware samples are unique to an organization.

In our continuing series on highlights from the 2015 Verizon Data Breach Investigation Report (DBIR) we’re going to discuss a malware statistic. 70%-90% of all malware used in a data breach was unique to an organization. According to the DBIR, this does not mean it was targeted to the organization, simply that it was unique.

Anti-malware tools rely on both identical signatures and heuristic scanning to identify malware files. Heuristic scanning is complicated. It attempts to identify patterns that are similar to, but not exactly the same as, known malware files or behaviors. The problem is, there can be good files caught in those scans as well.
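To make the signature-versus-heuristic distinction concrete, here is an added example (not code from the original post or from Pratum) that scans three constructed byte strings standing in for files: a known sample, a repacked variant of it, and a benign admin script. The exact-hash signature catches only the known sample, while the heuristic catches the variant but also flags the benign file, which is the false-positive problem described above. The rule patterns and weights are illustrative assumptions.

```python
import hashlib
import re

# Constructed sample "files" (plain bytes, not real binaries or real malware).
KNOWN_MALWARE = b"MZ\x90\x00 evil dropper v1 powershell -enc ..."
REPACKED_VARIANT = b"MZ\x90\x00 evil dropper v1 powershell -enc ... #padding"
BENIGN_ADMIN_TOOL = b"MZ\x90\x00 backup helper: powershell -enc scheduled task"

# Signature scanning: an exact SHA-256 match against a blocklist of known samples.
# Any byte-level change (repacking, padding) produces a new hash and a miss,
# which is why per-organization "unique" malware slips past signatures.
SIGNATURE_DB = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

def signature_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB

# Heuristic scanning: weighted traits that look like known-bad behaviour.
# Weights and patterns are assumptions for the example, not a vendor's rules.
HEURISTIC_RULES = [
    (re.compile(rb"powershell\s+-enc", re.I), 2),  # encoded PowerShell launch
    (re.compile(rb"dropper", re.I), 2),            # self-describing payload string
    (re.compile(rb"scheduled task", re.I), 1),     # persistence-style wording
]
THRESHOLD = 3  # flag when the accumulated score reaches this value

def heuristic_score(data: bytes) -> int:
    return sum(weight for pattern, weight in HEURISTIC_RULES if pattern.search(data))

def heuristic_match(data: bytes) -> bool:
    return heuristic_score(data) >= THRESHOLD

def scan(data: bytes) -> dict:
    """Return the verdict of each engine so the two can be compared side by side."""
    return {"signature": signature_match(data), "heuristic": heuristic_match(data)}

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_MALWARE),
                         ("variant", REPACKED_VARIANT),
                         ("benign", BENIGN_ADMIN_TOOL)]:
        print(name, scan(sample), "score =", heuristic_score(sample))
```

The benign admin tool scores exactly at the threshold, so tuning the weights or threshold trades missed variants against false positives; neither engine alone gives a clean answer.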

You will hear some information security professionals say anti-malware software is no longer effective, but don’t believe it for a second. The amount of malware detected and stopped on a daily basis is still significant. Just think of all the data breaches we would hear about if those attacks were successful.

This simply shows that defense in depth is critical to ensure information security. Relying on anti-malware software for your entire information security program is foolish. You need to do egress filtering on your firewall, implement intrusion detection or prevention systems (IDS/IPS) in your network core and have a good backup strategy. Let’s look at it from this perspective: No matter how healthy you are and how many flu shots you get, you may still get the flu bug once in a while. Likewise, even well-managed and protected networks will get a “flu” bug from time to time.

The 2015 Verizon Data Breach Investigation Report (DBIR) has been published. If you are at all interested in information security and the current state of data breaches, you should give it a quick read. Over the next few postings, we’ll point out some of the highlights from the report.

2015 Data Breach Investigations Report - Verizon

First up, system patching. The DBIR report shows that 99% of all exploits used to compromise systems were greater than 1 year old and had patches available. Sorry folks, there is simply no excuse for allowing systems to go more than a year without patching them against critical vulnerabilities. I’m not advocating for the “patch it within 48 hours” camp here but how about 48 days. Given the report, even 48 weeks would work.

Let’s face it, cyber attacks are not going away. Think of it like this. Patching is to information security what vaccinations are to public health. By being vaccinated, not only do you reduce the chance you’ll contract a specific disease, you ensure you’re not a carrier and will not pass it along to others. When we patch our systems, we ensure they will not be compromised by a particular threat and used to compromise others in the process.

We need to implement strong patch management policies and procedures. The best of intentions are just that, intentions. If we truly care about information security, a defined and repeatable process must be used to identify vulnerabilities and implement the appropriate patch. Only then can we say we are serious about information security and working to eliminate data breaches.
