The second part of Verizon’s DBIR 2017 summarizes industry-specific data breaches, followed by the nine incident patterns most commonly associated with the reported data breaches.
With so many verticals affected by attack incidents and data breaches, the DBIR 2017 extensively covers industry-specific findings, with a deep dive into each industry that examines the differences in detail.
The DBIR first provides the big picture of industry-specific data breaches, citing a reported 1,935 data breaches in 2016. The finance sector tops the list at 471 data breaches, followed by healthcare (296), public sector (239), and accommodation (201).
“The totals within Table 1 provide information on the sample size for this year’s study and are not indicative of one industry being more or less secure than another. It is more of an indication of how well an industry is represented by our data contributors…. Think of Table 1 as opening up the fridge to see just what ingredients you have to cook with, and if you have enough of an industry to ‘make the bread rise.’”
The DBIR also looked at which industries rely heavily on the internet to do business, and found that these verticals suffered more from Distributed Denial of Service (DDoS) attacks.
“Taken together, Information, Retail, Finance, and Education all featured high numbers of distributed denial of service (DDoS) attacks. These industries, which rely on a web presence to do business and to communicate with customers, also saw the largest median DDoS attack sizes. But just because other industries didn’t see as many or as large of attacks doesn’t mean they’re secure against DDoS campaigns.”
Data Breaches – a Deep Dive by Industry
In comparing verticals, Verizon looks at the variables of data breaches, analyzing the types of patterns, actions, and assets involved in each breach, to determine the “hot spots” for each vertical. Pattern types include web attacks, point of sale breaches, cyber espionage, and miscellaneous errors; actions most often included hacking, malware, and social attacks; and the assets that criminals used in data breach attacks involved servers, people, networks, and user development.
The Accommodation sector showed a pattern of point of sale intrusions (180), with hacking (171) and malware (180) as the common actions, most commonly using servers (175) and user development (174).
Continuing with the Accommodation vertical as an example, which includes hotels and restaurants, it is evident that the 180 breaches suffered within this sector in 2016 were dominated by point-of-sale (POS) breaches (it is the top industry for POS intrusions), with the majority (96%) of the breaches caused by external forces with a financial motivation.
“96% of breaches involved external actors—almost all by financially-motivated organized criminal groups attacking targets of opportunity and compromising payment card data. The threat action categories of malware and hacking were ubiquitous in attacks against this industry, with third-party managed POS devices (both terminals and controllers) accounting for the majority of the assets that were compromised.”
The DBIR offers a “Thing to consider” summary for each industry studied. For the Accommodation industry, the report recommends the following measures to fight against POS malware attacks:
- The level of software installation occurring in this industry needs to decrease as this particular variety of integrity compromise represents 94% of breaches this year.
- Don’t use default passwords as doing so makes criminals’ lives much easier.
- Filter remote access to your POS network. Only allow connections from whitelisted IP addresses.
- Patch promptly and consistently and make certain all terminals and servers are running the most recent version of software.
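One way to check the "filter remote access" recommendation against real traffic is to review accepted connections into the POS segment and flag any remote-access session whose source is not on the allowlist. The following is an added example, not part of the DBIR or the original article; the log format, subnets, addresses and port list are all constructed assumptions.

```python
import ipaddress

# Constructed values for illustration (private and documentation ranges).
POS_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # assumed POS segment
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "10.50.0.0/28")]
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
# Constructed firewall log in an assumed "timestamp action key=value" format.
SAMPLE_LOG = """\
2017-05-01T02:14:07Z ACCEPT src=192.0.2.10 dst=10.20.0.15 dport=3389
2017-05-01T02:15:41Z ACCEPT src=203.0.113.77 dst=10.20.0.15 dport=3389
2017-05-01T02:16:02Z ACCEPT src=10.50.0.4 dst=10.20.0.21 dport=22
2017-05-01T02:17:30Z ACCEPT src=198.51.100.9 dst=10.20.0.30 dport=5900
2017-05-01T02:18:00Z ACCEPT src=203.0.113.77 dst=10.99.0.5 dport=3389
2017-05-01T02:19:12Z DROP src=203.0.113.80 dst=10.20.0.15 dport=3389
malformed line without fields
"""

def parse_line(line):
    """Return (timestamp, action, fields) or None if the line does not parse."""
    parts = line.split()
    if len(parts) < 5:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not {"src", "dst", "dport"} <= fields.keys():
        return None
    return parts[0], parts[1], fields

def find_violations(log_text):
    """Accepted remote-access connections into the POS network from non-allowlisted sources."""
    violations = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, f = parsed
        try:
            src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
            port = int(f["dport"])
        except ValueError:
            continue  # unparseable address or port: skip rather than guess
        if action != "ACCEPT" or dst not in POS_NETWORK or port not in REMOTE_ACCESS_PORTS:
            continue
        if not any(src in net for net in ALLOWED_SOURCES):
            violations.append((ts, str(src), str(dst), REMOTE_ACCESS_PORTS[port]))
    return violations

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("non-allowlisted remote access:", *v)
```

Any hit means the firewall policy in front of the POS network is wider than the allowlist, so the rule that accepted the connection is the thing to fix.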
Incident Classification Patterns
Verizon concluded its report by featuring the nine incident classification patterns, with 88% of all breaches analyzed in the DBIR falling into one of the nine categories. Verizon looks at this section as a way to provide guidance on what is most likely to negatively impact an organization.
“Understanding these areas of concern goes a long way to help struggling security professionals gain insight on where and how to invest their limited resources. The patterns provide a quick and easy way to assess a baseline of where the most likely danger will arise.”
Here are a couple of categories worth examining:
- Denial of Service (DDoS) Attacks: DDoS attacks refer to “any attack intended to compromise the availability of networks and systems. Includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service.”
This category saw 11,246 incidents, five with confirmed data disclosure. Entertainment, Professional Services, Public, Information, and Finance saw the most instances of this category, with large organizations the targets in 98% of attacks. Across the board, the median size of DoS attacks decreased. Most attacks also didn’t last for more than a few days. But the security industry still witnessed some notable attacks driven by IoT botnets, including Mirai’s DDoS attack campaign against Dyn on 21 October 2016.
- POS Intrusions: Point-of-sale attacks are described by Verizon as “remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets. Physical tampering of PIN entry device (PED) pads or swapping out devices is covered in the Payment Card Skimmers section.”
Accommodation and Food Services as well as Retail suffered the most from POS intrusions. In total, there were just 212 incidents, 207 with confirmed data disclosure. Many of these attacks involved RAM scraping. However, keylogging/spyware also played a part.
DBIR 2017 – Conclusion
Much like the growth of data breaches reported within Verizon’s DBIR, the DBIR itself has also evolved.
Within the last decade, the DBIR went from a brief report totally comprised of breaches investigated by one entity (Verizon), which were primarily focused on Financial and Retail verticals, to a collaborative effort with as many as 70 organizations spanning the globe. Over the last decade our scope has broadened to encompass a bit of almost everything cyber-related that is occurring in enterprises around the world.
With the many new threats that have emerged and evolved over the last 10 years – hacktivism moving from availability attacks to full-blown data breaches, the prevalence of nation-state and state-affiliated espionage, the rise and dominance of phishing, DDoS attacks, more sophisticated and polymorphic malware – DBIR’s goal remains the same.
“Our goal has always been to help organizations understand the threats they are facing, and enable them to make sound evidence-based risk management decisions.”
Until DBIR 2018, let’s all hope that knowledge is power in the fight against data breaches.