By Danny Yadron
Computer hackers don't have to be cutting edge to wreak havoc
online. Rather, they rely on their targets to make it easier for
them by not updating buggy software, according to a report by
Verizon Communications Inc. expected to be released on Tuesday.
Verizon analyzed anonymous data on 200 million hacking incidents
last year collected by Risk I/O, a Chicago network-security
company. In 99.9% of those incidents, the hackers exploited a
software bug that had been public for at least a year, Verizon
said.
The bugs could be used to knock a computer or router offline,
scan it to see what data is stored on it, or to gain entry. Risk
I/O and Verizon didn't name specific victims, and the companies
don't know how much damage, if any, resulted from each
incident.
Verizon, working with law enforcement agencies and security
companies, confirmed 2,122 data breaches in 61 countries last year.
That compared to 1,367 breaches in 95 countries during 2013. Part
of the increase, Verizon said, was because it had more contributors
for this year's report.
The study offers some of the first empirical evidence for what
many say is a stubborn problem in computer security: victims leave a
lot of doors open for hackers by not updating their software.
Getting people to hit "update" would seem like an easy fix. But
hackers have inertia on their side.
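The report's headline number comes from one measurement: for each incident, how long the exploited bug had already been public. A defender can apply the same measurement to their own records, whether those are incident reports or plain vulnerability-scanner findings that are still open, to see how much of their exposure is a year or more old. The script below is an added illustration, not code from the article, Verizon or Risk I/O; the record layout, the host names and the "placeholder-N" vulnerability identifiers are constructed for the example and are not real CVE numbers.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Finding:
    """One record: a vulnerability seen on a host on a given date.

    Assumed layout for this example. 'observed' is the date the bug was
    exploited (incident data) or the date it was found still unpatched
    (scan data); 'published' is the date the bug became public.
    """
    host: str
    vuln_id: str      # placeholder identifier, not a real CVE number
    published: date
    observed: date

    def age_days(self) -> int:
        """Days the bug had been public when it was exploited or still open."""
        return (self.observed - self.published).days


def summarize_exposure(findings, min_days=365):
    """Share of findings whose bug had been public for at least min_days.

    This is the report's measurement (99.9% of incidents used a bug public
    for a year or more) applied to whatever records are passed in, plus the
    median public age as a sense of how stale the backlog is.
    """
    if not findings:
        raise ValueError("no findings to summarize")
    ages = [f.age_days() for f in findings]
    stale = sum(1 for a in ages if a >= min_days)
    return {
        "total": len(findings),
        "stale": stale,
        "stale_share": stale / len(findings),
        "median_age_days": median(ages),
    }


def stale_by_host(findings, min_days=365):
    """Per-host count of findings older than the threshold, largest first.

    Useful as a patch-backlog view: which machines carry the oldest exposure.
    """
    counts = {}
    for f in findings:
        if f.age_days() >= min_days:
            counts[f.host] = counts.get(f.host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample records (not real data); dates chosen so that four of
# the six bugs had been public for a year or more when observed.
SAMPLE = [
    Finding("web-01", "placeholder-1", date(2013, 4, 10), date(2014, 9, 15)),
    Finding("web-01", "placeholder-2", date(2014, 8, 20), date(2014, 9, 15)),
    Finding("db-02", "placeholder-3", date(2012, 1, 5), date(2014, 6, 1)),
    Finding("db-02", "placeholder-4", date(2013, 10, 1), date(2014, 10, 1)),
    Finding("mail-03", "placeholder-5", date(2013, 12, 15), date(2014, 11, 30)),
    Finding("mail-03", "placeholder-6", date(2011, 3, 1), date(2014, 3, 20)),
]

if __name__ == "__main__":
    print(summarize_exposure(SAMPLE))
    print(stale_by_host(SAMPLE))
```

Fed a scanner export instead of the constructed sample, the same two functions give the share of open findings that are a year or more old and the hosts carrying most of them, which is the number to track when deciding whether patching is keeping pace.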
For consumers, installing an updated operating system for an
iPhone or restarting a laptop after installing patches can be a
nuisance. For companies, which may employ hundreds of software
programs that must talk to one another, updating one may disrupt
others.
"You want to focus on widget making, not staffing up to patch
your entire system," said Bob Rudis, a security data scientist at
Verizon and a former director of information-technology security
operations at Liberty Mutual Insurance. "This does become a
significant undertaking."
At the same time, Mr. Rudis said the study suggests there are
relatively cheap and straightforward steps companies can take to
make it much harder for hackers to break into their systems.
Computer software includes millions of lines of code that tell
machines what to do. There are bound to be loopholes and logic
flaws that can be "hacked." When such bugs are found, companies
like Microsoft Corp. and Apple Inc. will issue a patch that users
can install.
"A number of the companies I talk to today, they're not patching
as it is," said Mark Weatherford, a consultant at the Chertoff
Group and a former government official.
Risk I/O assembled its data from other cybersecurity companies,
such as Dell Inc.'s security unit and VeriSign Inc. The data covers
150 countries, though most of it is from U.S. targets, the company
said.
Write to Danny Yadron at danny.yadron@wsj.com