Verizon: Watch out for gaps in security practices
By Khoo Boo Leong 30-Jul-2012

Verizon 2012 Data Breach Investigations Report
The IT industry talks more about security than most, if not all, other aspects of IT. Information on high-profile data breaches, such as the recent theft of at least 6.5 million passwords from the LinkedIn network, typically travels far and fast. So, have organizations, especially medium to large ones, established necessary IT security best practices to minimize risks?
"Enterprises generally know about [security] best practices," said Andrew Valentine, managing principal for IRN Forensics at Verizon. "The issue is that enterprises think that they've got the best practices in place but they don't. That's more of an issue than not knowing the typical essential practices, such as having a strong password, up-to-date anti-virus [and regular patching of the operating system]."
Avoidable attacks
Small wonder, then, that 96% of the attacks presented in the Verizon 2012 Data Breach Investigations Report (DBIR) did not require advanced skills or extensive resources, and 97% of the attacks were avoidable without organizations having to resort to difficult or expensive countermeasures.
"The majority of the breaches involve compromised credentials and compromises of single-factor authentication," said Claudio Scarabello, global security product manager at Verizon. "It's not to say that the two-factor authentication is not breakable but the criminals would go the easy route."
The impact of hacktivism stands out in the DBIR. "Traditional organized crime groups accounted for 83% of the cases [of breaches] but only stole 35% of the records," said Scarabello. "However, the 2% to 3% of the cases attributed to hacktivists, bad guys with a seemingly legitimate political agenda, compromised almost 60% of the data, almost double what the organized crime groups did.
"It'll be interesting to see if that's just an anomaly from 2011 or that trend is going to continue. That will open up discussions around the legitimacy of the proposed agenda of these hacktivists. If I am a criminal stealing data for the purpose of making money, I can claim that this is all political, not greed. I am a hacktivist."
Worth and whereabouts of data
The DBIR findings are significant for organizations deploying cloud computing because of two key data-centric concerns: understanding the value of data and knowing where data is stored in the cloud environment.
"Organizations might have very rigorous procedures and security practices in some areas but they don't realize that they're not protecting the assets that are significant," said David Rosengrave, IT solutions practice manager of Verizon Business in Asia Pacific. "So, whether it is a private or hybrid cloud, or whether it is fully outsourced or remote application management, irrespective of the infrastructure or the application, the customer needs to [define or identify the valuable data] in their environment."
In relation to that, the cloud strategy needs to start with the business requirements that motivate the organization to consider the cloud in the first place. "The cloud may not be the only option or end solution for the customer," said Rosengrave. "And we [as the service provider], can discuss not only the business requirements but also the security requirements in the early stages because we've got those consolidated assets of network, security and IT.









