In an earlier post, I mentioned that the tech industry is trending toward a wider variety of access devices (PCs, laptops, pads, smartphones, etc.) and a rise in cloud-based services and data storage. You probably heard someone talking about those trends twice before breakfast today, so I’ll consider that point made and move on.
I recently came across an article talking about the decentralization of workers – people doing jobs that were once thought of as in-person-only but that are now done remotely. One example cited was a golf pro who would have clients send video of their swing and would offer feedback, without ever meeting face-to-face. So now we can work from wherever we are (BTW, if you need me tomorrow, I’ll be by the pool near cabana 3), but what does that mean for the security of our data?
Well, if you've read anything about or from Juniper in the past week, then you’ve probably seen this one:
“In a survey of 583 U.S. businesses, released this week by Juniper Networks Inc., fully 90% of respondents said their company fell victim to a cyber attack in the past year, costing each an average of US$500,000 to overcome.”
(That quote was taken from the Financial Post article attributed above, but if you don’t like that one I could probably find ten different online sources that are sharing that survey… it was disturbing to say the least!)
That gives us confirmation that we can work insecurely anywhere – now I definitely need a drink. But how serious are these guys? What level of genius do we need to throw at them to protect ourselves?
For the answer to that question, we’ll turn to our good friends at Verizon. Every year they publish some summary results of their data breach investigations; for 2011 they teamed up with the US Secret Service and the Dutch High-Tech Crime Unit… I think that’s enough mental horsepower going into one report that we should pay attention, no?
The report is a pretty good read and has some interesting statistics – in 83% of their breach investigations the victims turned out to be “targets of opportunity” for the hackers who attacked them, and 92% of attacks were “not highly difficult” (targets of opportunity + not highly difficult = mostly drive-by hacking rather than focused efforts to take down particular companies). Most of the breaches were in smaller organizations (10-100 employees), and 83% were attacks by purely external entities (no internal/partner component).
The highlight for me is actually a comment posted by the author following the online article (not contained within the report) where he says 'The classic example of an “essential control” that is often neglected is changing default credentials. We’ve been citing this for several years now and everyone receives that like “duh – of course we do that.” However, the fact of the matter remains that it was the #1 method of intrusion in 2008, top 5 in 2009, and #1 in 2010. Taking these “no brainers” and making sure implemented (sic) with “no exceptions” can be monotonous and boring work, but we’ve come to believe it pays off.'
Yep, it’s still the same old story – patch your systems and change your passwords regularly. Continue to update your security systems, use defense-in-depth, periodically refresh your security architecture and all that good stuff, but DON’T FORGET THE BASICS. It’s not sexy and it’s not exciting, but it still works.