Breach report identifies breach patterns, best mitigation
The 2014 Verizon Breach Investigations Report gathered data from more than 63,000 cybersecurity incidents to produce descriptive statistics and identify trends. Stephen Brannon of the Verizon Cyber Intelligence Center presented the latest results and the associated recommended controls at Safeguarding Health Information: Building Assurance through HIPAA Security, a program hosted by the Dept. of Health & Human Services’ Office of Civil Rights and the National Institute of Standards and Technology and held in Washington D.C. on Sept. 23.
This year’s report represents numerous countries and organizations in many different sectors for a broad perspective. The data also helps organizations determine which threats are the most likely. Three patterns describe more than two-thirds of the breaches examined, Brannon said.
One of those three patterns responsible for the bulk of breaches, according to Brannon, is point-of-sale intrusions, which happen when a credit or debit card is swiped. The overall frequency is declining, he said, but attackers are going after larger targets, as in the recent Target and Home Depot incidents.
The recommended controls include restricting remote access and mixed use, enforcing password policies, network segmentation and monitoring, and two-factor authentication. These are basic controls but “people are still not doing them,” Brannon said.
The second pattern is insider and privilege misuse. Most activity abuses the trust necessary to perform normal duties, he pointed out. The most common is privilege abuse. Most incidents happen at the victim organization and the motivation is primarily financial. Recommended controls include knowing your data and who has access to it, reviewing user accounts, watching for data exfiltration and publishing audit results to make sure people know you’re watching.
The third pattern is physical theft and loss. The report found that assets are stolen more often from offices than from vehicles or residences. Loss is also reported more frequently than theft, by a factor of 15 to 1. More losses and thefts are reported because of disclosure regulations than because of fraud, Brannon said. The recommended controls include encrypting devices, keeping them with you at all times, backing them up and locking them down.
Brannon also addressed miscellaneous errors: unintentional actions that directly compromise a security attribute of an information asset. Highly repetitive processes involving sensitive data are particularly error-prone, he said. Discovery typically takes a long time and is external about two-thirds of the time. To fight these vulnerabilities, Brannon said, organizations should consider data loss prevention software, tightening up processes around posting documents and spot-checking large mailings.