Data breach study makes security recommendations
Published in CSP Daily News
NEW YORK -- Retailers are failing to take basic steps to secure customer data and can do relatively simple things to reduce their exposure, according to researchers with Verizon Communications Inc., which published its fifth annual "Verizon 2012 Data Breach Investigations Report" yesterday.
Midsized companies are particularly at risk, said Chris Novak, managing principal of investigative response for the New York City-based Verizon. "Sometimes the ones in the middle have a bigger challenge than most," Novak told CSP Daily News. "Smaller operators with only one or two stores can keep an eye on things more directly, while those with hundreds of stores have IT departments. The folks in the middle category struggle."
At many companies, Novak said, "Basic things are not happening; firewalls are not there. Default credentials like 'admin' or 'password' are still in place and make entry into the system easy for an experienced hacker."
Sometimes retailers just don't know where the data resides. For instance, an employee could have numbers coming to him or her for a routine report. That data may not be secure. "Sometimes people start by doing an inventory of their data--what data do they have and where does it live?" Novak said, noting how retailers are often frustrated by the process. "Some will try to tackle big problems first when they could have tackled hundreds of simpler things."
Pumps and ATMs are of particular concern because hackers can attach fake card-swipe devices that steal credit-card numbers. Reducing risk can be as simple as routinely checking the pumps and ATMs for strange devices.
"The report demonstrates that unfortunately, many organizations are still not getting the message about the steps they can take to prevent data breaches," said Wade Baker, Verizon's director of risk intelligence. "This year, we have segmented our recommendations for enterprises and small businesses in the hope that this will make our suggestions more actionable. Additionally, we believe greater public awareness about cyber threats and user education and training are vitally important in the fight against cybercrime."
Recommendations for Enterprises:
1. Eliminate unnecessary data. Unless there is a compelling reason to store or transmit data, destroy it. Monitor all important data that must be kept.
2. Establish essential security controls. Organizations must ensure that the proper security controls are in place and that they are functioning correctly. Monitor security controls regularly.
3. Place importance on event logs. Monitor and mine event logs for suspicious activity—breaches are usually identified by analyzing event logs.
4. Prioritize security strategy. Enterprises should evaluate their threat landscape and use the findings to create a unique, prioritized security strategy.
Recommendations for Small Organizations:
1. Use a firewall. Install and maintain a firewall on Internet-facing services to protect data. Hackers cannot steal what they cannot reach.
2. Change default credentials. Point-of-sale (POS) and other systems come with pre-set credentials. Change the credentials to prevent unauthorized access.
3. Monitor third parties. Third parties often manage firewalls and POS systems. Organizations should monitor these vendors to ensure they have implemented the above security recommendations, where applicable.
Now in its fifth year of publication, the report covers 855 data breaches involving 174 million stolen records--the second-highest data loss that Verizon has seen since it began collecting data in 2004. Verizon was joined by five partners that contributed data to this year's report: the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.
Verizon, through its Terremark subsidiary, helps organizations protect their data. The company does this through a suite of security services--including governance, risk and compliance solutions; identity and access management solutions; investigative response; data protection services; threat management services; and vulnerability management services--delivered in the cloud or on premises.
Verizon Communications Inc., New York, delivers broadband and other wireless and wireline communications services to consumer, business, government and wholesale customers. Verizon Wireless operates a wireless network with nearly 108 million total connections nationwide. Verizon also provides converged communications, information and entertainment services over a fiber-optic network, and delivers integrated business solutions to customers in more than 150 countries.