Verizon's data breach report: Point-of-sale, Web app attacks take center stage

Summary: Hotels, retailers, and restaurants really need to lock down their point-of-sale systems, but don't have to sweat Web app attacks as much as financial services companies do.

Payment systems were under fire; 94 percent of security incidents fall into nine basic attack patterns; Web application attacks dominate the financial services sector; and point-of-sale and distributed denial-of-service attacks plague retail.

Those were the primary takeaways from Verizon's 2014 Data Breach Investigations Report (DBIR), which drew on 50 contributing organizations worldwide and covered 1,367 confirmed data breaches and 63,437 security incidents.

Verizon's DBIR has a bevy of goodies, but the money graphics are two: one showing the nine attack patterns across the whole dataset, and one breaking those patterns down by industry.


What that latter graphic highlights is the risk weighting by industry. For instance, hotels and restaurants really need to lock down their point-of-sale systems, but don't have to sweat Web app attacks nearly as much. Retail needs to focus on point-of-sale terminals and denial-of-service attacks, but cyber espionage isn't likely to be an issue. Utilities, manufacturing, and mining need to worry about cyber espionage from other countries.

"It's a complex landscape and you can't take a top 10 list and say that everyone defends against the same things," said Jay Jacobs, senior analyst at Verizon Enterprise Solutions and DBIR co-author. "There's a risk grid by industry."

But since 2013 was the year of retail attacks — or at least publicized ones thanks to Target — here's a snippet from the report:

From an attack pattern standpoint, the most simplistic narrative is as follows: Compromise the POS device, install malware to collect magnetic stripe data in process, retrieve data, and cash in. All of these attacks share financial gain as a motive, and most can be conclusively attributed (and the rest most likely as well) to organized criminal groups operating out of Eastern Europe.

Such groups are very efficient at what they do; they eat POSs like yours for breakfast, then wash ‘em down with a shot of vodka. While the majority of these cases look very much alike, the steps taken to compromise the point-of-sale environment offer some interesting variations.

The most popular point-of-sale attack involves RAM-scraping malware, which grabs payment card data from the terminal's memory while it is being processed: after the card has been swiped and before the data is encrypted for transmission.
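What that grab looks like in practice, as an added example that is not from the report and not code from any real scraper: the Track 1 and Track 2 layouts a magnetic-stripe reader emits, the regular expressions that match them, and a Luhn check to discard digit runs that merely resemble a card number. The memory buffer is constructed for the example; a real scraper reads it out of the POS process through OS APIs, which this example does not do.

```python
import re

# Constructed memory snapshot standing in for the bytes a POS process holds
# while it handles a swipe (not a real dump). It mixes unrelated data with
# Track 1 and Track 2 records in the layout a magnetic-stripe reader emits.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TXN-0042\x00\x01"
    b";4111111111111111=25121011234567890?"                # Track 2, Visa test PAN
    b"\x00\xff\xfeAAAAAAAAAAAA"
    b";4111111111111112=25121011234567890?"                # same shape, fails Luhn
    b"\x00%B4111111111111111^DOE/JOHN^2512101123456789?"  # Track 1, same card
    b";1234567890123=2512101?"                             # 13 digits, fails Luhn
    b"\x00\x00"
)

# Track 2: ;PAN=YYMMSSS<discretionary>?   Track 1: %BPAN^NAME^YYMMSSS<discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every real PAN satisfies; filters digit runs that only look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four, a PCI-style masked rendering for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return Luhn-valid track records found in buf, ordered by offset.

    This is the matching step a RAM scraper performs over process memory; run
    over a memory dump of a test terminal, it tells a defender whether
    cleartext track data is exposed, and where.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"offset": m.start(), "track": 2, "pan": mask_pan(pan),
                         "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",
                         "service_code": m.group(4).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"offset": m.start(), "track": 1, "pan": mask_pan(pan),
                         "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",
                         "service_code": m.group(5).decode()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

Two of the four candidate records survive the Luhn filter, both for the same test card. The defensive use is the mirror image of the attack: the same scan over a memory dump taken from a test terminal is a quick check of whether cleartext track data ever sits in RAM, and a hit is the argument for encrypting at the read head rather than in software.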




Regarding Web attacks, Verizon's Enterprise unit recommended the following controls:

  • Don't use single-factor password authentication on anything that faces the Internet;
  • Set up automatic patches for any content management system such as Drupal and WordPress;
  • Fix vulnerabilities right away before the bad guys find them;
  • Enforce lockout policies;
  • Monitor outbound connections.
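The last control, monitoring outbound connections, is the one that catches the "retrieve data" step of the POS narrative above as well as a compromised web server calling home. As an added example that is not from the report: an egress audit over a constructed firewall log, with a hypothetical POS subnet and destination allowlist. The log layout, addresses and threshold are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical POS segment and the only destinations its terminals legitimately
# talk to. Both are assumptions for this example, not figures from the report.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),   # payment processor gateway
    ("10.20.5.5", 443),      # internal patch/management server
    ("10.20.5.53", 53),      # internal DNS resolver
}
VOLUME_THRESHOLD = 8 * 1024 * 1024   # bytes per (src, dst, port) that counts as bulk egress

# Constructed firewall export in a simple key=value layout (not a real vendor format).
SAMPLE_LOG = """
2014-04-22T02:14:07Z src=10.20.3.17 dst=203.0.113.10 dport=443 proto=tcp bytes_out=1820
2014-04-22T02:14:09Z src=10.20.3.17 dst=10.20.5.53 dport=53 proto=udp bytes_out=64
2014-04-22T02:15:31Z src=10.20.3.17 dst=198.51.100.77 dport=21 proto=tcp bytes_out=5242880
2014-04-22T02:15:40Z src=10.20.3.17 dst=198.51.100.77 dport=21 proto=tcp bytes_out=5242880
2014-04-22T02:16:02Z src=10.20.4.8 dst=203.0.113.10 dport=443 proto=tcp bytes_out=2110
2014-04-22T02:16:15Z src=10.20.4.8 dst=192.0.2.45 dport=443 proto=tcp bytes_out=12000
2014-04-22T02:16:20Z src=10.30.1.2 dst=192.0.2.45 dport=443 proto=tcp bytes_out=9000
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """Split one 'timestamp k=v k=v ...' record into typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "src": kv["src"], "dst": kv["dst"],
            "dport": int(kv["dport"]), "proto": kv["proto"],
            "bytes_out": int(kv["bytes_out"])}


def audit_egress(lines) -> list:
    """Flag POS-segment flows to destinations outside the allowlist.

    Each alert carries the total bytes sent to that destination so that a
    slow trickle and a bulk dump are distinguishable in the output.
    """
    first_seen = {}
    volume = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue                      # other segments have their own policy
        key = (rec["src"], rec["dst"], rec["dport"])
        volume[key] += rec["bytes_out"]
        if (rec["dst"], rec["dport"]) not in EGRESS_ALLOWLIST:
            first_seen.setdefault(key, rec["ts"])
    return [
        {"src": src, "dst": dst, "dport": dport, "first_seen": ts,
         "bytes_out": volume[(src, dst, dport)],
         "high_volume": volume[(src, dst, dport)] >= VOLUME_THRESHOLD}
        for (src, dst, dport), ts in first_seen.items()
    ]


if __name__ == "__main__":
    for alert in audit_egress(SAMPLE_LOG):
        print(alert)
```

On the sample, the web-tier host is ignored, the two processor and DNS flows pass, and two POS terminals are flagged; the FTP session from 10.20.3.17 is also marked high-volume because its two records add up to 10 MiB. An allowlist this tight is only realistic because a POS terminal has a very short list of legitimate peers, which is exactly why egress filtering and alerting pay off more on that segment than anywhere else in a retailer's network.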

Other items worth noting:

  • Insider misuse remains a huge problem and much of security still revolves around trusting an individual — often an employee.
  • Healthcare, public sector, and mining are the industries with the most lost and stolen laptops. Thefts are often exposed in these industries due to mandatory reporting requirements.
  • Verizon's advice on lost and stolen gear was conventional for the most part — encrypt devices, back them up and lock them down — but it did say it may make sense to buy "unappealing tech." Verizon said:

Yes, it’s unorthodox as far as recommendations go, but it might actually be an effective theft deterrent (though it will probably increase loss frequency). That shiny new MacBook Air on the passenger seat may be too tempting for anyone to resist, but only those truly dedicated crooks will risk incarceration for a 4” thick mid-90s lap brick. Or, if being the fastest hunk of junk in the galaxy is a must, perhaps there’s a lucrative aftermarket for clunky laptop covers. She may not look like much, but she’s got it where it counts, kid.

  • The US remains the largest victim of cyber espionage, with South Korea a distant second. State-affiliated actors account for 87 percent of cyber espionage cases, and 49 percent of those actors hail from Eastern Asia.

  • Verizon is NOT making "unorthodox" recommendations!

    Verizon's recommendations are actually very conservative and very prudent. They are recommending that Internet sites perform a little due diligence, which should always be the priority when thinking about web-based security.

    In fact, technologies like grid cards and challenge-response via SMS should be the rule and not the exception for important online transactions like banking sites. Google Authenticator and Paypal security keys are great concepts that should be extended until better technologies are developed.

    In other words, it's time the Internet gets serious about security before it is too late!
  • Lose 'doze on POS systems

    Without that, security is a non starter.
    • Another simpleton response

      POS attacks, if you look at the chart, are from 3rd-party desktop and desktop sharing. In other words, it is someone with access to the POS back office accessing the POS. If an employee gives access to someone that should not have access, it does not matter what OS is running.

      Notice that only 9% is physical attack on the POS, which is very difficult to do at any retail store. These attacks are not on the software but to take the POS and run with it.
      • again, BECAUSE POS runs windows

        get it ?!
        • No, I don't

          How does not running Windows on an individual POS terminal prevent attacks against corporate servers from succeeding? For example, Target runs the Toshiba (formerly IBM) 4690 OS at the store level, not Windows, yet they were still compromised.

          The big money in POS attacks is not through an individual POS device, but through a central server. In fact, the vast majority of successful POS attacks have been initiated against back office applications or servers at the corporate level. Blaming the OS on an individual POS terminal for such corporate-level breach ignores good sense.