Verizon study: User error the cause of more IT breaches

By Angela Gunn, BetaNews

October 4, 2008, 3:11 PM

Security threats to businesses vary according to what sort of businesses ar targeted, according to a study covering over four years and 230 million compromised records.

Verizon originally issued its general Business Data Breach Investigations report back in June, but drill-down data on four industries -- financial services, technology, retail and food and beverage services, which together composed about 82 percent of the original survey -- merited a supplemental analysis this week. Some of the highlights:

• Don't get cocky, tech folk: Of the four industries examined, the tech sector presented the most breaches in which user error -- often by IT administrators -- was a contributing factor. That factor alone pushed internally generated breaches to 39 percent of all such incidents reported for tech -- the highest internal rate of the four industries, just ahead of the financial sector.

  On the other hand, highly sophisticated attacks were unleashed more frequently on tech-sector targets than on any other, even in the financial sector. Web applications are the most popular attack vector, and though it's a tiny percentage of the total, only the tech sector discovered a breach in connection with a blackmail or extortion attempt.

• Speaking of the financial sector, the split in that industry between externally, internally, and partner-caused breaches was fairly even, with 56 percent of their problems caused externally and a disturbing 41 percent originating with partner businesses. (Since breaches often involve multiple components, these numbers add up to more than 100 percent. In many multiple-source situations, one party is unaware that they're part of the problem.) That split is the closest thing to parity among the four sectors.

  The financial sector saw a significant number of attacks linked to known organized-crime groups overseas, particularly in Eastern Europe. Only in this sector do end users have a hand in more breaches than IT admins do, and this sector had nearly three times the number of breach discoveries made by the employees themselves.

• The food and beverage industry had the greatest split between external (80%), partner (70%) and internal (4%) breaches, but don't start feeling complacent about your credit card's safety in the hands of your food server just yet. The authors of the survey say that's probably because a light-fingered waiter or waitress is usually dealt with by law enforcement, not a risk-response team.

  The high numbers for partner breaches are likely to reflect compromises of point-of-sale (POS) systems or those systems' vendors -- directly or indirectly responsible, the researchers say, for all of the breaches reported in that sector -- which can then be used to attack any restaurants using the compromised gear.

• Retail -- which represented the largest group of cases analyzed -- saw a significantly higher percentage of Wi-Fi-based attacks than any other industry. The researchers described most retail breaches as opportunistic and not especially sophisticated.

  As with food and beverage, retailers typically finds out they've been breached when a third party clues them in, and it may take months for the problem to be uncovered. Only in the retail and food-and-beverage sectors were actual hacks a bigger problem than error, and in both sectors the preferred loot was payment-card data.

The data was drawn from the forensics files of the Verizon Business Risk Team, which were compiled between 2004 and 2007. A report to be issued next year will include data from 2008.