Data security should not be seen as a "one-size fits all" requirement, says Verizon Business, because different industry sectors have differerent requirements.
A supplemental Verizon study, based on its recently released 2008 Verizon Business Data Breach Investigations Report, saw Verizon Business security experts use the original data to provide a glimpse into the differences and similarities in attacks across four key industries: financial services, high-tech, retail, and food and beverage.
"The supplemental report provides further insight into the nature of breaches, underscoring that good security does not lend itself to a cookie-cutter approach," said Peter Tippett, vice-president of research and intelligence at Verizon Business Security Solutions.
"Understanding what happens when a data breach occurs is critical to proactive prevention. Through our more targeted analysis, we are hoping to provide answers to businesses around the globe that want to protect not only their data but their reputation."
Key findings across industries:
- Financial services face a greater risk from insiders, whereas partners represent the chief source of risk for other industries analyed.
- A blend of attack types is used against financial services, with deceit and misuse the most common attacks.
- On average, attacks take longer and tend to be more sophisticated. Discovery often takes weeks, although financial services organisations generally learn of breaches more quickly than other types of organisations.
- Relative to other industries, financial organisations demonstrated a higher level of asset awareness. Breaches associated with unknown or lost systems, data, connections and privileges occurred far less frequently.
- The picture in high-tech services is complex. More than any other industry, errors were a contributing factor and attacks were fairly sophisticated. Though presumably tech-savvy, high-tech organisations had a difficult time keeping track of information assets and system configurations.
- Malicious insiders are a big issue. Insider misuse, which refers to using granted resources or privileges, or both, for any unauthorised purpose, is much higher in high-tech. Such behaviour is inherently difficult to control in a culture where workers often have high levels of access to many systems.
- Hacking is significant. Tech firms tend to do a better job on basic system and application configurations, forcing attackers to rely on vulnerabilities to compromise systems. A consistent and comprehensive approach to patch deployment is often lacking.
- Attacking web applications represents the most common method of intrusion. Additionally, the percentage of breaches involving intellectual property is higher in the high-tech community.
- Retail represented the largest portion of the overall cases analysed.
- Many attacks exploit remote access connections, but web applications are also frequently targeted. Attacks on wireless networks are growing and are significantly higher than in any other industry.
- Simple attacks are prevalent, but a considerable number of more difficult attacks were employed against retail establishments.
- Retail is highly reliant on third-parties to discover breaches. Typically, discovery happens more quickly than in food and beverage but lags behind both the finance and high-tech industries.
- Overall, attacks against this industry are largely opportunistic, seeking quick payloads of data that can easily be used for fraudulent purposes.
Food and beverage
- Most breaches originate from external sources but leverage a partner's trusted remote access connection as the point of entry into online repositories of payment card data.
- These attacks rely on poor security configurations rather than application or software vulnerabilities, are quickly executed and are highly repeatable.
- Many attacks exploited point-of-sale systems that criminals use to stage additional attacks and spread malware (corrupt software) throughout food and beverage chain establishments.
- It takes food and beverage organisations a considerable amount of time to learn of a breach. When they do, the discovery is almost always made by a third party.
- Tippett said, "This report clearly shows it is not about clever or complex security protection measures. It really boils down to doing the basics from planning to implementation to monitoring of the data."