Verizon Business Security Services (formerly Cybertrust) recently released the 2008 Data Breach Investigation Report. The report is based on 500 forensic cases handled by Verizon from 2004-2007, which were then analyzed, compiled, and published as an overview of how the data breaches actually occurred.

Some interesting findings from the report are as follows:

  • 87% of the security breaches could have been avoided with basic security measures
  • Two-thirds of the cases involved data that the organization did not know was present on the system
  • 39% of the breaches involved business partners

Verizon Business has released a white paper about the report here.

Now, what is interesting about the report is the fact that, while information security as a discipline has come a long way, the real world doesn't seem to move forward. I mean, attack methodologies have evolved a long way, from simple buffer overflows in code to the latest DNS insecurity flaw, from platforms to applications, from macro viruses to phishing, but the real deal is still the same: basic security measures have not been applied. Most of the attacks still involve known vulnerabilities that have been published, with patches available for months, and yet they are still exploited and breaches occur. How does that happen?

Apparently, with all the new technologies the industry has provided, there hasn't been a significant change in the way people approach security. People are still chasing the ghost, spending millions and millions on information security year after year, and the bad guys still manage to come in through the same doors. So what, are we doing things wrong?

Maybe we're not doing things wrong; we're just putting our efforts in the wrong place. Maybe we're so busy chasing the new buzz every day, worrying about new methods, new vulnerabilities, and new security products, that we forget to do the basics: default deny, least privilege, and essential services.

And if we look back, isn't all that security hype actually just that? Default deny? Least privilege? Essential services?