When companies outsource their IT services, they should ask questions about the provider’s practices, says McNeill. At the very least, they should make sure that the company has its personnel use different access passwords for different clients so that if one is compromised, they are not all automatically exposed.
The second most common way that sites are breached is through what is called Structured Query Language (SQL) injection. This begins at the Web site. As the report explains, Web pages today are set up to take user information, which is then transferred to and from back-end databases housing everything from cardholder data to a user’s purchase history. The Web page communicates with the database via SQL queries. "Poor coding practices have allowed the SQL injection attack vector to remain on the threat landscape for more than 15 years. Any application that fails to properly handle user-supplied input is at risk," notes the report. SQL injection is preventable when programmers do their jobs, but in 26 percent of the examined breaches, hackers were able to exploit SQL vulnerabilities.
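The difference between a page that fails to handle user-supplied input and one that handles it properly, shown as an added example that does not come from the report. The `purchases` table, its columns, the function names and all sample rows and inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed purchase-history rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchases (username TEXT, item TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO purchases VALUES (?, ?, ?)",
        [("alice", "laptop", "1111"), ("bob", "phone", "2222"),
         ("carol", "camera", "3333"), ("o'brien", "tablet", "4444")],
    )
    return db

def history_concatenated(db, username):
    # Poor practice: the input is spliced into the SQL text, so the database
    # parses whatever the user typed as part of the statement itself.
    sql = ("SELECT username, item, card_last4 FROM purchases "
           "WHERE username = '" + username + "'")
    return db.execute(sql).fetchall()

def history_parameterized(db, username):
    # The statement text is fixed; the input is bound as a value and can
    # never change the structure of the query.
    sql = "SELECT username, item, card_last4 FROM purchases WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def row_count(query_fn, db, username):
    """Rows returned, or None if the resulting statement no longer parses."""
    try:
        return len(query_fn(db, username))
    except sqlite3.Error:
        return None

def compare(db, username):
    """(rows from the concatenated query, rows from the parameterized query)."""
    return (row_count(history_concatenated, db, username),
            row_count(history_parameterized, db, username))

# Constructed form inputs: an ordinary name, a name containing an apostrophe,
# and a value that rewrites the WHERE clause when concatenated.
NORMAL_INPUT = "alice"
APOSTROPHE_INPUT = "o'brien"
HOSTILE_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for value in (NORMAL_INPUT, APOSTROPHE_INPUT, HOSTILE_INPUT):
        print(repr(value), compare(db, value))
```

The concatenated query returns every customer's row for the hostile value and breaks outright on a legitimate name containing an apostrophe; the parameterized query returns only rows whose username matches the input exactly.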
Once in, hackers can often work their way easily through a company's system to the valuable data they seek. That's not as hard as it should be, because "Internally-facing remote administration utilities are frequently set up even less securely than externally-facing versions," says the report. "Many have abysmally weak username:password combinations—and sometimes require no credentials at all."
Hackers may install malware that will allow them to harvest data. They have become "much more adept at hiding their malware in plain sight, known as malware subterfuge—the use of legitimate process names or injection of malware into legitimate Windows binaries. This means that an attacker’s malware could live on a target system undetected for as long as four years, and all data processed during that timeframe may be compromised," the report states.