Data breach laws won't help: Verizon

Contradicting industry calls, a top information forensic specialist has said mandatory data breach legislation will not reduce the number of breaches.

A top information forensic specialist has said that mandatory data breach legislation will not reduce the number of data breaches, despite industry calls for such laws to be introduced.

(Image: broken doors, by Eran Sandler, CC2.0)

Industry figures have been asking for such legislation since the government looked into the issue as part of a national overhaul of privacy laws.

Data breach disclosure laws would force companies to disclose when a breach occurs. The hope is that disclosure would let customers make an informed choice based on a company's behaviour, and that companies would be shamed into lifting their game.

But Verizon forensics investigations response chief Mark Goudie said that when the laws were introduced into the United States, they did little more than trigger a short run of headlines.

He feared that legislation would have a similar effect here.

He said that lifting slack security standards would avert some 85 per cent of data breaches.

If Verizon is to be believed, the lion's share of data breaches are conducted using decade-old attacks and are allowed to continue because of failures in basic security.

SQL injections were one of the most common ways to steal data and log-in credentials, along with custom malware which avoids antivirus detection.

But simple log reviews would help avoid data breaches in 85 per cent of cases, Goudie said.

"We don't need to use FTK or EnCase or anything — everything was in logs."

"It must suck to be at the other end of that."

He said attackers may sniff the network for vulnerabilities or valuable data for up to a year, which can usually be detected by reviewing logs.

Goudie spoke at the Australian Information Security Association conference in Sydney yesterday.