aitp-verizon data breach 2009
DESCRIPTION
Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted Attacks, Organized Crime Involvement
Nearly nine out of 10 breaches were considered avoidable if security basics had been followed. Most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach. During the presentation we will discuss key findings and simple actions that, when done diligently and continually, can reap big benefits. The report is based on the combined findings of nearly 600 breaches involving more than a half-billion compromised records from 2004 to 2008.
TRANSCRIPT
A study conducted by Verizon Business
Brief by Hosam W. El Dakhakhni, CISSP, CISM, CISA, CIA, CGEIT
2009 DATA BREACH INVESTIGATIONS REPORT
This brief will cover the following:
• My Conclusions
• Quick Facts
• Key Highlights
• Findings, Conclusions, and Countermeasures
• TVM - Doing More For Less
• Summary of Recommendations
• Q & A
QUICK FACTS
All results are based on firsthand evidence collected during 90 data breach investigations occurring in 2008, conducted by Verizon Business.
Only confirmed breaches are included (not "data-at-risk").
Most of the statistics presented refer to the percentage of cases, the percentage of records breached, or simply the number of cases.
The authors make no claim that the findings of this report are representative of all data breaches in all organizations at all times.
Roughly 20 percent of cases involved more than one breach.
Nearly half of the caseload had distinct patterns and commonalities.
A little over 1/3 of the cases were made public (so far).
KEY HIGHLIGHTS
FINDINGS, CONCLUSIONS, AND COUNTERMEASURES
• Align process with policy
• Achieve "Essential" then worry about "Excellent"
• Secure business partner connections
• Create a data retention plan
• Control data with transaction zones
• Monitor event logs
• Create an incident response plan
• Increase awareness
• Engage in mock incident testing
• Changing default credentials is key
• Avoid shared credentials
• User account review
• Application testing and code review
• Smarter patch management strategies
• Human resources termination procedures
• Enable application logs and monitor them
Hosam W. El Dakhakhni, CISSP, CISM, CISA, CIA, CGEIT
Principal - R!SC
Visit us at www.it-risc.com
Contact us at [email protected]