The term “intel” is often used in a military context. It’s relevant to cybersecurity, because we’re defending our information assets from multiple attackers. Knowing everything we can about our adversaries and their battle plans, resources, and methods gives us a strategic advantage. It puts us in a position to set priorities on defenses that are most likely to thwart attackers.
One of the best sources of intel for cybersecurity strategies is the 2023 Verizon Data Breach Investigations Report, available at no cost. This annual report collects data from a wide spectrum of sources, including law enforcement and government agencies, cybersecurity research teams, cybersecurity technology firms, and data breach disclosure reports. It applies to four global regions: Asia Pacific (APAC); Europe, Middle East, and Africa (EMEA); Latin America and the Caribbean (LAC); and North America (NA).
This year’s report contains a thorough analysis of 16,312 incidents (defined as a compromise of data integrity, confidentiality, or availability) and 5,199 confirmed data breaches. I’ll touch on some highlights in this article, but I encourage you to read the entire report.
WHO’S ATTACKING – AND WHY?
The first question most of us ask is who is attacking us? The analysis shows that 93% of the breaches in our sector come from external adversaries, with organized crime at the top of the list. What’s their motivation? Financial reasons are by far the main driver in 94.6% of overall breaches. In our sector, accommodation and food services, they account for 100% of attacks.
Hospitality sector targets include specific data types. Knowing this helps us to prioritize our prevention efforts. The number one target is card data, which accounts for 41% of the attacks. Not far behind are credentials, or login details, at 38%. Personally identifiable information (PII) is also highly desirable and represents 34% of the attacks. This implies that credentials are being targeted as a means of accessing either card data or personal data.
Another useful part of the report relates to the type of attacks. In hospitality, 90% of attacks used one of these primary methods:
System intrusion is dominated by ransomware and malware. These attacks typically pair automation with one of two methods:
- PHISHING: Attackers send emails that prompt you to click on a link and provide information. Maybe they ask you to update your password or change a vendor’s or employee’s bank account number.
- PRETEXTING: This involves the use of stolen credentials to gain initial access. Once inside the system, attackers use high-level hacking skills to leverage vulnerabilities and move toward the target data. You get a message that appears to be from a company executive, a team member, or perhaps a manager. The attacker attempts to persuade you to take some action, perhaps some routine task, that will make their scheme successful. The median amount stolen from these types of attacks has increased to US $50,000.
Key defenses for system intrusion include:
- Security awareness training
- Continuous vulnerability management
- Malware defenses (such as application control or whitelisting and anti-malware)
- Data backup recovery processes
Social engineering runs on email in 98% of the cases analyzed. It includes phishing, which accounts for 44% of attacks, and pretexting, which is now more prevalent than phishing.
Security awareness training is a critical defense to combat social engineering. You should pair it with multi-factor authentication for account access and an account management process that disables dormant accounts and maintains an up-to-date inventory of authorized user and service accounts.
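As an added illustration (not from the article or the Verizon report), the account review described above can be automated by comparing a directory export against the inventory of authorized accounts. The account names, the data layout, and the 45-day dormancy threshold are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=45)  # assumed threshold; set it from your own policy

# Constructed sample data (not from the article or the report).
AUTHORIZED = {  # inventory of approved accounts: name -> (type, owner)
    "jsmith": ("user", "Front Desk"),
    "mlopez": ("user", "Finance"),
    "newhire": ("user", "Reservations"),
    "svc-pms": ("service", "IT"),
    "svc-backup": ("service", "IT"),
}
DIRECTORY = [  # directory export: (name, enabled, last login as ISO-8601 or None)
    ("jsmith", True, "2023-09-28T08:15:00+00:00"),
    ("mlopez", True, "2023-06-02T17:40:00+00:00"),
    ("svc-pms", True, "2023-10-01T00:05:00+00:00"),
    ("temp-vendor", True, "2023-09-30T11:00:00+00:00"),
    ("kchan", False, "2022-12-01T09:00:00+00:00"),
    ("newhire", True, None),
]

def review_accounts(authorized, directory, now, dormant_after=DORMANT_AFTER):
    """Return accounts to disable, accounts to investigate, and stale inventory rows."""
    findings = {"dormant": [], "unauthorized": [], "missing": []}
    seen = set()
    for name, enabled, last_login in directory:
        seen.add(name)
        if not enabled:
            continue  # already disabled, nothing to do
        if name not in authorized:
            findings["unauthorized"].append(name)  # active but not in the inventory
            continue
        last = datetime.fromisoformat(last_login) if last_login else None
        if last is None or now - last > dormant_after:
            findings["dormant"].append(name)  # never used, or idle past the threshold
    # Inventory entries with no matching directory account mean the inventory is stale.
    findings["missing"] = sorted(set(authorized) - seen)
    return findings

if __name__ == "__main__":
    now = datetime(2023, 10, 2, tzinfo=timezone.utc)  # fixed date so the sample is repeatable
    for kind, names in review_accounts(AUTHORIZED, DIRECTORY, now).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Running a review like this on a schedule keeps the inventory and the directory in step: dormant accounts are candidates for disabling, and active accounts missing from the inventory need an owner or removal.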
Basic web application attacks exploit coding errors to go straight into a database. In the hospitality sector, cloud services with application coding developed by a small team that isn’t well trained in secure coding are particularly vulnerable. It’s a dismaying reality that many software developers don’t pay attention to secure coding and the same basic attacks have continued for years. No matter how secure your infrastructure and networks are, attackers can easily get to target data through these basic web applications.
HOW TO LOWER YOUR RISK
A good resource for ways to lower these risks is the Open Web Application Security Project (OWASP). The OWASP Foundation tracks and identifies the most common coding errors and publishes a list of Top Ten Web Application Security Risks. See https://owasp.org. Testing and buttoning down the coding errors on this list provides a huge defensive advantage.
If you look at the broad picture of breaches, 74% include a human element. This is significant in hospitality – our culture of being helpful and courteous works against us when it comes to social engineering.
Each of the three major types of attacks occurring in hospitality can be mitigated with either skills training for web developers or security awareness training for end users. Finance and customer service departments are favorite targets. Specialized awareness training is available for those groups.
SMALLER BUSINESSES HAVE DIFFERENT NEEDS
The report also addresses small and medium size businesses (SMBs). The types of attacks they face are essentially the same as those in the larger hospitality universe: System intrusions, basic web application attacks, and social engineering. The difference is the degree to which a lack of resources hampers their ability to respond.
The Verizon report includes excerpts from the Center for Internet Security (CIS) that provide guidance for small and medium size companies. (See CIS Critical Security Controls at cisecurity.org.) This is also a free resource that you can download and use.
CIS recommends that small businesses focus on three top risk controls: security awareness and skills training, data recovery, and access control management. Mid-size companies should address three more controls: incident response management, application software security and penetration testing.
The Verizon report also contains an interesting development related to virtual money. It notes a sharp increase in breaches involving cryptocurrency compared to last year or 2020, when only one or two cases were reported. Although this isn’t a current issue in hospitality, it’s worth noting for future reference.
Other reliable and useful sources of intel for cybersecurity include:
- SANS NewsBites, a free publication delivered twice a week by email. It features an executive summary format with comments by subject matter experts in the SANS (sysadmin, audit, network, and security) community.
- Threat Intelligence | Symantec Enterprise Blogs (security.com). This blog offers more technically oriented information and describes specific activities, but it consistently provides current information.