The 2011 Verizon Data Breach Investigations Report is out. Yeah, yeah, yeah – yet another report telling us what a bad state of security we’re in and that we need to fix all sorts of things in IT. Okay, I’m not going to complain too much because it does help generate business and keep us all employed. But there’s one thing in particular that stands out in this year’s report that I want to bring up. It’s something that I’ve been ranting, evangelizing and sometimes yelling at the top of my lungs about for years: the bad guys are targeting low-hanging fruit. In other words, the hackers and malicious insiders are exploiting the obvious security flaws that harried network admins and security managers are overlooking.

According to the report:
“Unfortunately, breaching organizations still doesn’t typically require highly sophisticated attacks, most victims are a target of opportunity rather than choice, the majority of data is stolen from servers, victims usually don’t know about their breach until a third party notifies them, and almost all breaches are avoidable (at least in hindsight) without difficult or expensive corrective action.”

The thing is, so many people get so deep into the technical minutiae that they end up overlooking the all too obvious flaws. And why wouldn’t the bad guys go after these basics? They’re everywhere! Not a single security assessment goes by where I don’t find glaring weaknesses in and around the basics of information and application security. I suppose this is one of the reasons why independent information security assessments and audits are so popular. People like myself – including many users of Acunetix Web Vulnerability Scanner – can come in with a fresh perspective and go about finding security vulnerabilities in an unbiased manner. It’s a way around the problem of not being able to see the forest for the trees.

This still doesn’t really explain why so many of us can’t get our arms around the essentials. Is it lack of management support? Not having developers on your side? General apathy? There’s an array of factors and almost every situation is different. What I do know is that you have to focus your efforts on stopping the bleeding first. It’s the concept of basic triage that first responders around the world use to focus on their highest-payoff tasks. Go for the low-hanging fruit – the quick-fix items that are going to provide a lot of payoff for your security efforts and investment. Once you get your arms around the basics, then you go about drilling down and tightening things up in more niche areas.
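Stated as code, here is one way to run that triage over a pile of scanner findings. This is an added example, not code from the original post and not part of Acunetix Web Vulnerability Scanner: the findings are constructed sample data with hypothetical host names, and the severity and effort weights are assumptions to be tuned for your environment, not a published scoring scheme. Each finding is ranked by payoff per unit of fix effort, with internet-facing exposure doubling the payoff, so a quick fix to an exposed, high-severity weakness lands at the top; a greedy pass then picks what fits into a fixed effort budget, which is the “stop the bleeding first” list.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed relative weights (not a published scheme): tune for your organisation.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Relative cost to fix: "quick" is a config change, "project" needs real engineering.
EFFORT_WEIGHT = {"quick": 1, "moderate": 3, "project": 8}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str          # one of SEVERITY_WEIGHT
    internet_facing: bool  # reachable from outside the perimeter
    fix_effort: str        # one of EFFORT_WEIGHT

    def __post_init__(self) -> None:
        # Fail loudly on a typo in the scanner export rather than mis-ranking it.
        if self.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.fix_effort not in EFFORT_WEIGHT:
            raise ValueError(f"unknown fix effort {self.fix_effort!r}")


def payoff(f: Finding) -> float:
    """Risk reduced per unit of effort; higher means fix it sooner."""
    score = SEVERITY_WEIGHT[f.severity]
    if f.internet_facing:
        score *= 2  # an exposed weakness is a target of opportunity
    return score / EFFORT_WEIGHT[f.fix_effort]


def triage(findings: Iterable[Finding]) -> List[Finding]:
    """Order findings so the highest payoff per effort comes first."""
    return sorted(findings, key=payoff, reverse=True)


def stop_the_bleeding(findings: Iterable[Finding], effort_budget: int) -> List[Finding]:
    """Greedy pick of the best-payoff items that fit within an effort budget.

    Items are taken in triage order; anything that does not fit the remaining
    budget is skipped so a cheaper, lower-ranked fix can still be used.
    """
    chosen: List[Finding] = []
    remaining = effort_budget
    for f in triage(findings):
        cost = EFFORT_WEIGHT[f.fix_effort]
        if cost <= remaining:
            chosen.append(f)
            remaining -= cost
    return chosen


# Constructed sample findings (hypothetical hosts), not real scan output.
SAMPLE_FINDINGS = [
    Finding("www.example.test", "Default credentials on admin console", "critical", True, "quick"),
    Finding("www.example.test", "SQL injection in search parameter", "high", True, "moderate"),
    Finding("files.corp.test", "Missing vendor patches on file server", "high", False, "quick"),
    Finding("www.example.test", "Weak TLS configuration", "medium", True, "quick"),
    Finding("files.corp.test", "Directory listing enabled", "low", False, "quick"),
    Finding("www.example.test", "Session handling redesign", "high", True, "project"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{payoff(f):5.2f}  {f.host:18} {f.title}")
    print("fix this week:", [f.title for f in stop_the_bleeding(SAMPLE_FINDINGS, 5)])
```

Note what the ranking does to the session-handling redesign: it is a high-severity, internet-facing issue, yet it drops below the quick TLS and patching fixes because its payoff is spread over a large effort. That is the point of triage; it is not a reason to drop the redesign, only to schedule it after the bleeding has stopped.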

On a side note, there are people out there who believe that Web vulnerability scanners such as Acunetix Web Vulnerability Scanner aren’t “good enough” because all they focus on is the low-hanging fruit. Maybe this is true to an extent if all you do is rely on the results of an automated scan and nothing else. However, by and large, these tools are getting much, much better at finding more complex application security issues. One thing’s for sure: if you don’t use an automated Web vulnerability scanner, you’re going to overlook a ton of stuff. There’s just not enough time or expertise available to find every single thing that counts manually. Sure, I’ll continue to rant about people relying on automated scanners and not doing their due diligence with manual analysis, but since so many obvious issues are still being overlooked, we have to use automated scanners to find where we’re bleeding.

In the end you have to do what’s best for your business given your unique situation.

Consider doing this: for the next six months, forget about what the security analysts are saying, ignore what the security researchers are ‘sploitin and don’t buy into the scare tactics that many of the vendors are selling. Instead focus on the information security basics – the obvious flaws that need to be fixed now. Use your vulnerability scanners, tighten up the security essentials and see what happens. Just do it for six months, maybe until the end of the year. If you do this – and stick with it – I guarantee you that you’ll make HUGE strides in your information security program and greatly decrease the chances that your business will end up as a statistic in the 2012 Verizon Data Breach report.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.