Industry Differences in Types of Security Breaches

Interhack has been working on a taxonomy of security breaches, and has an interesting conclusion:

The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration's proportion of compromised host reports was below average, but their proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insignificant number of samples for the statistical tests being used.

Full study is here.

Posted on June 10, 2009 at 6:18 AM • 14 Comments

Comments

Bill • June 10, 2009 7:10 AM

I'm skeptical the raw data is complete, verbose and accurate, so it follows any conclusion will not be either. And that's with or without disclosure laws too.

Another interpretation is it illustrates which areas different market sectors are least uncomfortable 'fessing-up to.

They've devised a taxonomy fit for their purpose; but stripping 'motive' from the equation is like stripping 'asset value' from risk management.

i.e. Was the laptop stolen for the hardware, or the data? It matters!

So yes, good effort but I'm not going to drink their kool-aid.... this time.

Marq • June 10, 2009 7:11 AM

"Educational Services reported a disproportionally large number of compromised hosts"

Students will undoubtedly mess with remote control software to play tricks on their mates (even I did a few times, I even wrote my own for that purpose, raised a few laughs), but if the administrator is even half awake, these should not be accessible from the internet.

Bill • June 10, 2009 7:20 AM

@Marq

Most compromises are from the inside out. Meaning an internal workstation is infected by malware after its user visited an external malicious website (say).

The malware then connects back out to the Internet to await further instructions from the bad guys on the Internet (c.f. Botnet).

This can be a bugger to spot. :(

Marq • June 10, 2009 7:51 AM

@Bill: True, but I would have thought there would be even less need for students to browse onto dodgy sites at school. After all, if I was looking for something not quite legit, I certainly wouldn't do it at school/work etc.

Aaron • June 10, 2009 8:37 AM

@Bill I agree, health care has HIPAA; if there is a breach they are highly disincentivized to reveal that it occurred. I think this reveals more about who is reporting what than anything.

Bill • June 10, 2009 8:38 AM

@Marq
Unfortunately the bad guys increasingly use legitimate 'trusted' websites to serve malware, most notably social networking sites (Facebook and Twitter have both suffered recently).

BigBlueJohn • June 10, 2009 8:41 AM

Having been in charge of maintaining several hundred college computer lab PCs, I can assure Bill above that there is no end to the variety of sites that the kids will surf to. To keep malware out of your lab, you'd have to aggressively block outside sites, install security software on your machines, and re-image them between users. Even if 19 of my users in a row are smart, conscientious and know how to surf safely, once student #20 decides to click on that blind link that came in via his Hotmail account, and activate a zero-day worm... I've now got a dirty workstation.

Clive Robinson • June 10, 2009 11:03 AM

As noted by others my first thought was "what's the full SP".

However, after a little further thought I wonder if it shows the distribution of resources within the organisations mentioned.

It might well be that the educational hosts' admins are not trained as highly as those in health care, but due to the nature of the labs etc. keep much better asset control (i.e. laptops are not issued to individuals but for a given class and then counted back in).

I suspect that the results, although broad in brush strokes, do paint a reasonable picture of the organisations' priorities when it comes to resources.

Davi Ottenheimer • June 10, 2009 1:51 PM

Great. This is a topic definitely in need of more exposure. I've spoken about this in detail in my "Top 10 Breaches" presentations. The report does a nice job with illustrations but their analysis of the data seems only skin deep.

For example, Healthcare breach reports are usually related to lost media. It doesn't take statistical analysis to reach this conclusion. Look at the VA, Miami, Utah and Providence breaches alone and you should have the kind of basis you need to see the problem. The more important question is whether lost tapes and drives are a fair representation of true risk to protected health information (PHI).

I found no evidence in the study that they tried to control for this or explain the true likelihood of a breach by industry. It seems they advocate for more physical controls in healthcare as a response. I would have liked to see a recommendation instead that went towards encryption and/or reducing asset exposure through software. Even access control recommendations would have made more sense. There is already a fair amount of physical security but there is much room for improvement in terms of automation and software controls (e.g. who has what, where when -- tracking systems). This is especially important when you see the large spike in breaches for Healthcare versus other industries (not shown in this report, strangely). Physical security enhancements will not offset this rise. I guess I'll have to publish why.

Likewise, Education breach reports are typically related to compromised databases. Statistical analysis again is not required -- just look at the highest losses. Again, I found their analysis questionable.

"Insider misconduct is correspondingly lower than the general case. This could be attributed to the type of personally identifying information that an educational institution is likely to maintain. If a criminal’s goal is to steal identities for financial gain, there are probably more potentially lucrative targets than students."

This logic does not follow, nor does the data on fraud and breaches support this conclusion.

Newton • June 10, 2009 3:39 PM

@Patrick Stein

It's the Law of Conservation of Stupidity. Stupidity can never be eliminated, only transferred or transformed.

Nick S. • June 10, 2009 4:49 PM

@BigBlueJohn:

"To keep malware out of your lab, you'd have to aggressively block outside sites, install security software on your machines, and re-image them between users."

I know of several computer labs that re-image (Windows) on every logout from the network...

Michael Seese • June 12, 2009 10:43 PM

Speaking as someone in the financial services industry, we have a lot of regulations which (in theory) ensure data security. But we also have a lot of people with access to PII.
