Verizon: Watch out for gaps in security practices
By Khoo Boo Leong 30-Jul-2012
"Enterprises generally know about [security] best practices," said Andrew Valentine, managing principal for IRN Forensics at Verizon. "The issue is that enterprises think that they've got the best practices in place but they don't. That's more of an issue than not knowing the typical essential practices, such as having a strong password, up-to-date anti-virus [and regular patching of the operating system]."
"The majority of the breaches involve compromised credentials and compromises of single-factor authentication," said Claudio Scarabello, global security product manager at Verizon. "It's not to say that the two-factor authentication is not breakable but the criminals would go the easy route."
The impact of hacktivism stands out in the DBIR. "Traditional organized crime groups accounted for 83% of the cases [of breaches] but only stole 35% of the records," said Scarabello. "However, the 2% to 3% of the cases attributed to hacktivists, bad guys with seemingly legitimate political agenda, compromised almost 60% of the data, almost double what the organized crime groups did.
"It'll be interesting to see if that's just anomaly from 2011 or that trend is going to continue. That will open up discussions around the legitimacy of the proposed agenda of these hacktivists. If I am a criminal stealing data for the purpose of making money, I can claim that this is all political, not greed. I am a hacktivist."
Worth and whereabouts of data
"Organizations might have very rigorous procedures and security practices in some areas but they don't realize that they're not protecting the assets that are significant," said David Rosengrave, IT solutions practice manager of Verizon Business in Asia Pacific. "So, whether it is a private or hybrid cloud, or whether it is fully outsourced or remote application management, irrespective of the infrastructure or the application, the customer needs to [define or identify the valuable data] in their environment."
In relation to that, the cloud strategy needs to start with the business requirements that motivate the organization to consider the cloud in the first place. "The cloud may not be the only option or end solution for the customer," said Rosengrave. "And we [as the service provider] can discuss not only the business requirements but also the security requirements in the early stages because we've got those consolidated assets of network, security and IT.