Data breaches exploit configuration errors, not software vulnerabilities

Verizon study didn't detect a single data breach in 2009 that exploited a patchable vulnerability, which calls patching practices into question

Hackers appear to be increasingly counting on configuration problems and programming errors rather than software vulnerabilities in order to steal information from computer systems, according to a new study from Verizon.

Verizon issues an annual report on data breaches, but this year had access to statistics related to investigations done by the U.S. Secret Service, which the company said broadened the scope of its analysis. For 2009, that covered 141 cases involving 143 million records.

Verizon said it found that a surprising and "even shocking" trend is continuing: There are fewer attacks that focus on software vulnerabilities than attacks that focus on configuration weaknesses or sloppy coding of an application.

In 2009, there was not a "single confirmed intrusion that exploited a patchable vulnerability," the report said. The finding has caused Verizon to question whether patching regimes -- while important -- need to be done more efficiently given the trend in how attacks are occurring.

"We've observed companies that were hell-bent on getting patch x deployed by week's end but hadn't even glanced at their log files in months," the report said. "This kind of balance isn't healthy. Therefore, we continue to maintain that patching strategies should focus on coverage and consistency rather than raw speed."

In other findings, some 97 percent of the malicious software found to have stolen data in 2009 was customized in some way. For example, the malware was tweaked to evade detection by security software or new features were added, such as encryption for stolen information. That doesn't bode well for companies, Verizon said.

"As a defender, it's hard not to get a little discouraged when examining data about malware," the report said. "The attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above."

Organized criminal gangs proved to be a major force in data breaches, pooling their resources and expertise in credit-card data scams and others. It can be difficult to pinpoint the exact source of attacks, since hackers often hide their tracks by working through remote computers that they've taken over. Even so, investigators and law enforcement agencies still have a rough idea of where the hackers are operating from by using other information.

"Most organized criminal groups hail from East Europe, while unidentified and unaffiliated persons are often from East Asia," the report said.

Send news tips and comments to jeremy_kirk@idg.com.
