Regardless of the market or industry, the majority of attacks are financially motivated. Even in data-rich environments such as health care, attackers are still after profits and exploit the same weaknesses and transaction processing systems that are vulnerable in other industries such as hotels and accommodations, food services and financial services. Verizon’s latest Data Breach Investigations Report (DBIR) broke out data breach characteristics by those industries, and came to a stunningly simple conclusion: Attackers will seek out the easiest way in, take what they need and get out quickly.
“You’re looking at opportunistic attacks,” said Jay Jacobs, managing principal at Verizon and one of the authors of the DBIR. Unlike breaches where intellectual property was stolen, attacks on these particular industries exploit weak passwords or default credentials on transaction processing systems reachable online, or physical equipment is either tampered with or stolen.
Health care institutions, for example, are not breached for patient records for the most part, or to hack medical devices. Attackers are after the same easy targets they would be after in other industries such as weak point-of-sale terminals.
“In health care, there is a tremendous focus from a regulatory standpoint around medical information,” Jacobs said. “Taking payment cards is not a large portion of their business. Some of that security is not as strong as in other sectors.”
Ninety-five percent of attacks are external against health care organizations, and hacking and/or malware were involved in almost all incidents. In most cases, the criminals are not necessarily targeting health care specifically.
“These scenarios typically play out by the attacker scanning large swaths of the Internet for potential victims, hacking into the exposed systems (often via weak or stolen credentials), and installing some type of malware to capture data and/or fulfill other nefarious purposes,” Verizon wrote in its report.
Beating a default or weak password was the most common entry point in breaches against health care organizations. Backdoor remote access malware and keyloggers were the most common malware types in these breaches. And most attacks were against point-of-sale terminals and servers. Attackers will follow the money and target POS systems that handle co-payments and other transactions.
“Many smaller health care clinics and offices lack the expertise or resources to manage their own POS infrastructure, and therefore rely on third-party vendors to do it for them. This requires that some sort of remote access and administrative service be enabled on these systems,” Verizon wrote. “The victim assumes that vendors know their trade and implement appropriate security measures, but experience shows this trust is often misplaced.”
Attackers are also compromising these systems in minutes, and are out well before attacks are detected, usually by law enforcement or a payment card provider months later.
Many of the same weaknesses and exploit scenarios are present in the accommodation and food services industries, by far the most maligned by data breaches as investigated by Verizon. Of the 656 breaches in this segment, 569 were carried against companies with fewer than 100 employees. There are few IT and security resources in these organizations and POS terminals and services have even fewer controls.
Attacks are carried out using keyloggers and form grabbers or hacks such as brute-force and dictionary attacks against weak or poorly protected POS credentials. For the most part, keyloggers used against accommodations and food services aren’t looking for personal information, but instead are built to grab magnetic strip data from a credit card, Verizon said. In almost all cases, attackers are successful in breaching a remote access interface online to install malware such as keyloggers on systems.
Financial services organizations, meanwhile, are generally considered more mature in terms of information security and invest in better controls. There are fewer opportunistic attacks against these companies, which are subject to targeted incursions by cyber criminals and even nation-states. Attackers deploy a variety of tactics against financials, Verizon said, including a number of physical attacks including tampering with ATMs and installing either card-skimming devices or cameras. Financials are also subject to web-based attacks against online banking applications or social engineering attacks against customers and employees in an effort to steal legitimate system credentials.
While most attacks come from external attackers, Verizon reported nine percent of attacks involved an insider, the highest rate among the vertical markets it analyzed. Attackers sometimes collude with tellers or other insiders to perpetrate fraudulent transactions, Verizon said.
Physical attacks, meanwhile, are almost three times more prevalent than malware or hacking attacks because of skimming attacks, primarily. As for technical attacks, keyloggers and backdoors were among the attacks most often seen, but there were fewer compromises of weak or default passwords, indicating a level of regulation and maturity not present in other industries. Attacks are discovered and contained much quicker than in other industries; most attacks are discovered within days, rather than months or even years.