Security firm Imperva examined attack trends across 40 applications and monitored millions of attacks that targeted web applications for the six-month period spanning June through November of last year. The firm found that attackers like to target five relatively common application vulnerabilities: remote file inclusion, SQL injection, local file inclusion, cross site scripting and directory traversal attacks. The majority of these attack vectors have been significant problems for years.
Rafal Los, chief security evangelist, HP Software Worldwide, says the industry's inability to rid itself of lingering and well-understood software vulnerabilities isn't a problem due to lack of technology. "It's now a behavioral problem. Development organizations have more resources than ever to create a rational, security-infused software development lifecycle (SDLC) which doesn't 'bolt-on' security at the very last stages," says Los. "Until security becomes a fundamental business objective, the behaviors that today lead to things like SQL injection will continue. We need to "hack" the business relationship - from there I firmly believe things will finally start to get better."
However, many (perhaps most) breaches aren't necessarily due to attacks against software applications -- as trivial as they are for most cyber-criminals. A survey of 500 IT professionals (who primarily report directly or indirectly to the CIO or the CISO) found that 60 percent of respondents report that customer data that was lost or stolen was not even encrypted. Also, the most common types of data breaches include email at 70 percent, credit card or bank payment information, 45 percent, and social security numbers at 33 percent. Also, not surprising, when organizations were actually able to determine the cause of a breach -- the most common culprit was the negligent insider at 34 percent, while 19 percent say it was the outsourcing of data to a third party and 16 percent saying a malicious insider was the main cause.
Perhaps most sobering, only about half of IT professionals believed their organizations made their best effort to protect information they hold about their customers. And when it came to mitigating the damage associated with a breach, protecting customers didn't make the highest spot on the incident response list -- lawyering up did. In total, 56 percent of respondents retained outside legal counsel, while carefully assessing the harm to victims as a result of the breach came in at 50 percent.
As for understanding the impact of the breach, the Experian study did provide some good news: 66 percent of respondents said that the experience gained from investigating the cause of the breach will help the organization in determining the causes of potential future breaches. Also, following the data breach, 61 percent of respondents said their organizations increased the security budget and 28 percent hired additional IT security staff.
Eric Cowperthwaite, chief security officer for Providence Health and Services agreed that a breach can create an opportunity for an organization to take a risk management gut check and move forward constructively. "Many times, if organizational leadership chooses to learn from the experience, a security breach can be a turning point for the security team," says Cowperthwaite. "It can be the time that forces an enterprise to make the right investments in people, process, and the technology they need."
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.
Read more about network security in CSOonline's Network Security section.