Cybercrime attack targets, victims, motivations and methods
Trustwave experts gathered the data from 691 breach investigations (a 54 percent increase from 2012) across 24 countries in addition to proprietary threat intelligence gleaned from the company’s five global security operations centers, telemetry from security technologies and ongoing threat research.
While payment card data continued to top the list of the types of data compromised, 45 percent of data thefts in 2013 involved confidential, non-payment card data—a 33 percent increase from 2012. Non-payment card data includes other sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.
E-commerce breaches were the most rampant making up 54 percent of assets targeted. Point-of-sale (POS) breaches accounted for 33 percent of our 2013 investigations and data centers made up 10 percent. Trustwave experts expect POS and e-commerce compromises to dominate into 2014 and beyond.
When ranking the top ten victim locations, the United States overwhelmingly house the most victims at 59 percent, which was more than four times as many as the next closest victim location, the United Kingdom, at 14 percent. Australia was ranked third, at 11 percent followed by Hong Kong and India, both at two percent. Canada was ranked sixth at 1 percent, tied with New Zealand, Ireland, Belgium and Mauritius.
Similar to 2012, retail once again was the top industry compromised making up 35 percent of the breaches Trustwave investigated in 2013. Food and beverage ranked second at 18 percent and hospitality ranked third at 11 percent.
96 percent of applications scanned by Trustwave in 2013 harbored one or more serious security vulnerabilities. The finding demonstrates the need for more application security testing during the development, production and active phases.
Malware everywhere:
- Criminals continued to use malware as one of the top methods for getting inside and extracting data. The top three malware-hosting countries in 2013 were the United States (42 percent), Russia (13 percent) and Germany (9 percent).
- Criminals relied most on Java applets as a malware delivery method—78 percent of exploits Trustwave detected took advantage of Java vulnerabilities.
- Eighty-five percent of the exploits detected in 2013 were of third party plug-ins, including Java, Adobe Flash and Acrobat Reader.
- Overall spam made up 70 percent of inbound mail, however malicious spam dropped five percent in 2013. Fifty-nine percent of malicious spam included malicious attachments and 41 percent included malicious links.
Detecting a compromise:
- Self-detection continued to be low with 71 percent of compromised victims not detecting breaches themselves. However, the data also demonstrates how critical self-detection is improving the timeline to containment and therefore limiting the overall damage. For example, the median number of days it took organisations that self-detected a breach to contain the breach was one day whereas it took organisations 14 days to contain the breach when it was detected by a third party.
- The median number of days from initial intrusion to detection was 87 and the median number of days from detection to containment was seven. Upon discovery of a breach, 67 percent of victims were able to contain it within 10 days. From 2012 to 2013, there was a decrease in the amount of time an organisation took to contain a breach. In half of the compromises investigated by Trustwave, the victim contained the breach within four months of the initial intrusion.
“Security is a process that involves foresight, manpower, advanced skillsets, threat intelligence and technologies. If businesses are not fully equipped with all of these components, they are only increasing their chances of being the next data breach victim,” said Robert J. McCullen, Chairman and Chief Executive Officer at Trustwave. “As we have seen in our investigations, breaches are going to happen. However, the more information businesses can arm themselves with regarding who are their potential attackers, what those criminals are after and how their team will identify, react and remediate a breach if it does occur, is key to protecting their data, users and overall business.”
Trustwave recommends businesses implement the following action plan:
Protect users from themselves: Educate employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing. Invest in gateway security technologies as a fallback to automate protection from threats such as zero-day vulnerabilities, targeted malware and malicious email.
Annihilate weak passwords: Implement and enforce strong authentication policies. Thirty percent of the time, an attacker gains access because of a weak password. Strong passwords—consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers—play a vital role in helping prevent a breach. Even better are passphrases that include eight to 10 words that make up a sentence that only the user knows. Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user’s mobile phone.
Protect the rest: Secure all of your data, and don’t lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets—from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine ongoing testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.
Model the threat: Model the threat and test your systems’ resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker’s perspective to your systems (a threat model). A penetration test transcends merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data.
Plan your response: Develop, institute and rehearse an incident response plan. Identify what sorts of events or indicators of compromise will trigger your incident response plan. A plan will help make your organisation aware of a compromise sooner, limit its repercussions and shorten its duration.