Preventing data breaches is a challenge for IT – but detecting security incidents after they occur can be even harder, according to a recent study.
The majority of breaches aren’t detected until months or even years after they occur, according to a recent report from Verizon.
The study was based on information from 90 data breaches the Verizon RISK team was hired to investigate in 2011. Of the breaches included in the report, nearly 60% weren’t discovered until more than a month after they had initially occurred, with a few even taking more than a year to be detected.
Another disconcerting finding: 77% of breaches weren’t discovered until the company was notified by customers, a law enforcement agency or another external party.
Failing to detect data breaches in a timely manner puts organizations at risk of big losses, as attackers can often continue using open security holes to keep stealing information with ease. In one extreme example, vendor Nortel was the victim of a network breach that lasted nearly 10 years.
To prevent those ongoing breaches, IT should focus not only on preventing data breaches, but also on detecting them when they do happen. Verizon recommends organizations go through a checklist of the most common types of attacks and determine how IT would be able to identify those activities on their company’s network. These were the 10 most common tactics used in the breaches Verizon investigated:
- Exploitation of default or guessable log-in credentials (used in 29% of studied breaches)
- Malware that opens a backdoor for hackers (26%)
- Use of stolen credentials (24%)
- Exploitation of backdoor or command and control channels (23%)
- Use of keyloggers or spyware to capture user activity (18%)
- Sending data to an external site (17%)
- Exploiting system or network utilities (14%)
- SQL injection (13%)
- Capturing data residing on a system (such as a cache or disk) (9%)
- Installing malware (9%)
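As an added illustration of the checklist exercise above (this is not code from the article or from Verizon's report), here is a minimal detection check for the first tactic on the list, exploitation of default or guessable credentials. It assumes sshd-style authentication log lines and flags any source address that records several failed passwords and then an accepted one; the log lines and the failure threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines for the example (not from a real system).
SAMPLE_LOG = """\
Jan 10 02:14:01 web1 sshd[2011]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Jan 10 02:14:03 web1 sshd[2011]: Failed password for admin from 203.0.113.5 port 51023 ssh2
Jan 10 02:14:05 web1 sshd[2011]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 10 02:14:07 web1 sshd[2011]: Failed password for admin from 203.0.113.5 port 51025 ssh2
Jan 10 02:14:09 web1 sshd[2011]: Accepted password for admin from 203.0.113.5 port 51026 ssh2
Jan 10 08:30:00 web1 sshd[2099]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 10 08:30:10 web1 sshd[2099]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the outcome, the user name and the source address of an sshd password event.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def find_guessing_successes(log_text, min_failures=3):
    """Return {source_ip: (failures_before_success, user)} for every source
    that logged at least min_failures failed passwords and was then accepted.

    A burst of failures followed by a success from the same source is the
    classic footprint of a guessed or default credential; the threshold is an
    assumed tuning value, not a number from the report."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a password event; ignore
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= min_failures and src not in hits:
            hits[src] = (failures[src], user)
    return hits


if __name__ == "__main__":
    for src, (count, user) in find_guessing_successes(SAMPLE_LOG).items():
        print(f"{src}: {count} failures, then accepted login as {user}")
```

Feeding real logs through a check like this is one concrete answer to the question Verizon poses: how would IT notice this tactic on its own network, rather than hearing about it from an outside party months later.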