Attacks/Breaches
2/4/2010
02:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hospitality Industry Hit Hardest By Hacks

Trustwave report on data breach investigations shows hotels were breached more than financial institutions last year, and nearly all attacks were after payment-card data

Hackers checked into hotel networks more than any other in 2009, and all organizations hit by attacks didn't discover breaches for an average of 156 days, according to a new report based on real-world attacks worldwide.

Nicholas Percoco, senior vice president of Trustwave's SpiderLabs, announced at Black Hat DC this week these and other findings the company compiled in 218 data breach investigations in organizations across 24 countries. Financial services companies accounted for about 19 percent of the breaches, but that was far fewer than in the hospitality industry, where 38 percent of all breaches took place. Retail (14.2 percent) and food and beverage (13 percent) also suffered a fair chunk of attacks, according to Trustwave's data.

And not surprisingly, a whopping 98 percent of targeted data was payment card information. Percoco said that credit card and debit card information is most in demand because it's easy "to turn into cash quickly."

Authentication credentials, financial information, healthcare, and other sensitive information each accounted for 1 percent of the targeted data. And the bad guys mostly hit software-based point-of-sales systems last year, Percoco said, with 83 percent of attacks hitting those systems, 11 percent e-commerce systems, and 3 percent payment processing systems. About 2 percent hit ATM machines. "We don't see a lot of raw hardware-tampering. But we do see it from time to time," Percoco said.

Percoco outlined the three main steps in a typical data breach and how attackers mostly operate at each level: initial entry, data harvesting, and exfiltration.

Nearly half of these attacks occur via remote access applications, of which 90 percent exploit default or weak passwords, according to the report. Around 42 percent of attacks occurred via third-party connections; 6 percent, SQL injection; 4 percent, exposed services; and 2 percent, remote file inclusion attacks. Interestingly, less than 1 percent began with an email Trojan.

Around 54 percent of the attacks used malware to harvest stolen data: More than two-thirds (67 percent) deployed memory parsers; 18 percent, keystroke loggers; 9 percent, network sniffers; and 6 percent, malware that the bad guys control who accesses the malware, such as in ATM attacks, according to Percoco.

The actual exfiltration of the stolen data is executed in various ways. Nearly 30 percent used Microsoft Network Shares; 27 percent, native remote access apps; malware via FTP; and 10 percent, native FTP clients. SQL injection was used in 6 percent of the attacks.

Percoco also discussed a sampling of penetration testing data gathered by Trustwave in its report. "Attackers are using old vulnerabilities to get in and out. They know they aren't going to be detected [in many cases], so they are camping out and not trying to hide because no one's watching," he said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?