Cyber-security has become a major compliance issue in recent years as the frequency and severity of data breaches and information security incidents have prompted organizations to direct all available resources to deal with the problem.
To help companies in their efforts, Verizon’s 2017 Data Breach Investigations Report takes a deep dive into 1,935 breaches and 42,068 security incidents from 65 contributing organizations. In the report, Verizon defines “incident” as “a security event that compromises the integrity, confidentiality or availability of an information asset” and defines a “breach” as “an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.”
“The majority of breaches are financially motivated and somewhat opportunistic in nature,” Mark Spitler, the report’s lead author, said in a recent Webinar discussing the results. “I don’t expect that to go away any time soon.” Specifically, 73 percent of breaches were financially motivated, while another 21 percent were the result of cyber-espionage carried out by state-affiliated actors.
An assessment of data breach trends by industry based on data in the Verizon data breach report—including who carries them out, how they are carried out, and what companies can do to mitigate the risk—is discussed in more detail below.
Healthcare. Whether caused by an internal or external threat, data breaches plague healthcare organizations more than any other industry. Insider misuse is especially problematic, with healthcare being the only industry in which employees are the predominant threat actors in breaches.
The specific motives behind breaches caused by internal actors are almost equally divided between financial motivations (identity theft) and fun (employees accessing patient data out of curiosity—for friends or relatives, for example).
Carelessness is another big issue in the healthcare industry. Delivering healthcare records to the wrong patient, disposal errors, and lost documents made up another 30 percent of healthcare breaches.
It’s upsetting to continue to hear about unencrypted laptops resulting in a breach disclosure, Spitler said. “It’s not going to get your laptop back,” he said, “but it can prevent you from having to say, ‘We just lost a thousand patient records.’”
The Verizon report recommends several measures healthcare organizations can implement to mitigate the risk of a breach or incident:
Have a process that requires a second individual to sign off on any online changes to avoid publishing errors;
Have a policy in place for disposal of any personally identifiable information (PII) and make sure that it is monitored for compliance;
Encrypt all mobile devices to limit the impact of lost or stolen devices;
Routinely check employee activity to ensure they are not viewing, downloading, or printing information that they have no business need for;
Use warning banners, making it clear to employees that their data use at work is being monitored; and
Where feasible, tokenize sensitive information—such as Social Security Numbers—when used to identify a record and the employee does not need it for billing purposes or patient care.
Ransomware—when attackers encrypt the contents of a device and then demand a ransom to unlock the data—is another top cyber-threat facing healthcare organizations. This is because electronic health records—rich in credit card data, Social Security Numbers, employment information, and medical records—fetch a high price on the black market.
In the Verizon report, ransomware attacks were not counted as breaches because of the inability to confirm that data confidentiality was violated. Guidance issued by the Department of Health and Human Services, however, recommends that healthcare organizations treat ransomware as a breach for reporting purposes. To prepare for a ransomware attack, the Verizon report recommends backing up all systems routinely and having those backups ready to fall back on.
Financial and insurance. In the financial services industry, 88 percent of incidents resulted from denial-of-service (DoS) attacks, Web app attacks, or cyber-espionage, the Verizon report finds. Ninety-six percent of these attacks were financially motivated—such as accessing systems to fraudulently transfer money or using the personal information of customers for identity theft.
The Verizon report defines a DoS attack as “any attack intended to compromise the availability of networks and systems.” This includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service.
One way to minimize the risk of a DoS attack is to “have a DoS protection and mitigations service in place and make it your job to know the details of the agreement with the provider,” the report states. Additionally, the report recommends using two-factor or multifactor authentication to help secure all Web applications.
“Not all industries are going to be affected by the same threats with equal frequency,” Spitler said. In the financial services industry, for example, insurers and investment bankers do not have to worry about credit card skimmers in the same way that commercial banks or credit unions do.
After taking ATM skimming, DoS, and botnets out of the equation, the Verizon report found privilege misuse to be the most common incident pattern within select financial industry breaches. Thus, it’s a good idea to “keep an eye on employees, and periodically monitor their activities,” the report advises. “Do not give them permissions they do not need to do their job, and make sure you disable accounts immediately upon termination or voluntary departure.”
Another important measure: Keep audit logs of user activity not just to hunt down malicious or inappropriate users, but also to prevent external adversaries from gaining access using legitimate internal credentials, Spitler said. The same security controls designed to identify employee misuse can also detect external attackers masquerading as privileged users.
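The two monitoring recommendations above (checking that employees only touch records they have a business need for, and watching for activity on accounts that should have been disabled at departure) can be expressed as simple rules run over an access audit log. The following is an added illustration, not code from Verizon or from the report; the log format, the care-team roster, the HR termination feed, and the bulk-access threshold are all assumptions constructed for this example.

```python
"""Audit-log review for privilege misuse: constructed example, not the report's code.

Three rules are applied to an EHR-style access log:
  1. activity by an account HR says should already be disabled;
  2. access to a patient record the user has no business need for;
  3. bulk printing/downloading of many distinct records in a short window.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, action, patient record id.
SAMPLE_LOG = """\
2016-03-01T08:02:10 nurse.jane VIEW P1001
2016-03-01T08:05:44 nurse.jane VIEW P1002
2016-03-01T09:15:02 dr.lee VIEW P1001
2016-03-01T09:17:30 dr.lee VIEW P2044
2016-03-01T12:40:11 clerk.bob PRINT P1003
2016-03-01T12:41:02 clerk.bob PRINT P1004
2016-03-01T12:41:40 clerk.bob PRINT P1005
2016-03-01T12:42:15 clerk.bob PRINT P1006
2016-03-02T22:10:00 ex.staff VIEW P1007
"""

# Constructed care-team roster: the records each user has a business need to see.
CARE_TEAM = {
    "nurse.jane": {"P1001", "P1002"},
    "dr.lee": {"P1001"},
    "clerk.bob": {"P1003", "P1004", "P1005", "P1006"},
    "ex.staff": {"P1007"},
}

# Constructed HR feed: accounts that should be disabled, keyed by departure date.
TERMINATED = {"ex.staff": datetime(2016, 2, 28)}

# Assumed thresholds: more than BULK_THRESHOLD distinct records printed or
# downloaded within BULK_WINDOW_SECONDS is treated as a bulk export.
BULK_THRESHOLD = 3
BULK_WINDOW_SECONDS = 300


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review(events, care_team, terminated,
           threshold=BULK_THRESHOLD, window=BULK_WINDOW_SECONDS):
    """Return a list of (rule, user, detail) findings for the given events."""
    findings = []
    for e in events:
        # Rule 1: the account should have been disabled on departure.
        if e["user"] in terminated and e["ts"] >= terminated[e["user"]]:
            findings.append(("terminated_account_activity", e["user"], e["patient"]))
        # Rule 2: record is outside the user's care-team assignment.
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append(("no_business_need", e["user"], e["patient"]))

    # Rule 3: sliding window over PRINT/DOWNLOAD events per user.
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in ("PRINT", "DOWNLOAD"):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            inside = [x for x in evs[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= window]
            distinct = {x["patient"] for x in inside}
            if len(distinct) > threshold:
                findings.append(("bulk_export", user, len(distinct)))
                break  # one finding per user is enough for an analyst queue
    return findings


def run_sample():
    """Run the three rules over the constructed log."""
    return review(parse_log(SAMPLE_LOG), CARE_TEAM, TERMINATED)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The same rules catch an external attacker using stolen internal credentials, since the out-of-assignment access and bulk export patterns look identical whether the insider or an impostor generated them; in production the roster and termination feed would come from the EHR scheduling system and HR, not from constants.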
CYBER-ATTACKS ACROSS INDUSTRIES
Below is a list of companies from various sectors that fell victim to cyber-attacks in 2016.
Hollywood Presbyterian Medical Center ransomware attack. In February 2016, Hollywood Presbyterian Medical Center disclosed that it had experienced a malware attack earlier that month, which temporarily affected the operation of its computer network. The malware locked access to certain computer systems by encrypting files, preventing hospital staff from sharing communications electronically.
To make matters worse, the hackers demanded ransom to obtain the decryption key—40 Bitcoins, or approximately $17,000, to be exact. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian Chief Executive Officer Allen Stefanek said in a statement. “In the best interest of restoring normal operations, we did this.” The hospital said it also immediately notified law enforcement.
SWIFT data breach. The Society for Worldwide Interbank Financial Telecommunication (SWIFT), a member-owned cooperative, disclosed in August 2016 in a private letter to its members that it had uncovered yet more cyber-theft attempts on its member banks. The discovery followed the $81 million heist at Bangladesh Central Bank in February 2016.
“Customers’ environments have been compromised and subsequent attempts [were] made to send fraudulent payment instructions,” read a copy of the letter reviewed by Reuters. “The threat is persistent, adaptive and sophisticated, and it is here to stay.”
FACC data breach. FACC, an Austria-based aerospace parts maker—with clients including Airbus and Boeing—announced in January 2016 that it had fallen victim to hackers. Rather than go after the company’s data and intellectual property, the criminals stole approximately €50 million (US$54.5 million) in funds.
Accommodation and food services
Wendy’s data breach. In May 2016, fast-food chain Wendy’s said in a securities filing that malware, “installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”
Wendy’s continued: “The company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks and has disabled and eradicated the malware in affected restaurants.”
HEI Hotels and Resorts breach. In August 2016, HEI Hotels and Resorts, which operates 20 hotels across several well-known hotel chains, reported that its payment system had been breached. Affected properties included several of Starwood’s Westin hotels, as well as other Starwood and Marriott properties. HEI said that unauthorized individuals installed malware on its payment processing systems at these affected properties, enabling them to capture payment-card information at the point of purchase.
Eddie Bauer malware breach. In August 2016 (just weeks after HEI disclosed its breach), retail chain Eddie Bauer informed its customers that it had discovered that point-of-sale systems at Eddie Bauer retail stores may have been accessed without authorization. Upon detecting the issue, the company engaged third-party digital forensic experts to investigate. That investigation determined that customers’ payment card information used at Eddie Bauer retail stores on various dates between January 2016 and July 2016 may have been accessed.
Retail. In the retail industry, 81 percent of 209 hacking incidents resulted from DoS attacks, Web app attacks, and payment card skimming attacks.
A Web app attack is where a Web app—such as a content management system or e-commerce platform—is used as a means of entry. Breaches involving e-commerce sites, for example, typically involve hacking the Web application, with credentials stolen from customers as part of phishing attacks being the predominant method of Web app compromise.
Traditional storefront retailers must contend with an entirely different threat vector: the installation of card skimmers inside gas pump terminals, ATMs, or point-of-sale (PoS) terminals. These devices account for almost 60 percent of non-e-commerce retail breaches.
“Using default or easily guessable passwords simply will not cut it in today’s world,” the report states. “Implement multifactor authentication across your enterprise but especially for remote access into payment card processing networks.”
Manufacturing. In the Verizon report, cyber-espionage accounted for most breaches within this industry, 108 out of 124. Most of these breaches were conducted by state-affiliated actors, but instances of internal espionage pilfering trade secrets were present as well, the report states.
Many of these attacks are financially motivated. In fact, a whopping 90 percent of data stolen in manufacturing targeted valuable corporate data—such as intellectual property, trade secrets, or other sensitive information.
Unique to the manufacturing industry is how long these attacks are carried out. Typically, criminals infiltrate the network, locate the sensitive data, and then lurk in the shadows siphoning the data as long as possible. Malware gets onto a company’s system, for example, when someone clicks on a malicious e-mail or visits an infected website.
Privilege misuse, which occurred in just eight instances in the manufacturing industry, made up the second most common incident pattern, the report found. Typically, privilege misuse occurs when a disgruntled employee leaves a company with sensitive corporate data.
To prevent cyber-espionage, the Verizon report recommends the following proactive measures:
Keep highly sensitive data segregated, and only allow access to those who require it to perform their job;
Train employees about phishing scams, and provide them with a quick and easy way to report suspicious e-mails;
Monitor internal networks, devices, and applications; and
Implement data-loss prevention controls to identify and block improper transfers of data by employees.
Hospitality industry. Among hotels and restaurants, PoS attacks dominate. Ninety-six percent of breaches involved external actors, with 96 percent carried out by financially motivated organized criminal groups, the Verizon report states.
The hospitality industry is particularly vulnerable to malware attacks, representing 94 percent of breaches in 2016. “Malware is not going anywhere,” Spitler said. Most companies—even outside the hospitality industry—have some level of anti-virus software, but they need to be thinking bigger, he said.
The Verizon report recommends, for example, filtering remote access to PoS networks and only allowing connections from whitelisted IP addresses. It is also important to “patch promptly and consistently and make certain all terminals and servers are running the most recent version of software,” the Verizon report states.
Across all industries, the gap between the time it takes for a cyber-criminal to compromise a system and the time it takes for an organization to discover a breach is still significant. Thus, companies should focus their efforts both on making it more difficult for intruders to exit the system once they have broken into it and on improving the speed with which a breach can be detected, Spitler said. Although companies will still have to deal with a data breach or security incident, he said, “the impact will be much less.”
The goal of Verizon’s data breach report is to arm companies with the knowledge they need to defend against these incidents, said John Loveland, global head of cyber-security strategy and marketing at Verizon. “We see the market shifting to intelligence-led solutions, leveraging threat intelligence to make better decisions about how to allocate resources from a cyber-security perspective, as well as how to anticipate, prevent, and respond to cyber-breaches when they occur.”