Verizon today released a report on Data Breach Investigations for 2012 and 2011. The data is aimed at helping organisations better understand the anatomy of a data breach and how to provide protection for the same. It also examines intellectual property theft, which has become difficult to protect.
“Understanding what happens when a data breach occurs is critical to proactive prevention,” says Wade Baker, managing principal - RISK team at Verizon. “Through our analysis, we are hoping to provide answers to businesses around the globe that want to protect not only their data but their reputation.”
The financial services industry faces some unique challenges. The industry’s status as a high-value target means it attracts significantly more directed and tenacious criminal attention. Breaches in this sector were primarily about the money, whether targeting it directly (by accessing internal accounts and applications) or indirectly (through downstream fraud). Many of the attacks are targeted against ATMs, web applications and employees. Areas for improved security include better protection of ATMs, careful monitoring of log-in credentials, secure application development, and training and awareness among employees.
In the healthcare space, breaches fell into the small to medium business category (1-100 employees) and outpatient care facilities – medical and dental offices. Cyber attacks were mostly the work of financially motivated organised criminal groups, which typically attack smaller, low-risk targets to obtain personal and payment data for fraud schemes. Most attacks involved hacking and malware and often focused on point-of-sale (POS) systems.
The industry also needs to protect medical devices and electronic health records. Major breaches can be prevented with some easy steps, including change in administrative passwords on all POS systems, implementing a firewall, avoiding using POS systems to browse the web and making certain that POS is a PCI DSS (Payment Card Industry Data Security Standard) compliant.
The retail industry continues to be plagued with a multitude of data breaches, many of it committed by groups that gain access through POS systems that conduct daily business. The criminals exploit weak, guessable or default credentials via third-party remote access services. The most vulnerable are franchises and other small and medium-size businesses, which often lack in-house resources and expertise to manage their own security. Consequently, these businesses often rely on ill-equipped third-party vendors, which often fail to provide adequate protection; or the businesses uses an out-of-the-box solution, without adequately investigating whether the solution will meet their security needs.
In many cases, employees are involved in the breaches, either willingly or unwillingly. It is not uncommon for an employee to click on a malicious email attachment or visit a questionable site on a company desktop, infecting the system with malware and enabling an attacker to gain access to other devices within the network.
In the past two years, there have been more breaches in the accommodation and food services industry. The POS systems, once again, have proven to be easy targets for criminals.
Finding and identifying the work of Intellectual Property (IP) theft is highly difficult and specialised. Many of these breaches go undetected until long after the damage has been done, and it often takes quite a while to contain the breach. IP attacks often include collusion between insiders and outsiders. Regular employees accounted for the largest percentage (two-thirds) of insiders. Outsiders often acted directly and maliciously, but also regularly solicited and aided insiders. Most of the thefts are carried out by determined adversaries who target IP as a shortcut to attaining some manner of strategic, financial, technological or related advantage. The attackers generally mix and match their methods until they find a successful combination. Many of these combinations are multiphased and multifaceted. With IP attacks, no single solution can guarantee protection. A common-sense, evidence-based approach is the best defense.
The report is in its fifth year of publication, and this year’s edition, analysed 855 data breaches involving more than 174 million compromised records. Five organisations contributed data to this year’s report - the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police.
