Breach Stats Prompt Need For Vulnerability, Configuration Assessment: Report


While attackers are using malware-laden email and often targeting Web application vulnerabilities, the Verizon report concluded that organizations need to eliminate "sloppy configurations, needless services and exposed vulnerabilities." The firm acknowledged that its data may be underreporting configuration weaknesses. Server misconfiguration, mundane mistakes and glitches leveraged by attackers are rarely investigated or reported, the firm said.

Enterprise IT teams need to get back to the basics of understanding what is on the network and whether it is configured properly, said Ron Gula, CEO of Tenable Network Security. Configuration and vulnerability management goes a long way to solving the most prevalent problems, Gula said.

"A lot of organizations can't tell you if the configuration of their routers and switches is appropriate, let alone the status of all the desktops and other devices on the network," Gula said. "The industry needs to move to more of a real-time basis for vulnerability analysis if we're going to make strides in getting it right."

More proactive network monitoring should also be a priority, experts say. The Verizon analysis found that 66 percent of the compromised incidents took months or more to discover, up from 55 percent in 2011 and 41 percent in 2010.

Detecting a breach is not a problem that can be solved with pure technology, said Jim Butterworth, chief information security officer at Sacramento, Calif.-based security firm HBGary.

"I think that a lot of companies are expecting that they can go out and buy an Easy Button and put it in place and it will work," Butterworth said. "We're dealing with determined adversaries, and their intentions are no longer strictly financially motivated."

The Verizon report recommends organizations apply, in large part, the "20 Critical Security Controls," a document that outlines key security initiatives being employed by federal agencies and agreed upon by a consortium of security experts as an effective way to mitigate serious risks.

Employees may also be part of the answer, the Verizon report suggests. Training to help employees recognize phishing emails and better monitoring for malicious websites when employees click on links could be effective, according to the report. Employees can also spot suspicious behavior before it becomes a serious problem.

The Verizon breach analysis shouldn't be a big surprise to any security professionals, said Amit Yoran, senior vice president and general manager of the security management and compliance business unit at RSA. Most networking security appliances fail to gain visibility, especially when attackers are gaining access to networks with valid credentials, Yoran said.

"It perhaps supports the realization made by many of us in the industry that more traditional approaches to monitoring are not getting the job done; current technologies are not capable of detecting rapidly evolving threats," Yoran said, adding that enterprises depend far too much on intrusion detection systems that heavily rely on signatures to detect threats. "Technology by itself won't solve these problems because it's about appropriate processes and the right technology that empowers people and can scale to rapidly address threats."

PUBLISHED MAY 1, 2013