In 2005, a Preventsys (now McAfee) and Qualys survey found that 52% of companies rely on a ‘Moat & Castle’ approach to Network Security but also admitted, at the time, that once the perimeter is penetrated, they are at risk.  I haven’t been able to find a more recent statistic but I’m still betting that once a network is breached, it’s at risk.  Networks are evolving, expanding and exploding with more data than ever before which means they also need to be smarter about who and what they allow on.  They have become Application Delivery Networks and soon, truly Identity Aware.  At the same time, many Enterprise networks are making  interconnections with other Corporate networks enabling Federation or trust between the two to create an extended network.

The good news/bad news about this is that according to Verizon  Business' "2009 Data Breach Investigations Report (pdf)" 32% of the data breaches implicated a business partner.  The good news is that breaches linked to business partners fell for the first time in years (-7%) but it was still 3rd on the list (behind External Sources and  Multiple Parties).  They conclude that the decline wasn’t due to any additional security focus (in fact, the majority was due to lax security practices at the connection level from the third-party) in that particular area but a change in what criminals were going after.  In 2008, the Food/Beverage industry had a high percentage (70%) of breaches attributed to partners and in 2009, the bad-guys decided to go after higher payouts – like financial institutions.  Only (with a grain of salt) 1,509,000 records were compromised by partners compared to 266,788,000 by external sources based on the report.  Usually it was the third-party systems that were compromised and the attacker used the trusted connection to make inroads to the target.  Since it’s coming from a ‘trusted’ authorized connection, these are difficult to detect and stop.

Exchanging information is critical to this extended ecosystem and some level of trust is inherent.  But you can’t necessarily expect that your security policies will be consistently enforced on a separate network.  It’s important to look at these deployments, consider your visibility/accountability for those partner connections and create policies that enable, benefit and secure both ends.

ps

• #14 out of 26 Short Topics about Security
• previous stories: 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Source : The 2009 Data Breach Investigations Report by Verizon Business