• United States



Bob Violino
Contributing writer

What kind of target are you?

Sep 30, 20138 mins
Application SecurityCyberattacksCybercrime

Some attackers want money or data, while others hope to make you look bad. What do you have that might put you on a hacker's hit list?

Is your organization a likely target for security attacks? While any company can be victimized by breaches, some enterprises have a much greater chance than others of being on the hit list, according to security experts and executives.

One of the most common ways organizations expose themselves to attacks is by giving cybercriminals a chance to break through. The majority of those that suffer attacks are targets of opportunity — not specifically chosen but attacked because they exhibited a weakness someone knew how to exploit, according to the “2013 Data Breach Investigations Report” from Verizon Enterprise Solutions, a unit of Verizon Communications.

[Social engineering and phishing attacks are getting smarter, but are employers?]

“An opportunistic attack happens because the attacker was presented with an opportunity and said, ‘Why not?'” says Wade Baker, managing principal of the Verizon Risk Team and principal author of the data breach report.

More often than not in these cases, the organizations had something connected to the Internet that shouldn’t have been, Baker says. Certain services companies run online “are like a beacon that says ‘attack me,'” he says. “Cybercriminals are constantly running scans looking for known vulnerabilities such as FTP, and if you’re running FTP and expose that on the Internet, it’s almost certain that you will have attacks aimed your way.”

Organizations that do an extremely poor job taking care of the basics, such as operating system and device patching and configuration and secure application coding, are far more likely to fall victim to opportunistic attackers who are looking for the easy targets, says Bob Rudis, director of enterprise information security and IT risk management at Liberty Mutual Insurance.

“It’s far too easy to do a basic vulnerability scan or even just perform lookups in SHODAN [a search engine] to hunt for potential victims, Rudis says. “It’s almost a guarantee that if you have something that is Internet-facing and haven’t done the bare-minimum basics, you’re going to have those assets fall victim to a successful attack. Whether that results in a full-on breach or not is a variable that has many factors.”

Three-quarters of breaches result from simple opportunistic attacks, not highly determined and sophisticated groups, according to the Verizon report. The study consists of data – covering more than 47,000 reported security incidents and 621 confirmed data breaches from the past year – gathered from 19 global organizations, including law-enforcement agencies, national incident-reporting entities, research institutions and private security firms.

While the exact percentage of attacks that result from vulnerability scans is difficult to ascertain, Baker is fairly sure it’s a large majority of all cyberattacks, possibly more than 90 percent. “This [scanning] goes on constantly,” he says. Attackers are looking at point-of-sale systems, certain types of remote desktop services, blogging platforms, and other systems that can have weaknesses.

“There are so many [vulnerabilities] out there, and there are different lists where people can find vulnerabilities,” Baker says. “They show what actions and techniques different criminals use.”

But online exposure isn’t the only problem that makes companies targets for attack.

“Attackers look for vulnerabilities in both machines and people,” says Phil Hochmuth, program manager of security products at research firm IDC, which is owned by CSO’s parent company. “This is to say, they scan Web servers for vulnerabilities which could be exploited to gain access to sensitive data, [and] they also look at individuals working for target organizations and go after them with targeted attacks, with the goal of getting access via the employee’s credentials or identity.”

The Verizon report notes that “all kinds of organizations – from government agencies to iconic consumer brands, Internet startups to trusted financial institutions – have reported major data breaches in the last year.” But it also shows that certain characteristics make some companies more likely targets.

For example, 37 percent of breaches during the past year affected financial organizations (more than any other type of business); 24 percent of attacks occurred in retail environments and restaurants; and 20 percent of network intrusions involved manufacturing, transportation and utilities.

[Seductive technology: What are its implications for data security?]

Although most attacks are opportunistic, according to the report, that’s not to say all attackers lack motives when they select targets. Often organizations are singled out because they have something that’s enticing to a hacker or other criminal, or are known to be vulnerable to particular types of attacks, Baker says.

“They are targeted because of the types of data they have,” Baker says. “So for financially motivated crimes, if you process payments or credit cards, then you’re a target. If it’s online threats, then just by having an IP address, you’re a target. If it’s espionage, if you have intellectual property that people want, then that makes you more of a target.”

Avivah Litan, vice president and distinguished analyst at research firm Gartner, agrees that many cybercriminals are going after specific types of data, and they’re taking aim at specific types of technology tools companies use so that they can break in and achieve financial gain.

For example, online retailers might be a likely target of breaches because they use shopping carts or certain point-of-sale systems that are vulnerable to security breaks. Cybercriminals “go out there and study which sites have the equipment they know” is vulnerable, Litan says. “They go where the money is,” she says. “Any financial services company, a payments processor or a bank or a mutual fund firm [is vulnerable]. They’re attacked all the time.”

Rudis agrees that organizations that have fluid financial assets, such as banks, are going to continue to be targets at both the technology level and the personnel level, “and by a cadre of different actors” including organized crime, activists and terrorists.

But there are plenty of other motives that drive bad guys to attack particular targets. “Organizations with valuable intellectual property – software, pharmaceutical, electronics, manufacturing – are likely targets, as they potentially have digital assets that could be valuable to a competitor,” Hochmuth says.

High-tech companies, such as chip or disk-drive manufacturers, are also a huge target because of the product information they have, Litan says. Security companies are targets because criminals are looking for insights they can use to break into systems or exploit weaknesses in software. Organizations that either support controversial issues or get into the headlines for other reasons can become the targets of activists, Rudis says.

Utility companies might be a target for hackers who are looking to take down the power grid. Other likely targets include patent firms (for intellectual property) and healthcare organizations (for insurance scams).

In short, “if a company has something the bad guys want, it will be a target,” Litan says. “I don’t think criminals necessarily know who has lapsed security processes. But any company with lax processes is more vulnerable than ones that are better prepared.”

[Still going rogue in the cloud]

Indeed, the way companies use technology resources, such as social networking, can play a key role in opening them up to security breaches.

“If a major corporation doesn’t think about how it uses social media at all and just blabs on about anything, it certainly can become a target,” Baker says. “We’ve seen that, where companies engage in something that is viewed by a certain segment of the population as being out of step. Attacks have started because of that. Social media is a good way to be out there, but it can backfire.”

Rudis agrees that social media, if used incorrectly, can make organizations targets for attack. “If an organization has a large population on social media or they use social media in ways that attract the wrong kind of attention, they will definitely need to pay attention to that vector,” he says.

Attackers may also factor in the size of the organization when deciding who to target. Small and midsize businesses (SMBs) might be particularly vulnerable because they lack resources and sophisticated security programs.

“SMBs are increasingly being targeted, especially small e-commerce firms or financial organizations,” Hochmuth says. “These companies often have a bad combination of circumstances: limited IT resources and security technology, combined with something [digital] worth stealing, usually customer payment data. Criminals have targeted these types of companies for years, especially as large enterprises have begun investing more in information security.”

It’s not necessarily a matter of attackers specifically looking for smaller businesses to attack. But in scanning for vulnerabilities, they’re liable to come across organizations that have left themselves open for attack — and often it’s smaller companies that don’t have the resources or the knowledge to lock themselves down, Baker says.

Franchises can also be at risk, because when hackers find a vulnerability that they can exploit against one franchisee, that same exploit often works on other franchisees as well.

Clearly, there are many factors that can make organizations targets for security attacks. Companies must be diligent about implementing the proper security mechanisms, and if necessary, revamping processes or the way they expose information and systems to minimize their risk.

Bob Violino is a freelance writer and editor. He can be reached at