Report Finds Almost All Attacks Could Have Been Prevented
Verizon found that 97 percent of breaches it studied could have been avoided by "simple and intermediate controls," according to a security report released today.
The report also found that 58 percent of these breaches were done by online "hacktivists" -- those who attacked in social protest, retaliation, activism or simply to pull a prank on unsuspecting users. Verizon's report indicated that it's harder to prepare for the next attack in cases where the hacks weren't done for monetary gain.
"Doubly concerning for many organizations and executives was that target selection by these groups didn't follow the logical lines of who has money and/or valuable information," said the report. "Enemies are even scarier when you can't predict their behavior."
Many of the 97 breaches -- especially those that came from hacktivists -- could have been avoided if users kept in mind that anyone who is online is always susceptible to attack, said Rapid7's security researcher Marcus Carey.
"Bottom line: if you are vulnerable you can expect to be exploited," said Carey. "The good news though is that this also means organizations can significantly reduce their risk through proper vulnerability management, educating users, and implementing network-based access control lists."
As for the types of attacks used, Verizon found that incidents that utilized a hacking tool or skill constituted 81 percent of attacks, with 69 percent of those attacks employing the help of malware to pull off the breach.
Verizon said the types of attacks used have changed little over the past few years because hackers continue to get the same results with known attack vectors.
"We have seen nothing new," said Verizon analyst Marc Spitler. "Some of the old standbys are continuing to work very well for the people going after information."
While Verizon found that the majority of incidents studied were caused by hacktivists, it noted that the more traditional attacks from criminal organizations were focused on smaller corporate targets in 2011. The report found that attacks on businesses in the accommodation and food service industries made up 54 percent of the 855 breaches studied. It found that 85 percent of those businesses employed fewer than 1,000 personnel.
"Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well," the report explained. "Thus, the number of victims in this category continues to swell."
Attacks against small corporations consist mostly of using malware and finding vulnerabilities in Web sites. By contrast, when larger companies are attacked, the hacks tend to be done using phishing and social engineering.
It's important to note that Verizon only studied breaches that were reported to local and federal law enforcement agencies. The report acknowledged that a majority of attacks, especially against large corporations, are never disclosed.