Are Corporate America’s Networks Prepared to Fend Off Targeted Security Attacks?

Latest CSI, FBI Survey, Legislation and Breach Security Suggest Heightened Security Awareness & Security Practices

CARLSBAD, Calif., – August 22, 2005 – Breach Security Inc., the provider of next-generation web application security to protect privileged information, today underscored the results of several recent high-profile surveys, research and legislative action that encourage security professionals to take stock, and suggested actions, while noting that doing little can have dire consequences for consumers and corporations.

Impact of security breaches, their source, and legislation

Today, with holiday purchases right around the corner, 41 percent fewer purchases are being made online as compared to last year. (Source: Conference Board survey, June 2005.) Information security breaches are reported at the rate of one every three days in the U.S., with over half of the publicized incidents pointing to external hackers, according to Privacy Rights Clearinghouse’s identification of compromised data publicized since February 2005.

Just recently the Computer Security Institute (CSI), with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad, released its 10th annual survey. The survey questioned 700 security practitioners from large corporations, government agencies, medical institutions and universities. Its results indicate organizations need to raise their level of security awareness because threats from computer crime and other information security breaches are real, with more sophisticated attacks on the rise as well as financial loss for the consumer and the enterprise. The survey notes that theft of proprietary information increased significantly, with the average loss per respondent more than double that reported last year.

Today, 20 states require organizations to notify individuals if sensitive information such as Social Security, driver’s license and financial account numbers is disclosed to unauthorized people, and other states have introduced such legislation. (Source: Baker & McKenzie www.bakernet.com.) The increase in security reports and congressional hearings on computer security follows the watershed ChoicePoint event in February, where cyber criminals obtained 145,000 customer accounts.

“With the public paying closer attention to identity theft, it becomes a societal issue of extreme importance,” said Marc Shinbrood, CEO of Breach Security. “When companies typically contact us, it’s following a targeted attack against their private data—when they’re working to determine where and how the breach occurred, how to fix it, and are addressing legislation requirements/issues about notifying internal and external customers. This, what we call the ‘ExitControl™ Strategy,’ takes on a heightened level of importance.”

How security professionals can be more proactive

“Web applications have become essential parts of companies’ business strategies,” said Andrew Jaquith, Senior Analyst at the Yankee Group. “At the same time, targeted, malicious attacks against these applications are increasingly sophisticated. First generation web application security solutions kept communications confidential using SSL. But encryption isn’t enough; in today’s climate, companies need solutions that protect the integrity and availability of web transactions as well.”

Web application security provider Breach Security suggests tips and best practices to help organizations ‘fend off’ these targeted attacks, even if they believe existing security measures are ‘working’.

Security Tips, Best Practices

  1. Understand that Web applications have become the weakest link in the security infrastructure of the organization. These applications are exposed to the world and provide cyber criminals with an unprecedented opportunity to extract critical privileged information from corporate databases.
  2. Test applications for security defects during the development and QA cycles to identify and remediate areas of risk before the application is deployed.
  3. Realize that even securely developed applications are at risk due to servers that are misconfigured and known vulnerabilities in middleware components, such as PHP scripts and ColdFusion objects.
  4. Recognize the limits of network intrusion detection and prevention systems to defend against application-layer attacks on Web applications. Most cannot be customized for the unique vulnerabilities of each Web application. Further, many such systems do not support real-time decryption of SSL-encrypted Web application traffic and are blind to many application-layer attacks.
  5. Implement a Web application protection solution with a positive security model and forensics capabilities. A combination of secure coding and a defensive prevention solution provides the most comprehensive protection against Web application attacks. Forensics capabilities are necessary to limit the scope of reporting requirements to the specific customers whose privacy data was affected rather than all customers who may have been affected. This step is an absolute necessity if an organization has been unsuccessful at implementing secure coding procedures or is using outsourced code in their application.
  6. Prepare an Emergency Response Plan. One hundred percent protection against Web-based attacks doesn’t exist. An Emergency Response Plan will provide the details for the steps to be taken should a breach occur. This will include details on what to do to identify and repair the application, what to do with the application while it is being fixed and how to notify customers whose privacy data was accessed.

About Breach Security, Inc.

Breach Security, Inc. is a leading provider of next-generation web application security that protects corporate-critical information. Breach effectively protects web applications of commercial enterprises and government agencies alike against Internet hacking attacks and provides an effective solution for expanding security challenges such as identity theft, information leakage, and insecurely coded applications. Breach’s solutions are ideal for any organization’s regulatory compliance requirements for security.  Breach was founded in 2004 and is headquartered in Carlsbad, Calif. For more information visit: www.breach.com.

# # #


Breach Security, BreachGate WebDefend and BreachMarks are trademarks of Breach Security, Inc. All other companies’ names and product names are trademarks of their respective organizations.

Media Contacts:

Breach Security, Inc. U.S.

Dan Chmielewski, Principal
Madison Alexander PR, Inc.
dchm@madisonalexanderpr.com
(949) 231-2965