Data breach laws won't help: Verizon

Summary: Contradicting industry calls, a top information forensic specialist has said mandatory data breach legislation will not reduce the number of breaches.

A top information forensic specialist has said that mandatory data breach legislation will not reduce the number of data breaches, despite industry calls for such laws to be introduced.

Industry figures have been asking for such legislation since the government looked into the issue as part of a national overhaul of privacy laws.

Data breach disclosure laws would aim to force companies to disclose when a breach occurs. The hope is that disclosure would allow customers to make a choice based on companies' behaviour. Ideally, companies would be shamed into lifting their game.

But Verizon forensics investigations response chief Mark Goudie said that when the laws were introduced into the United States, they did little more than trigger a short run of headlines.

He feared that legislation would have a similar effect here.

He said that lifting slack security standards would avert some 85 per cent of data breaches.

If Verizon is to be believed, the lion's share of data breaches are conducted using decade-old attacks and are allowed to continue because of failures in basic security.

SQL injections were one of the most common ways to steal data and log-in credentials, along with custom malware which avoids antivirus detection.

But simple log reviews would help avoid data breaches in 85 per cent of cases, Goudie said.

"We don't need to use FTK or EnCase or anything — everything was in logs."

"It must suck to be at the other end of that."

He said attackers may sniff the network for vulnerabilities or valuable data for up to a year, activity that can usually be detected by reviewing logs.

Goudie spoke at the Australian Information Security Association conference in Sydney yesterday.

About

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.
