Verizon Data Breach Report Reveals Industry-Specific Risks

The report finds that financial services companies face the highest risk from insiders, while high-tech, retail, and food and beverage businesses are most vulnerable to partner companies.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 2, 2008

5 Min Read

When it comes to data breaches, different security strategies work better for different industries.

In a supplemental report that follows up on a data breach study released in June -- covering 500 forensic investigations over four years into incidents that led to 230 million compromised records -- Verizon Business compares and contrasts data breaches across four industry sectors: financial services, high tech, retail, and food and beverage.

"You have to tailor security to industry-specific threats," said Bryan Sartin, managing principal of investigative response for Verizon Business. "A cookie-cutter approach is not enough."

The report, released Thursday, finds that financial services companies face a greater risk from insiders, in contrast to the three other industry sectors where partner companies represent the major source of risk.

Risk in this context is measured by multiplying the number of records exposed by the likelihood that a given source -- external, internal, or partner -- will be involved. External threats are the most likely source of breaches on a per-incident basis across all industries, but insider incidents compromised more records among financial companies.

The reason for this, said Sartin, is that "these financial companies are pretty good at external security and external connections to business partners."

The most common forms of attack against financial services companies involve deceit and misuse. The attacks take longer and tend to be more sophisticated. It often takes weeks for these attacks to be discovered, but that's better than the average across industry sectors.

As Verizon's June study revealed, 75% of breaches were not discovered by the victim, and in 63% of cases, months or years passed between the initial breach and discovery.

On a positive note, the supplemental report shows that financial services companies tend to be more aware of their assets and suffer fewer data breaches than other industry sectors as a consequence of unknown or lost systems.

The retail sector represented the largest number of cases among the 500 analyzed. Retail attacks often exploit remote access connections, Web applications, and wireless networks. They're largely opportunistic, seeking valuable data that can be used quickly for a profit.

The retail sector is slower on average than the high-tech or financial sectors to discover breaches, though it does better than the food and beverage industry in that regard.

In the food and beverage industry, most breaches were traced to external sources, but attackers often made use of a partner's trusted remote access connection to gain access to payment card data stores. The attackers tended to rely on misconfigurations rather than vulnerabilities, and they often took advantage of point-of-sale systems to introduce malware across company networks.

At high-tech companies, system complexity proved to be a source of problems. High-tech organizations appear to be prone to errors arising from the difficulty of tracking information assets and of maintaining proper system configurations.

"Compared to financial services, retail, and food and beverage companies, high-tech organizations have more sophisticated back ends," said Sartin. "Sophistication leads to errors."

High-tech companies also face risks from insiders, but in contrast to other industry sectors, high-tech companies are particularly vulnerable to IT administrators gone bad.

Among high-tech companies, 77% of internal breaches involved IT administrators. In the financial and retail sectors, respectively, IT administrators were involved in breaches 31% and 45% of the time. There were an insufficient number of cases in the food and beverage industry to provide statistics for comparison. Verizon's study suggests that tech firms tend to do a better job with basic system configuration, which forces attackers to rely on vulnerabilities for their attacks. This might not be a problem if tech companies did a better job at patch deployment, but the study found that they often lack a strong patch deployment program.

Web applications represented the most common attack vector at tech companies.

Sartin described one forensic investigation that involved a mining company. The company made large mining equipment, which it sold mainly to customers in Canada's Northwest Territories and in South Africa. The company made most of its money off the sale of spare parts rather than mining gear itself.

The company started to notice that generic versions of its parts were showing up on the black market in South Africa, Sartin explained. When company investigators obtained some of these unauthorized parts, they found that the tolerances were almost exactly the same as the authorized ones manufactured by the company.

"It became clear that someone had gotten into one of their CAD systems," Sartin said. "And sure enough they had an online CAD system that they'd made available to engineers in the field."

Further investigation revealed that someone had penetrated the system using a SQL injection attack. "Someone had stumbled onto the data and sold it," said Sartin, who added that the perpetrator has been arrested and prosecuted.

Sartin described another case he worked on involving a large shipping company that sent goods overseas on routes through Southeast Asia, from Singapore to Indonesia.

The company was having problems with pirates. Not college kids downloading copyrighted music, but armed robbers with boats. The company's container ships weren't armed and tried to defend themselves with water cannons, but weren't having much luck. Generally, the crews retreated and locked themselves in cabins for safety when boarded.

Despite the fact that the many containers on the ship looked alike, the pirates always seemed to know which ones had the most valuable, sellable goods in them. "Someone had access to bill-of-lading information," Sartin said.

This information enabled them to strike quickly and get away, rather than having to open every container on the ship.

Verizon's investigators found that the shipping company's Web-based inventory system had been breached. "This underscores the idea that anybody who has access to data of value ... can find somebody to buy it," said Sartin.

The investigators' findings were turned over to local authorities. No arrest has been made.

For information security directors at large corporations, the growing reliance on contractors is a major security concern. Many businesses are turning to software-based contractor-isolation solutions to address this potential threat. Download the TechWeb report Efficiently Isolating Contractors From Sensitive Data: The Many Advantages of Software-based Contractor Isolation to learn more about contractor security trends and software-based contractor isolation (registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights