Enterprising Developments

‘Only' 4 Million Records Breached in 2010—That's Good News, By the Way

Joe McKendrick
Insurance Experts' Forum, April 25, 2011

The amount of data lost to online attacks is on the wane, but that's because cybercrooks are opting for smaller, more targeted approaches to getting at corporate data.

Verizon and the U.S. Secret Service released their annual study on data security, observing that while there were a lot of data breaches over the past year, hackers got away with less data. The number of compromised records involved in data breaches investigated by the pair dropped from 144 million in 2009 to “only” 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. 

It appears that cybercrooks are better targeting their efforts. According to the Verizon report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals.

“They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations,” the report says. “For example, only 3% of breaches were considered unavoidable without extremely difficult or expensive corrective action.”

This conclusion matches that of IBM's latest “X-Force 2010 Trend and Risk Report,” which suggests that spam and phishing attacks are leveling off. Also, mobile devices have not been compromised in any big way, yet. The bad news is that IT security threats are getting increasingly sophisticated and targeted.

Based on intelligence gathered through research of public vulnerability disclosures, and on the monitoring and analysis of more than 150,000 security events per second every day of 2010, the IBM X-Force Research team found that more than 8,000 new IT security vulnerabilities were documented—a 27% rise from 2009. Public exploit releases were also up 21% from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.

There were significantly fewer mass phishing attacks relative to previous years, but more targeted techniques are on the rise. “Spear phishing” grew in importance in 2010, as meticulously crafted e-mails with malicious attachments or links became one of the hallmarks of sophisticated attacks launched against enterprise networks. 2010 saw some of the most high-profile, targeted attacks that the industry has ever witnessed.

Verizon and the US Secret Service make the following recommendations for enterprises to keep data secure:

• Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.

• Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.

• Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network. 

• Audit user accounts and monitor users with privileged identities. The best approach is to trust users but verify them: pre-employment screening, limited user privileges and separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.

• Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
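Two of these recommendations, restricting remote access services to known networks and mining event logs for the obvious issues, can be exercised together. The following is an added example written for this article, not code from the Verizon report or from the author: it checks constructed OpenSSH login lines against an allowlist of source networks (the 10.20.0.0/16 and 203.0.113.0/24 ranges, the `PRIVILEGED_USERS` set, and the host name `bastion` are all assumptions for illustration), flags logins from outside those networks and any use of a privileged account, and measures the compromise-to-discovery window from the earliest flagged login to the time the review ran.

```python
import ipaddress
import re
from datetime import datetime

# Source networks permitted to reach remote-access services (hypothetical
# corporate ranges, assumed for this example). A login from anywhere else is
# the "public access" the recommendation says to minimise.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),    # internal VPN pool (assumed)
    ipaddress.ip_network("203.0.113.0/24"),  # managed-services partner (assumed)
]

# Accounts whose use should always be reviewed (assumed list).
PRIVILEGED_USERS = {"root", "dbadmin"}

# Matches an OpenSSH "Accepted" line carrying an ISO-8601 timestamp, e.g.
#   2010-11-03T02:14:07 bastion sshd[2131]: Accepted password for root from 198.51.100.7 port 51022 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_login(line):
    """Return a dict for an accepted SSH login, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev


def is_allowed_source(ip):
    """True if the source address falls inside one of the permitted networks."""
    return any(ip in net for net in ALLOWED_NETWORKS)


def review_logins(lines):
    """Flag the obvious things only: logins from outside the allowed networks
    and any use of a privileged account. One finding per flagged login."""
    findings = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue  # failed attempts, session messages and other noise are skipped
        reasons = []
        if not is_allowed_source(ev["ip"]):
            reasons.append("source outside allowed networks")
        if ev["user"] in PRIVILEGED_USERS:
            reasons.append("privileged account")
        if reasons:
            findings.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "ip": str(ev["ip"]),
                "method": ev["method"],
                "reasons": reasons,
            })
    return findings


def discovery_lag_days(findings, discovered_at):
    """Whole days between the earliest flagged login and the time the review
    ran (an ISO-8601 string); this is the compromise-to-discovery window the
    report wants shrunk from weeks and months to days. None if nothing flagged."""
    if not findings:
        return None
    earliest = min(f["ts"] for f in findings)
    return (datetime.fromisoformat(discovered_at) - earliest).days


# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2010-11-01T08:02:11 bastion sshd[1804]: Accepted publickey for alice from 10.20.4.15 port 50212 ssh2
2010-11-01T08:15:42 bastion sshd[1822]: Accepted password for dbadmin from 10.20.4.40 port 50340 ssh2
2010-11-03T02:14:07 bastion sshd[2131]: Accepted password for root from 198.51.100.7 port 51022 ssh2
2010-11-03T02:14:09 bastion sshd[2131]: pam_unix(sshd:session): session opened for user root by (uid=0)
2010-11-05T17:40:55 bastion sshd[2410]: Accepted publickey for bob from 203.0.113.77 port 40110 ssh2
""".splitlines()

if __name__ == "__main__":
    found = review_logins(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["ip"], "->", "; ".join(f["reasons"]))
    print("discovery lag (days):", discovery_lag_days(found, "2010-11-20T00:00:00"))
```

Run against the sample, the review flags only two of the five lines: the dbadmin login (privileged account, even though it came from an allowed range) and the root login from 198.51.100.7 (outside the allowlist and privileged). Alice and Bob pass unremarked, and the PAM session line is ignored rather than parsed. If the review ran on 20 November, the earliest flagged login is eighteen days old, which is the kind of number the recommendation says to drive down by running this sort of check daily instead of after the fact.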

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe in the comments. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
