Yesterday, Verizon released their data breach investigations report, which gives new insight into cyber espionage and denial-of-service attacks, and features nine common incident patterns, bringing together views from 50 global organisations and more than 63,000 confirmed security incidents.
The Verizon DBIR paints a picture of how point-of-sale attacks have evolved. POS Terminals that are directly connected to the open internet by small businesses represent low hanging fruit that is incredibly easy to pluck.
> See also: 4 things that will happen in the internet of things space
In the past year we know that POS malware was used in much more sophisticated attacks against larger, better defended retail establishments. This process mirrors what we expect to see with other kinds of embedded systems associated with the Internet of Things.
If there is a business model associated with attacking devices, it will be pursued, and it will first impact systems that are easy to compromise. If those attacks prove lucrative, we’ll see them replicated in increasingly sophisticated attacks that get at devices that are more heavily defended. What drives all of this activity is the opportunity to make money.
I think Verizon’s security recommendations are particularly noteworthy, because they are rooted in a wealth of knowledge about how organisations get compromised. Many of these recommendations might seem like table stakes – update your anti-virus, patch your systems, use good passwords or two-factor authentication – but you’d be amazed at how many organizations fail to execute on these basic steps.
> See also: Restaurant chain sues IT supplier over ‘malware-infected’ POS system
The report also highlights approaches that are on the leading edge of what IT shops are doing, and probably deserve to be adopted more broadly, including threat indicator feeds, network behavioral anomaly detection, and monitoring of internal networks for lateral movement by sophisticated adversaries and malicious insiders.
My favorite recommendation in the report is the suggestion that organisations should adopt unappealing technology in order to deter theft. It reminds me of a scene in one of William Gibson’s novels in which someone is applying spray-on rust to a brand new bicycle in order to make it look unattractive to thieves. Sometimes, having the latest tech gadgets can make you a target, and its all the more troublesome if you happened to have loaded a bunch of sensitive information onto that gadget right before it grew legs.