Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my three most recent columns (see Part 1; Part 2; and Part 3), I've been looking at the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." Today, in the fourth and final article in this series, I will look at the findings on attack vectors, called "Common Attack Pathways" in the report.
The paper provides the following summary data:
• Remote Access and Control: 42%
• Web Application: 34%
• Internet-Facing System: 24%
• Physical Access: 21%
• Wireless Network: 9%
The authors comment:
“In over 40% of the breaches investigated during this study, an attacker gained unauthorized access to the victim via one of the many types of remote access and control software. On many occasions, an account which was intended for use by vendors in order to remotely administer systems was compromised by an external entity. These vendor accounts were then used to illegitimately access enterprise information assets. This scenario is particularly problematic due to the fact that, from the victim's perspective, the attacker appears to be an authorized third party. In many of these cases, the remote access account is configured with default settings, making the attacker's job all too easy.”
These findings support the long-established warnings about canonical accounts (i.e., accounts that have the same name and characteristics on all comparable systems). Such accounts are even worse risks when system administrators fail to change the canonical passwords that are often included as part of the installation of specific application or utility software.
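One way to check for the exposure described above is to audit an account inventory for names that recur across hosts and whose passwords have not been changed since the account was created. The following is an added example, not part of the Verizon report or the original column; the CSV layout, host and account names, and the "password unchanged since creation" heuristic are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample inventory (not data from the report): one row per account per host.
INVENTORY = """host,account,created,password_changed,remote_access
pos-01,vendorsupport,2007-03-01,2007-03-01,yes
pos-02,vendorsupport,2007-03-04,2007-03-04,yes
pos-03,vendorsupport,2007-03-09,2008-01-15,yes
db-01,backupsvc,2006-11-20,2006-11-20,no
db-01,jsmith,2007-05-02,2008-02-11,yes
web-01,backupsvc,2006-12-01,2007-12-01,no
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def audit(inventory_csv, min_hosts=2):
    """Return (severity, host, account) for every canonical account.

    An account counts as canonical when the same name exists on at least
    min_hosts systems. Assumed heuristic: a password never changed since
    the account was created is treated as still being the install-time one.
    """
    by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        by_name[row["account"]].append(row)

    findings = []
    for name, rows in by_name.items():
        if len(rows) < min_hosts:
            continue  # name is unique to one host, so not canonical
        for row in rows:
            created = datetime.strptime(row["created"], "%Y-%m-%d")
            changed = datetime.strptime(row["password_changed"], "%Y-%m-%d")
            unchanged = changed <= created
            if unchanged and row["remote_access"] == "yes":
                severity = "high"    # remotely reachable with install-time password
            elif unchanged:
                severity = "medium"  # install-time password, local use only
            else:
                severity = "info"    # canonical name, password has been rotated
            findings.append((severity, row["host"], name))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, host, account in audit(INVENTORY):
        print(f"{severity:6} {host:8} {account}")
```

The "info" rows still matter: a rotated password on a canonical account is better, but the shared name remains predictable on every comparable system.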
One of the interesting counter-intuitive results is the low involvement of wireless networks as an attack vector:
“Despite the large amount of media attention given to the supposed weakness of wireless networks, this vector was exploited considerably less than others… When wireless infrastructure was the means of entry, it was due to poor configuration and weak encryption rather than a successful attack against an adequately secured WLAN.”
The Verizon report is well organized and well written; the language is simple and engaging and never stuffy. The authors make no claims that go beyond the value of their data set and they use reasonable statistical measures to describe their data. I hope that their excellent work will influence others to improve security studies.
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (1)
Wireless broadband
By Les on July 11, 2008, 9:38 am
The article about Verizon is interesting, but it is technologies that they didn't mention such as wireless (cellular) broadband that poses a larger problem for...