Botnet activity inside organisations predicts likelihood of future data breach

10.04.2015
Organisations showing evidence of botnets inside their networks are not only more likely to suffer a data breach, the level of botnet activity correlates directly to increased risk, security analytics firm BitSight has suggested after analysing incidents at more than 6,000 companies.

That botnets augur badly for an organisation's chances of avoiding a data breach sounds obvious - botnets are often designed to pillage the credentials later used in attacks, after all - but the fact that greater botnet activity increases the risk still further is an intriguing finding.

BitSight spent the year up to March 2015 looking at the security ratings it had handed out to 6,273 mostly US-based firms of 1,000 employees or more, using a range of worrying security symptoms to calculate grades from A (best) to F (worst).

In total, 199 (3.3 percent) had suffered a disclosed data breach and 96.7 percent hadn't. Both groups were then checked to see whether security symptoms (spam, compromised servers, botnets, malware) lined up with a higher risk of being in the former group.

The 1,536 organisations with the lowest grade of botnet activity (grade A) turned out to have suffered breaches on 26 occasions (a 1.7 percent incidence), while the 4,536 organisations showing higher levels of botnet activity (grade B) had suffered breaches on 172 occasions (a 3.7 percent incidence).

Although not a massive difference in absolute terms, the figures suggest that, on the basis of this sample, firms with higher botnet activity were 2.2 times more likely to have suffered a data breach, a statistically significant contrast.
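As an added illustration, not code from the article or from BitSight's report, the following Python reproduces the 2.2 times figure from the group counts quoted above and checks the significance claim with a Pearson chi-square test on the resulting 2x2 table. The counts are those quoted in the article; the choice of test is an assumption, since the article does not say which method BitSight used.

```python
import math

# Counts quoted in the article: (breached organisations, organisations in group)
LOW_BOTNET = (26, 1536)     # grade A for botnet activity (lowest)
HIGH_BOTNET = (172, 4536)   # grade B for botnet activity (higher)


def incidence(breached, total):
    """Breach incidence within one group, as a fraction."""
    return breached / total


def relative_risk(low, high):
    """How many times more likely a breach is in the high-activity group."""
    return incidence(*high) / incidence(*low)


def chi_square_2x2(low, high):
    """Pearson chi-square test of independence on the 2x2 table
    (rows: botnet grade, columns: breached / not breached).
    Returns (chi2 statistic, p-value) for 1 degree of freedom. The upper
    tail of a 1-df chi-square distribution equals erfc(sqrt(chi2 / 2)),
    so the p-value needs only the standard library."""
    a, n_low = low
    c, n_high = high
    table = [[a, n_low - a], [c, n_high - c]]
    n = n_low + n_high
    col_totals = [a + c, n - (a + c)]
    chi2 = 0.0
    for i, row_total in enumerate((n_low, n_high)):
        for j, col_total in enumerate(col_totals):
            expected = row_total * col_total / n
            chi2 += (table[i][j] - expected) ** 2 / expected
    p_value = math.erfc(math.sqrt(chi2 / 2))
    return chi2, p_value


if __name__ == "__main__":
    rr = relative_risk(LOW_BOTNET, HIGH_BOTNET)
    chi2, p = chi_square_2x2(LOW_BOTNET, HIGH_BOTNET)
    print(f"incidence, grade A: {incidence(*LOW_BOTNET):.1%}")
    print(f"incidence, grade B: {incidence(*HIGH_BOTNET):.1%}")
    print(f"relative risk: {rr:.2f}x")
    print(f"chi-square = {chi2:.2f}, p = {p:.2e}")
```

The p-value comes out far below 0.001, which is what "statistically significant" means in practice here; the 2.2 times figure is a ratio of incidences, not a statement that botnets cause breaches.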

Breaking this down by sector showed that education was the poorest performer, perhaps not a surprise. This sector had the smallest number of grade A networks (the best) and the highest number of grade F networks (the worst).

Utilities was the next worst performer, followed by data breach hotspot healthcare and then retail. Finance was the best performing sector, a difference BitSight has commented on before.

Much of the botnet data was fed into the analysis from sensors deployed by Portuguese security firm AnubisNetworks, acquired by BitSight last October.

One detail from the education figures is that it is not only PCs and servers that are at risk of generating botnet traffic. One of the prime causes of high botnet activity at US universities turned out to be Mac malware such as the Flashback Trojan, something BitSight reported in a previous analysis.

But what, in the end, can be inferred from this correlation apart from the obvious point that botnets are bad news?

Logically, if botnets do stand out above the other negative security measurements, then detecting botnets offers a new way of predicting the likelihood of a future breach.

"The implications for organisations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks," said BitSight's researchers in their report.

This doesn't mean that the botnets themselves are causing the increased risk, although that remains possible. More likely, said BitSight, their presence was indicative of the failure of security controls inside the affected organisation.

BitSight has also reported on the effect data breaches are having on a variety of US sectors, most recently recording a dip in performance on the basis of its own security metrics. Some sectors are also more at risk of breaches than others.

It remains an intriguing possibility (one that BitSight would welcome for commercial reasons) that organisations might one day be assessed for security risk on the basis of independent ratings such as BitSight's.

(www.techworld.com)

John E Dunn
