Attacks/Breaches
2/4/2010
02:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hospitality Industry Hit Hardest By Hacks

Trustwave report on data breach investigations shows hotels were breached more than financial institutions last year, and nearly all attacks were after payment-card data

Hackers checked into hotel networks more than any other in 2009, and all organizations hit by attacks didn't discover breaches for an average of 156 days, according to a new report based on real-world attacks worldwide.

Nicholas Percoco, senior vice president of Trustwave's SpiderLabs, announced at Black Hat DC this week these and other findings the company compiled in 218 data breach investigations in organizations across 24 countries. Financial services companies accounted for about 19 percent of the breaches, but that was far fewer than in the hospitality industry, where 38 percent of all breaches took place. Retail (14.2 percent) and food and beverage (13 percent) also suffered a fair chunk of attacks, according to Trustwave's data.

And not surprisingly, a whopping 98 percent of targeted data was payment card information. Percoco said that credit card and debit card information is most in demand because it's easy "to turn into cash quickly."

Authentication credentials, financial information, healthcare, and other sensitive information each accounted for 1 percent of the targeted data. And the bad guys mostly hit software-based point-of-sales systems last year, Percoco said, with 83 percent of attacks hitting those systems, 11 percent e-commerce systems, and 3 percent payment processing systems. About 2 percent hit ATM machines. "We don't see a lot of raw hardware-tampering. But we do see it from time to time," Percoco said.

Percoco outlined the three main steps in a typical data breach and how attackers mostly operate at each level: initial entry, data harvesting, and exfiltration.

Nearly half of these attacks occur via remote access applications, of which 90 percent exploit default or weak passwords, according to the report. Around 42 percent of attacks occurred via third-party connections; 6 percent, SQL injection; 4 percent, exposed services; and 2 percent, remote file inclusion attacks. Interestingly, less than 1 percent began with an email Trojan.

Around 54 percent of the attacks used malware to harvest stolen data: More than two-thirds (67 percent) deployed memory parsers; 18 percent, keystroke loggers; 9 percent, network sniffers; and 6 percent, malware that the bad guys control who accesses the malware, such as in ATM attacks, according to Percoco.

The actual exfiltration of the stolen data is executed in various ways. Nearly 30 percent used Microsoft Network Shares; 27 percent, native remote access apps; malware via FTP; and 10 percent, native FTP clients. SQL injection was used in 6 percent of the attacks.

Percoco also discussed a sampling of penetration testing data gathered by Trustwave in its report. "Attackers are using old vulnerabilities to get in and out. They know they aren't going to be detected [in many cases], so they are camping out and not trying to hide because no one's watching," he said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report