October 2, 2008

Verizon Business Data-Breach Report Examines Industry-Specific Challenges

BASKING RIDGE, N.J., Oct. 2 /PRNewswire/ -- Enterprises should assess their security strategies knowing that the challenges differ significantly by industry and that a one-size-fits-all approach is rarely effective. Those are the key findings in a supplemental analysis of data breaches released by Verizon Business today.

The latest study is based on the 2008 Verizon Business Data Breach Investigations Report, issued in June. The landmark report analyzed breaches spanning four years and more than 500 forensic investigations involving 230 million compromised records including three of the five largest breaches ever reported.

In its supplemental analysis, Verizon Business security experts used the original data to provide a rare glimpse at the differences and similarities among attacks across four key industries: financial services, high-tech, retail and food and beverage. The four groups studied constituted a sufficient sample size for independent data analysis.

"The supplemental report provides further insight into the nature of breaches, underscoring that good security does not lend itself to a cookie-cutter approach," said Dr. Peter Tippett, vice president of research and intelligence, Verizon Business Security Solutions. "Understanding what happens when a data breach occurs is critical to proactive prevention. Through our more targeted analysis, we are hoping to provide answers to businesses around the globe that want to protect not only their data but their reputation."

   Key Findings Across Industries    Findings, by vertical market, include:    Financial Services   --  Financial services face a greater risk from insiders, whereas partners       represent the chief source of risk for other industries analyzed.    --  A blend of attack types is used against financial services, with       deceit and misuse as the most common attacks.    --  On average, attacks take longer and tend to be more sophisticated.       Discovery often takes weeks, although financial services organizations       generally learn of breaches more quickly than other types of       organizations.    --  Relative to other industries, financial organizations demonstrated a       higher level of asset awareness. Breaches associated with unknown or       lost systems, data, connections and privileges occurred far less       frequently.    High-Tech Services   --  The picture in high-tech services is complex. More than any other       industry, errors were a contributing factor and attacks were fairly       sophisticated. Though presumably tech-savvy, high-tech organizations       had a difficult time keeping track of information assets and system       configurations.    --  Malicious insiders are a big issue. Insider misuse, which refers to       using granted resources or privileges, or both, for any unauthorized       purpose, is much higher in high-tech.  Such behavior is inherently       difficult to control in a culture where workers often have high levels       of access to many systems.    --  Hacking is significant. Tech firms tend to do a better job on basic       system and application configurations, forcing attackers to rely on       vulnerabilities to compromise systems. A consistent and comprehensive       approach to patch deployment is often lacking.    --  Attacking Web applications represents the most common method of       intrusion. Additionally, the percentage of breaches involving       intellectual property is higher in the high-tech community.    Retail    --  Retail represents the largest portion of the overall cases analyzed.    --  Many attacks exploit remote access connections, but Web applications       are also frequently targeted. Attacks on wireless networks are growing       and are significantly higher than in any other industry.    --  Simple attacks are prevalent, but a considerable number of more       difficult attacks were employed against retail establishments.    --  Retail is highly reliant on third-parties to discover breaches.       Typically, discovery happens more quickly than in food and beverage       but lags behind both the finance and high-tech industries.    --  Overall, attacks against this industry are largely opportunistic,       seeking quick payloads of data that can easily be used for fraudulent       purposes.    Food and Beverage    --  Most breaches originate from external sources but leverage a partner's       trusted remote access connection as the point of entry into online       repositories of payment card data.    --  These attacks rely on poor security configurations rather than       application or software vulnerabilities, are quickly executed and are       highly repeatable.    --  Many attacks exploited point-of-sale systems that criminals use to       stage additional attacks and spread malware (corrupt software)       throughout food and beverage chain establishments.    --  It takes food and beverage organizations a considerable amount of time       to learn of a breach. When they do, the discovery is almost always       made by a third party.   

Tippett added, "This report clearly shows it's not about clever or complex security protection measures. It really boils down to doing the basics from planning to implementation to monitoring of the data."

To access the Verizon Business Supplemental Report, please click below: http://www.verizonbusiness.com/resources/security/databreachsuppwp.pdf.

A complete copy of the 2008 Data Breach Investigations Report is available at: http://www.verizonbusiness.com/resources/security/databreachreport.pdf.

To blog about this report, visit us at: http://securityblog.verizonbusiness.com/.

About Verizon Business

Verizon Business, a unit of Verizon Communications , operates the world's most connected public IP network and uses its industry-leading global-network capabilities to offer large-business and government customers an unmatched combination of security, reliability and speed. The company integrates advanced IP communications and information technology (IT) products and services to deliver leading enterprise solutions including managed services, security, mobility, collaboration and professional services. These solutions power innovation and enable the company's customers to do business better. For more information, visit http://www.verizonbusiness.com/.

VERIZON'S ONLINE NEWS CENTER: Verizon news releases, executive speeches and biographies, media contacts, high-quality video and images, and other information are available at Verizon's News Center on the World Wide Web at http://www.verizon.com/news. To receive news releases by e-mail, visit the News Center and register for customized automatic delivery of Verizon news releases.

Verizon Business

CONTACT: Janet Brumfield, +1-614-723-1060, [email protected],or Junaidah Dahlan, +65-6248-6827, [email protected], orClare Ward, +44-118-905-3501, [email protected], all of VerizonBusiness

Web Site: http://securityblog.verizonbusiness.com/

Company News On-Call: http://www.prnewswire.com/comp/094251.html