Highlights from 450 global data breach investigations

Trustwave released details form a report that highlights details and trends from 450 global data breach investigations, 2,500 penetration tests, nine million Web application attacks, two million network and vulnerability scans, five million malicious websites, 20 billion e-mails as well as research and analysis of zero-day security threats.

For the first time, the retail industry made up 45 percent of Trustwave data breach investigations (a 15 percent increase from 2011) with e-commerce attacks emerging as a growing trend surpassing the amount of point-of-sales attacks.

Mobile malware increased 400 percent, with malware found on Android devices growing from 50,000 to more than 200,000 samples.

The report also revealed that out of three million user passwords analyzed, 50 percent of business users are still using easily-guessed passwords—the most common being “Password1” because it often meets the minimum standard for acceptable passwords. The findings indicated that in 2012, nearly every industry, country and type of data was involved in a breach of some kind with cyber-security threats increasing as quickly as businesses can implement measures against them.

Key findings:

• Applications emerged as the most popular attack vector. E-commerce sites were the number one targeted asset accounting for 48 percent of all investigations.
• 64 percent of organizations attacked took more than 90 days to detect an intrusion with the average time for detection being 210 days — 35 days longer than in 2011; 5 percent took more than three years to identify the criminal activity. Most victim organizations still rely on third parties, customers, law enforcement or a regulatory body to notify them a breach has occurred – a worldwide security problem.
• Employees leave the door open to further attacks. Whether due to lack of education or policy enforcement, employees pick weak passwords, click on phishing links and share company information on social and public platforms.
• Attacks were discovered in 29 different countries. The largest percentage, 34.4 percent,originated in Romania.
• Spam volume shrank in 2012 but still represents 75.2% percent of a typical organization’s inbound e-mail and roughly 10 percent of spam messages are malicious.
• Businesses seem to be rapidly adopting an outsourced, third-party information technology operations model. 63 percent of investigations revealed a third party responsible for system support, development or maintenance, introduced security deficiencies easily exploited by hackers.
• The two most noteworthy methods of intrusion, SQL injection and remote access, made up73 percent of the infiltration methods used by criminals in 2012.
• Out of the 450 cases investigated in 2012, about 40 variations of malware were found. Trustwave attributed the 40 unique types of malware to six criminal groups. Three criminal teams caused the majority of payment of service credit card breaches. Russia and the U.S. are the largest contributors when it comes to malware attacks making up 39.4 percent and 19.7 percent of hosted malware, respectively.

To improve security posture, Trustwave recommends six focus areas for organizations in 2013:

Educate employees. Employees are the first line of defense against attackers. Organizations should conduct security awareness training on a regular basis for all existing and new employees.

Identify Users. Every user-initiated action should be tagged to a specific person, whether in a physical or digital environment. Every year, a significant number of data breaches occur as the result of an attacker obtaining access to a user’s account.

Register Assets. With the increase of bring-your-own-device (BYOD), it is more important than ever to have a complete inventory or registry of valid devices. A device should never be allowed access to a controlled environment unless it’s registered and known. In addition, the patch levels and vulnerabilities should be assessed on a regular basis not only to work to improve the security of those in the environment but also to understand what risks exist when issues can’t be resolved in the short term.

Protect Data. Attacks are more sophisticated than ever, and keeping cybercriminals out requires a multi-faceted approach. Businesses should implement a “more than technology” approach to security that includes team training and education, secure code review, and periodic penetration and vulnerability testing for e-commerce Web applications, as well as a data lifecycle methodology that governs data from creation to destruction. They should also create resiliency in systems by layering proven technologies such as a powerful secure Web gateway and a Web application firewall that can be deployed to improve protection and performance of business-critical applications, with virtual patching capabilities that combat threats in real-time.

Unify Activity Logs. Most businesses today treat physical and information security controls separately. Badge systems, HR records, and even loss prevention are not typically tied to the same team that monitors firewalls, intrusion detection and other security technology. Businesses should employ technology like security information and event management (SIEM) to take over the processing of these logs.

Visualize Events. The ultimate goal for organizations should be to develop an environment in which security threats are discovered innately-by both responsible security professionals and others in the organization. Security event visualization allows businesses to identify patterns, emerging vulnerabilities and attacks, and respond quickly and decisively across the organization when an attack does occur. Using the right data sources, advanced SIEM analytics, and data modeling, security event visualization prepares businesses to effectively mitigate current and future threats.

The complete report will be available on February 20.