Hotels, retailers, and restaurants really need to lock down their point-of-sale systems, but don't have to sweat Web app attacks as much as financial services companies do.
Payment systems are under fire. About 94 percent of security incidents fall into nine basic attack patterns. Web app attacks dominate the financial services sector. And point-of-sale and distributed denial of service attacks plague retail.
Those are the primary takeaways from Verizon's 2014 Data Breach Investigations Report (DBIR), which included 50 global companies' stats, 1,367 confirmed data breaches and 63,437 security incidents.
Verizon's DBIR report has a bevy of goodies, but the most interesting graphics are these:
What that latter graphic highlights is the risk weighting by industry. For instance, hotels and restaurants really need to lock down their point-of-sale systems, but don't have to sweat Web app attacks. Retail needs to focus on point-of-sale terminals and denial of service attacks, but cyberespionage isn't likely to be an issue. Utilities, manufacturing, and mining need to worry about cyberespionage from other countries.
"It's a complex landscape and you can't take a top 10 list and say that everyone defend against the same things," said Jay Jacobs, senior analyst at Verizon Enterprise Solutions and DBIR co-author. "There's a risk grid by industry."
But since 2013 was the year of retail attacks -- or at least publicized ones, thanks to Target -- here's a snippet from the report:
"From an attack pattern standpoint, the most simplistic narrative is as follows: Compromise the POS device, install malware to collect magnetic stripe data in process, retrieve data, and cash in. All of these attacks share financial gain as a motive, and most can be conclusively attributed (and the rest most likely as well) to organized criminal groups operating out of Eastern Europe. Such groups are very efficient at what they do; they eat POSs like yours for breakfast, then wash 'em down with a shot of vodka. While the majority of these cases look very much alike, the steps taken to compromise the point-of-sale environment offer some interesting variations."
The most popular point-of-sale attack involves RAM-scraping malware, which grabs payment card data while it's being processed in memory before it's encrypted.
Regarding Web attacks, Verizon's Enterprise unit recommended the following controls:
Other items worth noting:
"Yes, it's unorthodox as far as recommendations go, but it might actually be an effective theft deterrent (though it will probably increase loss frequency). That shiny new MacBook Air on the passenger seat may be too tempting for anyone to resist, but only those truly dedicated crooks will risk incarceration for a 4" thick mid-90s lap brick. Or, if being the fastest hunk of junk in the galaxy is a must, perhaps there's a lucrative aftermarket for clunky laptop covers. She may not look like much, but she's got it where it counts, kid."
This story originally posted as "Verizon's data breach report: Point-of-sale, Web app attacks take center stage" on ZDNet.