The 2014 Trustwave Global Security Report has revealed that, while payment card data continues to top the list of the types of data compromised, at least 45% of data thefts in 2013 involved confidential, non-payment card data – a 33% increase from 2012.
Non-payment card data includes other sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.
This is one of the findings from the newly-released report, which reveals the top cybercrime, data breach and security threat trends from 2013. The report includes the type of information most targeted, industries most compromised, how criminals typically got inside, when victims identified an attack, notable malware trends and other critical components of breaches that matter to businesses.
It also reveals how cybercrime is impacting different regions of the world and offers recommendations for businesses to help them fight cybercrime, protect their data and reduce security risks.
Trustwave experts gathered the data from 691 breach investigations (a 54% increase from 2012) across 24 countries in addition to proprietary threat intelligence gleaned from the company’s five global Security Operations Centres, telemetry from security technologies and on-going threat research. All of the data was collected and analysed by Trustwave experts.
E-commerce breaches were the most rampant making up 54% of assets targeted. Point-of-sale (POS) breaches accounted for 33% of our 2013 investigations and data centres made up 10%. Trustwave experts expect POS and e-commerce compromises to dominate into 2014 and beyond.
When ranking the top ten victim locations, the report reveals the United States overwhelmingly house the most victims at 59%, which was more than four times as many as the next closest victim location, the United Kingdom,
at 14%. Australia was ranked third, at 11% followed by Hong Kong and India, both at two%. Canada was ranked sixth at 1%, tied with New Zealand, Ireland, Belgium and Mauritius.
Similar to 2012, retail once again was the top industry compromised making up 35% of the breaches Trustwave investigated in 2013. Food and beverage ranked second at 18% and hospitality ranked third at 11%.
Criminals continued to use malware as one of the top methods for getting inside and extracting data.
The top three malware-hosting countries in 2013 were the United States (42%), Russia (13%) and Germany (9%).
Criminals relied most on Java applets as a malware delivery method – 78% of exploits Trustwave detected took advantage of Java vulnerabilities.
Eighty-five percent of the exploits detected in 2013 were of third party plug-ins, including Java, Adobe Flash and Acrobat Reader.
Overall spam made up 70% of inbound mail, however malicious spam dropped five% in 2013. Fifty-nine% of malicious spam included malicious attachments and 41% included malicious links.
Unbeknown to them, employees and individual users often open the door to criminals by using easily-guessable passwords. Trustwave experts found weak passwords led to an initial intrusion in 31% of compromises.
In December 2013, security researchers at Trustwave discovered a Pony botnet instance that compromised approximately two million accounts for popular websites. When analysing those compromised credentials, Trustwave found that “123456” topped the list of the most commonly used password followed by “123456789,” “1234” and then “password.” Nearly 25% of the usernames had passwords stored for multiple sites.
At least 96% of applications scanned by Trustwave in 2013 harboured one or more serious security vulnerabilities. The finding demonstrates the need for more application security testing during the development, production and active phases.
Trustwave experts found that self-detection continued to be low with 71% of compromised victims not detecting breaches themselves. However, the data also demonstrates how critical self-detection is improving the timeline to containment and therefore limiting the overall damage.
For example, the median number of days it took organisations that self-detected a breach to contain the breach was one day whereas it took organisations 14 days to contain the breach when it was detected by a third party
The report also reveals the median number of days from initial intrusion to detection was 87 and the median number of days from detection to containment was seven. Upon discovery of a breach, 67% of victims were able to contain it within 10 days.
From 2012 to 2013, there was a decrease in the amount of time an organisation took to contain a breach. In half of the compromises investigated by Trustwave, the victim contained the breach within four months of the initial intrusion.
“Security is a process that involves foresight, manpower, advanced skillsets, threat intelligence and technologies. If businesses are not fully equipped with all of these components, they are only increasing their chances of being the next data breach victim,” says Robert McCullen, Chairman and CEO of Trustwave.
“As we have seen in our investigations, breaches are going to happen. However, the more information businesses can arm themselves with regarding who are their potential attackers, what those criminals are after and how their team will identify, react and remediate a breach if it does occur, is key to protecting their data, users and overall business.”
The 2014 Trustwave Global Security Report recommends businesses implement the following action plan:
* Protect users from themselves – educate employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing. Invest in gateway security technologies as a fall back to automate protection from threats such as zero-day vulnerabilities, targeted malware and malicious email.
* Annihilate weak passwords – implement and enforce strong authentication policies. Thirty% of the time, an attacker gains access because of a weak password. Strong passwords – consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers – play a vital role in helping prevent a breach.
Even better are passphrases that include eight to 10 words that make up a sentence that only the user knows. Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user’s mobile phone.
* Protect the rest – secure all of your data, and don’t lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets – from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine on-going testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.
* Model the threat – model the threat and test your systems’ resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker’s perspective to your systems (a threat model). A penetration test transcends merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data.
* Plan your response – develop, institute and rehearse an incident response plan. Identify what sorts of events or indicators of compromise will trigger your incident response plan. A plan will help make your organisation aware of a compromise sooner, limit its repercussions and shorten its duration.
