Shared infrastructure increasingly linked to data breaches: Verizon Business

Australian businesses should avoid using shared infrastructures when storing, processing or transmitting sensitive data, the company warns

The use of shared infrastructure between different organisations has been a major cause of data breaches within Australia in the past year, according to Verizon Business.

Discussing the findings of its Data Breach Investigations Report for 2009, carried out in conjunction with the United States Secret Service (USSS), Verizon Business Investigative Response APAC managing principal, Mark Goudie, said there had been a trend shift from data breaches caused by undetectable customised malware to ones related to shared infrastructure.

“There has been a significant number of cases that occurred due to shared infrastructures,” Goudie said. “This is not a virtualised infrastructure, but shared infrastructure where servers are shared between different organisations.”

The respondents also indicated there had been a number of attacks that came in through unrelated company websites which were then able to affect customers’ web infrastructure through shared file systems.

“Australian businesses should avoid using shared infrastructures when storing, processing or transmitting sensitive data,” Goudie said by way of advice to organisations seeking to protect themselves from data breaches.

The report also indicated that data was most often lost through a series of simple mistakes and not through zero-day vulnerabilities or ‘advanced persistent threats’, a term used to refer to a long-term pattern of targeted hacking attacks.

“If the security basics are performed everywhere consistently, the chances of being the next victim of a data breach are slim,” Goudie said.

As an example, Goudie claimed some 86 per cent of organisations suffering a data breach had evidence of that breach in their own log files. However, only three per cent of these victims found this evidence of their own accord.

“Organisations need to properly review their log files or outsource this function to a specialist to alert them to the threats,” he said. “By doing this properly, it would either minimise the impact of the data breach event or may even prevent the data breach from happening in the first place.”

If outbound connections from enterprises were filtered, Goudie argued, many recorded data breaches would not be possible.

“Filtering outbound connections makes the hacker's life a lot more difficult and in our experience if it is more difficult to extract data the hacker tends to move on to a softer target,” he said.

Goudie added that the report, plus the tripling of Verizon’s Australian data breach case load from 2008 to 2009, could be read as an argument for the introduction of mandatory data breach disclosure laws – something fellow security vendor Symantec has been involved in with the Federal Government.

“Mandatory data breach disclosure laws would increase the visibility of Australian consumers who are affected by data breach incidences,” he said. “Very few Australian data breaches in our case load are publicly disclosed.”

In May 2009, the Payment Card Industry (PCI) Security Standards Council warned a lack of financial penalties and a mandate to publicly admit data breaches may be clouding the real state of credit card payment and customer information security in Australia.
