Information Security Research

Candy everybody wants

The publication of the 2017 Verizon Data Breach Investigations Report (DBIR) last week was met by the information security community with its usual anticipation. Over the report's ten-year existence, security pros have come to rely on it for the trends, statistics, and patterns that help focus organizational efforts and make the case for additional, much-needed support for the security program. The DBIR also offers excellent charts, graphs, and quotes that get used throughout the year to fortify security-related presentations and blog posts (like this one!). Needless to say, the release of the DBIR has become an industry event of sorts: people comb through the parts of the report most relevant to them and argue the finer points against what they see in their own environments.

The amount of data gathered, analyzed, and presented grows each year, and the format of the final product changes along with it. In some ways this makes true year-on-year comparisons a challenge. However, anyone who has followed infosec throughout the year won't find any tremendous surprises in the 2017 report.

If lust and hate is the candy

Based on data collected from 65 contributing organizations, 2016's most affected industries were Accommodation (including food service), Education, Entertainment, Finance, Healthcare, Information, Manufacturing, Professional, Public Administration, and Retail. Combining reported incidents[i] and confirmed breaches[ii], Public Administration takes the first-place spot. Given the size and reporting requirements of the sector, coupled with its tendency to participate in the DBIR, public sector organizations come in at over 21,000 events: the highest number of overall incidents, and the third highest number of breaches (239). The industry with the highest number of breaches in 2016 was Finance, with 471 confirmed. Healthcare, despite all the press it has received over the last year, reported the second highest number of breaches (296, a far cry from the quantity in financial services) but only 458 incidents, which is seventh on the list after Public Administration, Entertainment, Professional, Finance, Information, and Manufacturing.

More interesting than tallying up the biggest winners and losers, however, is understanding how companies in these industries were attacked and by whom. Knowing these patterns, rather than sheer numbers, provides guidance on what other organizations in the same industry should be looking out for. By no means does the DBIR suggest that organizations should look only for the trends and patterns in their own industry, but seeing the big picture gives security teams a place to focus first, which is helpful given companies' ever-expanding threat landscapes.

If blood and love tastes so sweet

Starting with the largest bucket first, according to the data, public sector organizations should be most concerned with cyber-espionage, privilege misuse, and "miscellaneous errors." Public Administration also must keep a closer watch on internal actors than the average organization does: forty percent of breaches in public administration were caused by insiders, versus 25% overall. With the amount of trade secrets and personal information collected and retained by the public sector, it's no surprise that those with devious tendencies want "in" on that information. What is unnerving, however, is the frequency with which those individuals, state-affiliated actors and unauthorized employees alike, can get at what they want.

Manufacturing also reports a high percentage of cyber-espionage as an attack pattern. As the report points out, "when you make stuff, there is always someone else who wants to make it better, or at least cheaper. A great way to make something cheaper is to let someone else pay for all of the R&D and then simply steal their intellectual property." The same goes for academic institutions; colleges and universities are built on research and the generation of new ideas, findings, and solutions to major problems, like how to cure cancer and how to slow the Earth's progression towards a boiling point. These institutions also operate on a premise of openness and sharing (what good will it do to learn how gravity works if you don't tell anybody else?). In that kind of environment, security teams face a greater-than-usual challenge in securing data and information, regardless of its sensitivity.

The larger issue of which security teams in education environments need to be aware is personal information, as the DBIR shows that more than half of the reported breaches include the compromise and disclosure of personally identifiable information (PII) of students and employees. The way attackers are getting at the data they want in this industry is primarily hacking, followed fairly closely by social (i.e., phishing), then malware. The DBIR states that "use of stolen credentials against web applications was the dominant hacking tactic," indicating that credentials belonging to students, staff, and professors are likely being harvested (through phishing, or by reusing passwords exposed in breaches elsewhere) and then replayed against the institution's web applications, regardless of how sensitive the information behind those applications is.
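The "stolen credentials against web applications" pattern the DBIR names is usually visible in a web application's own authentication log as credential stuffing: one client source replaying many different username/password pairs in quick succession, with most of them failing and the occasional success marking an account that has actually been taken over. The script below is an added example written for this post, not code from the DBIR or the original author; the log format, the thresholds, and the sample log lines are all constructed assumptions that would need to be adapted to whatever the application really logs.

```python
"""Flag credential-stuffing activity in web-application login logs.

Added example, not from the DBIR or the original post.  The log format,
the thresholds and the sample lines below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 timestamp> <client IP> <username> <SUCCESS|FAIL>"
# 203.0.113.7  : one source trying ten different accounts in ten seconds (stuffing)
# 198.51.100.4 : a real user mistyping a password twice, then logging in
# 192.0.2.9    : one account hammered from one source (password guessing, not stuffing)
SAMPLE_LOG = """\
2017-05-01T09:00:01 203.0.113.7 alice FAIL
2017-05-01T09:00:02 203.0.113.7 bob FAIL
2017-05-01T09:00:03 203.0.113.7 carol FAIL
2017-05-01T09:00:04 203.0.113.7 dave SUCCESS
2017-05-01T09:00:05 203.0.113.7 ellen FAIL
2017-05-01T09:00:06 203.0.113.7 fred FAIL
2017-05-01T09:00:07 203.0.113.7 grace FAIL
2017-05-01T09:00:08 203.0.113.7 heidi FAIL
2017-05-01T09:00:09 203.0.113.7 ivan FAIL
2017-05-01T09:00:10 203.0.113.7 judy FAIL
2017-05-01T09:01:00 198.51.100.4 erin FAIL
2017-05-01T09:01:20 198.51.100.4 erin FAIL
2017-05-01T09:01:35 198.51.100.4 erin SUCCESS
2017-05-01T09:02:00 192.0.2.9 frank FAIL
2017-05-01T09:02:01 192.0.2.9 frank FAIL
2017-05-01T09:02:02 192.0.2.9 frank FAIL
2017-05-01T09:02:03 192.0.2.9 frank FAIL
2017-05-01T09:02:04 192.0.2.9 frank FAIL
2017-05-01T09:02:05 192.0.2.9 frank FAIL
"""

WINDOW = timedelta(minutes=5)   # sliding window evaluated per source IP (assumed)
MIN_DISTINCT_USERS = 5          # many *different* accounts from one source ...
MIN_FAIL_RATIO = 0.8            # ... with almost all attempts failing


def parse_line(line):
    """Return (timestamp, ip, username, succeeded) for one log line in the constructed format."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip, user, result == "SUCCESS"


def find_credential_stuffing(lines, window=WINDOW,
                             min_users=MIN_DISTINCT_USERS,
                             min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: summary} for every source that looks like it is replaying
    stolen credentials.  Repeated failures against a single account from one
    source are a different pattern (password guessing) and are not flagged here."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so the window spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                a = alerts.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                           "compromised": set()})
                a["attempts"] = max(a["attempts"], len(win))
                a["distinct_users"] = max(a["distinct_users"], len(users))
                # successes inside a stuffing run identify the accounts that need a
                # forced password reset, not just the source that needs blocking
                a["compromised"].update(u for _, u, ok in win if ok)

    for a in alerts.values():
        a["compromised"] = sorted(a["compromised"])
    return alerts


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {summary['attempts']} attempts against "
              f"{summary['distinct_users']} accounts; "
              f"compromised: {summary['compromised']}")
```

Two design points matter more than the particular thresholds. First, the detector keys on the number of distinct accounts per source, which is what separates replayed breach lists from an ordinary user fumbling a password or a brute-force run against one account. Second, the successes inside a flagged run are reported separately, because those are the accounts that have actually been compromised and need a reset and a session revocation, not merely a source IP to block.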

Then we give ‘em what they want

Denial of service (DoS) attacks were also a prevalent incident pattern among educational services in 2016. Of course, colleges and universities weren't alone in this category; financial services and retail organizations were big DoS targets as well. In fact, in financial services, DoS was the most common incident type. This makes sense, given how many customers depend on financial firms' online services. That said, there is no indication that DoS against financial service firms led to data loss or disclosure. What did? Web application attacks and payment card skimming. The report is quick to point out that not all sectors within financial services operate equally, noting that investment bankers and insurers, who feature prominently in financial services, don't "[have] to worry about dudes in hoodies and track pants installing skimmers and cameras on ATMs." Point taken.

The report also excluded banking Trojans from its analysis, stating that "the sheer amount of those breaches" would overwhelm the dataset, skewing it so significantly that other attack patterns would not appear to be as big of a concern as they are. Banking Trojans, however, should remain top of mind for security teams in this industry precisely because they are so effective and prevalent. Even as this blog post is written, news of a new variant is circulating on the internet.

Retail is also impacted significantly by DoS, web application attacks, and payment card skimming. Threat actor motives against this industry are overwhelmingly financial (96%), so it's no surprise that attackers go after web apps, likely by way of stolen consumer credentials, and steal customer card data as it is entered or transferred to the merchant. Retail, like financial services, is segmented, with e-commerce behaving differently than brick-and-mortar shops. The report notes that "Traditional storefront retailers have an entirely different attack surface." For these retailers, payment card skimming, which often involves physical tampering with the terminal, is the attack of choice. Notably, point of sale (POS) intrusions are not among the common patterns for retail organizations.

So their eyes are growing hazy

Where POS attacks are common, however, is within Accommodation, which includes hotels and food service/restaurants. POS compromise in this industry was rampant in 2016, though the numbers are down from previous years. With Shoney's, Chipotle, InterContinental Hotels Group, and Sabre Corp. all reporting breaches within just the last month, this is a category to watch throughout 2017, as it looks likely that large-scale POS breaches will continue to dominate in Accommodation. How are attackers getting into POS systems? Primarily through hacking and malware, per the DBIR. It's also worth pointing out that privilege misuse was one of the top three attack patterns in Accommodation, so it's likely that stolen credentials were used opportunistically, largely by organized criminal groups.

‘Cause they want to turn it on

The final major category covered in the 2017 DBIR is an industry gaining plenty of attention for its vulnerability: Healthcare. Looking at the data above, the industry isn't (comparatively) as much of a cyber attack victim as the media would make it seem. (Again, this could be partly due to which data was submitted for this report, and partly due to the media attention healthcare breaches receive because of the extremely sensitive nature of the data exposed in such an attack.) Personal healthcare data earns a pretty penny on the black market, and IT and security teams working in doctors' offices and hospitals suffer the same fate as their peers in educational services: the providers' needs trump all else. This is a tricky and highly regulated industry built on some of the most sensitive data there is. And while doctors, nurses, and the like are well educated, they are not known for overwhelming technical prowess (nor should they be), and so privilege misuse, miscellaneous errors (like improper data disposal or swapped patient identities), and physical theft and loss are the top three attack patterns reported.

Interestingly, in the healthcare category 68% of threat actors are internal, a far cry from the overall report average of 25%, and 23% of actor motives were characterized as "for fun." This is disturbing.

Well who do you want to blame?

Plenty of additional juicy data is provided in the 2017 DBIR. Keep in mind, though, if you do choose to read all seventy-six pages, that the data is only as good as the contributing organizations and can't be considered a Holy Grail. What it provides, however, is a good set of guidelines for security practitioners. No team or organization can afford to take its eye off the proverbial ball, but an understanding of the general trends, patterns, and statistics for a given industry is a helpful hand up.

[i] Defined by Verizon as "a security event that compromises the integrity, confidentiality or availability of an information asset."

[ii] Defined by Verizon as "an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party."