by Constantine von Hoffman

State-of-the-Art Hack Attacks Are Not the Problem

Apr 10, 20122 mins
CybercrimeData and Information SecurityData Breach

Most data breaches are not sophisticated and could be avoided by using security protocols that are already in place, according to new research from Verizon.

You don’t have to be very smart to be a black hat hacker. That’s the conclusion of a new report out from Verizon which found that the bad guys used relatively simple methods for 97 percent of data breaches last year.

For the most part cybercriminals seem to behave like their real world counterparts. They are looking for easy prey and not targeting a particular company. Nearly 80 percent of victims became victims because they were found to possess an often easily exploitable weakness. As the 2012 Breach Investigation Report states: “Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult.” (Note to Verizon: You’ve got to come up with a better name for this report.)

The report is based on the investigations into more than 850 data breaches and was compiled with the help of the U.S. Secret Service and law enforcement agencies in the United Kingdom, The Netherlands, Ireland and Australia.

While companies spent heavily on expensive security systems designed to counter “evil genius” type plans, the bad guys took the easy way in. It’s not that those state-of-the-art attacks didn’t get used but, according to the report, those were mostly used after the hackers found the front door was unlocked. This was true regardless of the size of the company being attacked.

“So, what about larger organizations? Surely they’re a lot more difficult to infiltrate, right? Sadly, our data seems to suggest otherwise; it does not appear that cybercriminals have to work much harder to compromise larger organizations than they do for smaller ones.”

This information should – but likely won’t – have a drastic impact on security budgeting priorities. Money would be better spent on training and re-training people on the basics, like changing your password regularly, than on protection from the latest hot hack vector.