Misconfiguration can also take the form of a setting on an endpoint that resulted in a patch or remediation not being applied. For instance, it could be as simple as having automatic updates turned off, preventing a new patch from being deployed.
Again, the Verizon Data Breach Report and other data breach studies show that sensible low- and mid-level controls and proper configuration of existing security technology are adequate to stop the overwhelming majority of attacks.
Human error is responsible for many more data breaches than older technology. That is not to say that technology doesn't become obsolete. Of course, it does and that is sometimes the case. For instance, trying to maintain Windows XP systems after Microsoft has discontinued support could leave you vulnerable to attack. But that situation is far rarer than a simple misconfiguration.
Before blaming the technology, take a good look in the mirror and make sure that your perimeter devices, network, servers and endpoints are all configured correctly.
Oh, how the web app security vendors would love us to believe this one. However, this is another myth about data breaches. While many attack attempts come in via port 80, this does not mean that existing technologies in network security could not be used to block them.
A firewall, for example, can be used to stop attacks even with port 80 or other common ports left open. Blocking via IP, whitelisting IPs, and other firewall configuration management tactics can block many application layer 7 attacks despite popular myths to the contrary.
Yes, application-specific defenses like NGFW, WAF and other layer 7 defenses are effective against these attacks (assuming they are properly configured), but if you don't have the budget to afford these luxuries there is no need to throw in the towel-there is still a lot you can do. Tightening your network controls and doing all you can to avoid misconfigurations is a viable and surprisingly effective strategy.
Myth: If I keep my systems patched, I can prevent all breaches
If only this were true, what a simpler world this would be. The "I can patch everything, can't I?" approach fails on several fronts. First of all, just staying on top of all of the patches that are released for the software you run in your organization can be a daunting task.
In most organizations, you don't just apply a patch when it comes out. There is a quality assurance process where the patch is tested to make sure it does not break something else. By the time a new patch is tested and made ready to implement system-wide, there is already a new patch that must be tested and rolled out as well. While this may be a great form of job security, it is also like living on a hamster wheel. No matter how fast you run, it seems that with the sheer amount of patches you never catch up.
Sign up for CIO Asia eNewsletters.