April 24, 2014, updated 22 Sep 2016 1:19pm

5 security threats your company needs to know about

Learn what the threats are and how to protect yourself.

By Jimmy Nicholls

A report released this week by Verizon analysed a decade of data on security breaches to find out what tactics hackers are using to attack computer systems. Drawing on 100,000 separate incidents, including 63,000 in 2013, the security firm identified nine basic patterns that covered 92% of the attacks.

In this two-part series we guide you through the Verizon Data Breach Investigations Report, telling you what the threat is, whether your industry is likely to be affected, and what you can do to protect yourself.

1) Point-of-sale intrusions

Industries affected: Accommodation, food and retail

Point-of-sale (POS) attacks can be used against card systems used by the food and retail industries.

Point-of-sale (POS) refers to the set-up for retail transactions, for instance when card payment details are transmitted when paying for dinner in a restaurant. Unlike card skimming, covered below, these do not involve physical tampering, but are conducted remotely.

Typical targets of POS attacks include hotels and grocery stores, with small and medium businesses particularly at risk. An attacker will seek to compromise the POS device, installing malware that collects magnetic stripe data. According to Verizon, organised crime in Eastern Europe is frequently responsible.

What to do: Verizon advise companies to restrict remote access to their systems, and have a clear idea of when it will take place. Devices handling POS should not be used for email, gaming or social media, and passwords should be strong. Anti-virus software should also be installed on all systems handling sales.


2) Web application attacks

Industries affected: Information, utilities, manufacturing and retail

Attacks through web applications can take many forms, making them difficult to defend against. As reported on CBR, two of three web app attacks are done in the name of ideology or amusement, with financial gain accounting for most of the remainder.

Using web apps for financial gain often takes the form of phishing, malware installation and brute force (password guessing), according to Verizon. A rarer tactic is that of SQL injection, in which commands are given to the database in order to obtain the desired data. As with point-of-sale attacks, those which could be attributed were linked to Eastern Europe.

Ideological attacks tended to focus on content management systems (CMSs) such as WordPress or Drupal, often targeting plug-ins rather than core code. Through this method websites were often defaced without more serious damage taking place.

What to do: Companies are encouraged by Verizon to find methods of authentication other than single passwords. Given the vulnerability of CMSs it may be prudent to move to static frameworks, which pre-generate content rather than responding to each query.

Develop a manual patching process if an automated one is unavailable. Proactively seeking vulnerabilities, creating lockout policies to deter brute force attacks (in which hackers try to guess passwords) and monitoring outbound connections are also advised by Verizon.
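A lockout policy of the kind recommended above can be sketched as a sliding-window counter per account. This is an added example, not code from Verizon's report or this article; the class name, thresholds and sample login attempts are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after too many failed logins in a sliding window."""

    def __init__(self, max_failures=5, window=300, lock_for=900):
        self.max_failures = max_failures  # failures tolerated inside the window
        self.window = window              # seconds of history that count
        self.lock_for = lock_for          # seconds the account stays locked
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def record(self, account, success, now):
        """Process one login attempt; return 'ok', 'failed' or 'locked'."""
        if self._locked_until.get(account, 0) > now:
            return "locked"  # a correct password is refused too while locked
        if success:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            recent.clear()
            return "locked"
        return "failed"

# Constructed sample: (seconds, account, password_correct)
SAMPLE_ATTEMPTS = [
    (0, "alice", False), (0, "bob", False),
    (10, "alice", False), (20, "alice", False),  # third failure in 60s
    (30, "alice", True),                         # right guess, inside lockout
    (100, "bob", False), (200, "bob", False),    # slow typos, never 3 in 60s
    (400, "alice", True),                        # lockout has expired
]

def replay(attempts, policy):
    """Feed attempts in order and collect the policy's decision for each."""
    return [policy.record(acct, ok, t) for t, acct, ok in attempts]

if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, window=60, lock_for=300)
    print(replay(SAMPLE_ATTEMPTS, policy))
```

The window matters as much as the threshold: the slow failures on the second account never trip the lock, while the rapid burst on the first does and keeps a correct guess out until the lock expires.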

Though its effects were massive, the Edward Snowden breach was essentially a case of insider misuse.

3) Insider misuse

Industries affected: Public, real estate, admin, transport, manufacturing and mining

This category covers any abuse of an organisation’s resources by a trusted user, typically for personal or financial gain. In 2013 Verizon saw a move towards accessing trade secrets and internal data, but they do not believe misuse as a whole has increased. A memorable example of this would be the activity of Edward Snowden.

Organisations must place a certain amount of trust in employees in order to enable them to do their jobs, but doing so opens their systems to misuse. Verizon say this can be as basic as writing down credit card information on a piece of paper or as complex as installing malware such as keyloggers. It can be done remotely, via a local network or physically.

What to do: Maintaining basic controls over who has access to data is an obvious place to start, including disabling accounts of former employees. Companies should be wary of data being taken out of the organisation (exfiltration), and take regular anonymised access audits to deter potential abusers.

4) Physical theft/loss

Industries affected: Public, healthcare and mining

The oldest type of data breach on this list, Verizon included it because of its prevalence. Nearly half of the incidents recorded happened within the victim’s work area, with a quarter in a personal vehicle and 10% in a personal residence. Assets commonly misappropriated or mislaid include laptops, documents, desktops and flash drives.

What to do: A certain amount of property loss is par for the course for any business, and companies should prepare with that in mind. All devices should be encrypted, with important data backed up. Sensitive equipment should be locked down or moved to secure areas. Using outdated, undesirable tech may also deter thieves who want the gear rather than the data.

Everyday theft and loss can also be sources of data breaches for any company.

5) Miscellaneous Errors

Industries affected: Public, admin and health

All of the categories include errors of a kind, but within this group were human mistakes which directly led to a breach, as opposed to ones which merely left the system open to attack. Almost half of those found by Verizon were misdelivery – sending sensitive data to an unintended recipient.

Second and third on the list were the mistaken publishing of information and failing to dispose properly of data. Of all miscellaneous errors found by Verizon, half involved documents, and a third of the time an external source such as a customer found the breach.

What to do: Data Loss Prevention software can scan emails to check for strings of sensitive data and prevent files being sent. Better publishing processes, such as the use of a proofreader, can also prevent sensitive data becoming public, as can checking a sample of post before it is despatched.
