Friday, January 7, 2011

Verizon 2010 Data Breach Investigations Report

I have just looked through the Verizon 2010 Data Breach Investigations Report: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

It was published 6 months ago, but there are 2 interesting points in it for me.

The first point comes from "Table 7. Types of compromised assets by percent of breaches and percent of records" on page 39. It shows that while the database server accounts for 25% of compromised assets, it accounts for a huge 92% of compromised records. This shows that once attackers get to your database, they have access to the crown jewels.

The second point comes from "Figure 42. Cost of recommended preventive measures by percent of breaches", which shows the cost of implementing the preventive measures once the breach was discovered. The cost to prevent 64% of the breaches was considered "simple and cheap". This counters the argument that it would cost too much to implement full data protection policies. "Figure 43. Categorization of recommended mitigation measures by percent of breaches" goes on to show that 66% of breaches could have been prevented by "Configuration change to existing assets" and "alter existing practice".

Attackers will generally go for the lowest-hanging fruit, and from this Verizon report it looks like there is still plenty of it around.
