Verizon breach study identifies industry specific threats

By Robert Westervelt, News Editor 01 Oct 2008 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Insider attacks are the biggest source of trouble for financial services firms while high-tech firms have a trouble keeping track of security configurations leaving gaping holes for hackers, according to a report released today by Verizon Business.

Financial services firms do a great job of watching and tracking traffic from and to the enterprise, but it's their own employees that represent the biggest threat. Bryan Sartin, director of the Investigative Response team, Verizon Business

Verizon issued a supplemental analysis of its 2008 Verizon Business Data Breach Investigation Report released in June. The study analyzed the Investigative Response team's handling of more than 500 data breaches between 2004 and 2007. The supplemental analysis breaks down the threats faced in four industries: Financial services, high-tech services, retail and food and beverage.

The analysis shows that in all four of the industries, Web facing application vulnerabilities and remote access control issues often led to a data breach. Payment card data was the biggest draw of attackers.

Verizon said insiders represent the greatest threat to financial services firms. More than 42% of Verizon's investigative response unit's cases involved employee deceit and 32% of the case load represented the misuse of information.

"Financial services firms do a great job of watching and tracking traffic from and to the enterprise, but it's their own employees that represent the biggest threat," said Bryan Sartin, director of the Investigative Response team at Verizon Business.

Sartin said 68% of the cases in the financial services industry were opportunistic, while only 32% were a directly targeted attack.

"It often involves the abuse of privileges," he said. "No one is looking so there's an opportunity factor."

Sartin said the analysis found that attacks on financial services firms take longer and are more sophisticated, often involving more than one person. Discovery can take weeks, although financial services organizations generally learn of breaches more quickly than other types of organizations, Sartin said.

The use of the more advanced technologies at high-tech firms often lead to system configuration issues and vulnerable systems. High-tech organizations also have trouble keeping track of data sources making them further vulnerable to a data breach, according to Verizon.

SearchSecurity radio:

Hacking and malware represented a larger threat to high-tech firms with 45% of data breach cases involving hacking and 32% of the cases involving some form of malware.

The retail industry represented the greatest portion of the overall cases analyzed. In many cases, retailers left remote access connections open, even if they were no longer used. Overall, attacks against this industry are largely opportunistic, seeking quick payloads of data that can easily be used for fraudulent purposes, Verizon said.

Sixty-eight percent of attacks on retailers involved hacking with the attackers taking advantage of an open VPN connection or weak wireless security. Sartin said that in many cases vulnerable point-of-sale systems were to blame.

"Increasingly breaches are repetitive and we can see a pattern in the types of systems being exploited," Sartin said. "When we get calls with a potential problem we know to look at the POS system right away."

Point-of-sale systems were also a major problem for the food and beverage industry. Restaurants and hotels were being consistently attacked based on the type of POS system they were running, Sartin said. In many cases criminals used an exploited POS system to stage additional attacks.

About 95% of all data stolen from the food and beverage industry was from Internet facing systems. The attacks are external and rely on poor security configurations and software vulnerabilities. Once hackers find a pathway into a system, Sartin said they look for other restaurant chains, hotels or beverage companies with similar systems.

"It's easy to go after the vendors that support the POS systems," Sartin said.

The full Verizon data breach report is available for free from Verizon Business.

Tags: Identity Theft and Data Security Breaches,  Security Industry Market Trends, Predictions and Forecasts,  Database Security Management,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security Industry Market Trends, Predictions and Forecasts Hackers to sharpen malware, malicious software in 2010 Part 1: Marcus Ranum on the state of information security Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security Part 3: Marcus Ranum on the state of information security Part 5: Marcus Ranum on the state of information security Layoffs prompt insider threat fears, cybersecurity survey finds Healthcare security spending remains sluggish, report shows How to use Internet security threat reports M86 buys Web security gateway vendor Finjan Security Industry Market Trends, Predictions and Forecasts Research Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary