Internal Botnet activity predicts future data breach likelihood
Organisations showing evidence of botnets inside their networks are not only more likely to suffer a data breach; the level of botnet activity also correlates directly with the degree of increased risk, security analytics firm BitSight has argued after analysing incidents at more than 6,000 companies.
That botnets augur badly for an organisation’s chances of suffering a data breach sounds obvious (botnets are often designed to pillage the credentials used in attacks, after all), but the fact that greater botnet activity increases risk still further is intriguing all the same.
BitSight spent the year up to March 2015 looking at the security ratings it had handed out to 6,273 mostly US-based firms of 1,000 employees and over based on a range of tell-tale security symptoms it uses to calculate scores.
Of this group, 199 (3.3%) had suffered a disclosed data breach and 96.7% had not. Both groups were then checked to see whether any of the security symptoms (spam, compromised servers, botnets, malware) lined up with a higher likelihood of being in the former group.
The 1,536 organisations with the lowest level of botnet activity (grade A) turned out to have suffered breaches on 26 occasions (a 1.7% incidence), while the 4,536 organisations showing higher levels of botnet activity (grade B) had suffered breaches on 172 occasions (a 3.7% incidence).
Although not a massive difference in absolute terms, the figures suggest that firms with higher botnet activity were, on the basis of this sample, 2.2 times more likely to have suffered a data breach, a statistically significant difference.
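As an added worked example, not taken from BitSight’s report, the script below recomputes the incidence rates, the relative risk and a chi-square significance test from the two group counts quoted above, using only the Python standard library; the 0.05 significance threshold is an assumption.

```python
"""Relative risk and chi-square test for the 2x2 table quoted above:
grade A vs grade B botnet activity, breached vs not breached."""
import math

# Group counts taken from the article's figures.
GRADE_A = {"orgs": 1536, "breached": 26}
GRADE_B = {"orgs": 4536, "breached": 172}


def incidence(group):
    """Breach incidence as a fraction of organisations in the group."""
    return group["breached"] / group["orgs"]


def relative_risk(exposed, control):
    """How many times more likely a breach is in the exposed group."""
    return incidence(exposed) / incidence(control)


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square statistic (no continuity correction) for the
    table [[a, b], [c, d]]: rows are groups, columns breached / not."""
    n = a + b + c + d
    return n * (a * d - b * c) ** 2 / ((a + b) * (c + d) * (a + c) * (b + d))


def chi_square_1df_pvalue(stat):
    """p-value for one degree of freedom: the statistic is the square of a
    standard normal, so p = 2 * (1 - Phi(sqrt(stat))) = erfc(sqrt(stat/2))."""
    return math.erfc(math.sqrt(stat / 2.0))


def breach_risk_summary(exposed=GRADE_B, control=GRADE_A, alpha=0.05):
    """Compare breach rates between two groups; alpha is an assumed threshold."""
    a, c = exposed["breached"], control["breached"]
    b, d = exposed["orgs"] - a, control["orgs"] - c
    stat = chi_square_2x2(a, b, c, d)
    p = chi_square_1df_pvalue(stat)
    return {
        "exposed_incidence": incidence(exposed),
        "control_incidence": incidence(control),
        "relative_risk": relative_risk(exposed, control),
        "chi_square": stat,
        "p_value": p,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    for key, value in breach_risk_summary().items():
        print(f"{key}: {value}")
```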
Breaking this down by sector showed that education was the poorest performer, perhaps not a surprise. BitSight’s grading system goes from A to F and this sector had the smallest number of grade A networks (the best) and the highest number of grade F networks (the worst).
Utilities was the next worst performer, followed by data breach hotspot healthcare and then retail, in that order. Finance was the best performing sector, a pattern of differences BitSight has commented on before.
Much of the botnet data was fed into the analysis from sensors deployed by Portuguese security firm AnubisNetworks, formally acquired by BitSight last October.
One detail that stands out about the education figures is that it is not only PCs and servers that are at risk. One of the prime causes of high botnet activity at US universities turns out to be Mac malware such as the Flashback Trojan, something BitSight has commented on previously.
But what can be inferred from this correlation apart from the obvious point that botnets are bad news?
Logically, if botnets stand out above other negative security indicators in this way, detecting them offers a new way of predicting the likelihood of a future breach.
“The implications for organisations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks,” said BitSight’s researchers in its report.
This does not necessarily mean that the botnets themselves are causing the increased risk, although that remains possible. More likely, said BitSight, their presence was indicative of the failure of security controls inside the affected organisation.
BitSight has previously reported on the effect data breaches are having on a variety of US sectors, most recently recording a dip in performance on the basis of its own security metrics. Some sectors are also more at risk of breaches than others.
It remains an intriguing possibility (one that BitSight would welcome for commercial reasons) that organisations might one day be assessed for security risk on the basis of independent ratings such as BitSight’s.
John E Dunn, IDG News Service