Data security should not be seen as a "one-size fits all"
requirement, says Verizon Business, because different industry
sectors have differerent requirements.
A supplemental Verizon study, based on its recently released
2008 Verizon Business Data Breach Investigations Report, saw
Verizon Business security experts use the original data to provide
a glimpse into the differences and similarities in attacks across
four key industries: financial services, high-tech, retail, and
food and beverage.
"The supplemental report provides further insight into the
nature of breaches, underscoring that good security does not lend
itself to a cookie-cutter approach," said Peter Tippett,
vice-president of research and intelligence at Verizon Business
Security Solutions.
"Understanding what happens when a data breach occurs is
critical to proactive prevention. Through our more targeted
analysis, we are hoping to provide answers to businesses around the
globe that want to protect not only their data but their
reputation."
Key findings across industries:
Financial services
- Financial services face a greater risk from insiders, whereas
partners represent the chief source of risk for other industries
analyed.
- A blend of attack types is used against financial services,
with deceit and misuse the most common attacks.
- On average, attacks take longer and tend to be more
sophisticated. Discovery often takes weeks, although financial
services organisations generally learn of breaches more quickly
than other types of organisations.
- Relative to other industries, financial organisations
demonstrated a higher level of asset awareness. Breaches associated
with unknown or lost systems, data, connections and privileges
occurred far less frequently.
High-tech services
- The picture in high-tech services is complex. More than any
other industry, errors were a contributing factor and attacks were
fairly sophisticated. Though presumably tech-savvy, high-tech
organisations had a difficult time keeping track of information
assets and system configurations.
- Malicious insiders are a big issue. Insider misuse, which
refers to using granted resources or privileges, or both, for any
unauthorised purpose, is much higher in high-tech. Such behaviour
is inherently difficult to control in a culture where workers often
have high levels of access to many systems.
- Hacking is significant. Tech firms tend to do a better job on
basic system and application configurations, forcing attackers to
rely on vulnerabilities to compromise systems. A consistent and
comprehensive approach to patch deployment is often lacking.
- Attacking web applications represents the most common method of
intrusion. Additionally, the percentage of breaches involving
intellectual property is higher in the high-tech
community.
Retail
- Retail represented the largest portion of the overall cases
analysed.
- Many attacks exploit remote access connections, but web
applications are also frequently targeted. Attacks on wireless
networks are growing and are significantly higher than in any other
industry.
- Simple attacks are prevalent, but a considerable number of more
difficult attacks were employed against retail establishments.
- Retail is highly reliant on third-parties to discover breaches.
Typically, discovery happens more quickly than in food and beverage
but lags behind both the finance and high-tech industries.
- Overall, attacks against this industry are largely
opportunistic, seeking quick payloads of data that can easily be
used for fraudulent purposes.
Food and beverage
- Most breaches originate from external sources but leverage a
partner's trusted remote access connection as the point of entry
into online repositories of payment card data.
- These attacks rely on poor security configurations rather than
application or software vulnerabilities, are quickly executed and
are highly repeatable.
- Many attacks exploited point-of-sale systems that criminals use
to stage additional attacks and spread malware (corrupt software)
throughout food and beverage chain establishments.
- It takes food and beverage organisations a considerable amount
of time to learn of a breach. When they do, the discovery is almost
always made by a third party.
- Tippett said, "This report clearly shows it is not about clever
or complex security protection measures. It really boils down to
doing the basics from planning to implementation to monitoring of
the data."