Cybercrime attack targets, victims, motivations and methods - Business Works
BW brief

Cybercrime attack targets, victims, motivations and methods

by John Yeo, EMEA Director, Trustwave In the midst of the current 'two-week security' attack global threat, John Yeo, EMEA Director at Trustwave looks at the type of information most targeted, industries most compromised, how criminals typically got inside, when victims identified an attack, notable malware trends and other critical components of breaches that matter to businesses. How cybercrime is impacting different regions of the world and offers recommendations for businesses to help them fight cybercrime, protect their data and reduce security risks.

We gathered the data from 691 breach investigations (a 54% increase from 2012) across 24 countries, in addition to proprietary threat intelligence gleaned from the company's five global Security Operations Centers, telemetry from security technologies and ongoing threat research. All of the data were collected and analysed to produce our latest 2014 Global Security Report.

Data systems targeted

  • While payment card data continued to top the list of the types of data compromised, the report notes that 45% of data thefts in 2013 involved confidential, non-payment card data — a 33% increase from 2012. Non-payment card data includes other sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.

  • E-commerce breaches were the most rampant making up 54 percent of assets targeted. Point-of-sale (POS) breaches accounted for 33% of our 2013 investigations and data centers made up 10%. Trustwave experts expect POS and e-commerce compromises to dominate into 2014 and beyond.

Victims of compromise

  • When ranking the top ten victim locations, the report reveals the United States overwhelmingly house the most victims at 59%, which was more than four times as many as the next closest victim location, the United Kingdom, at 14%. Australia was ranked third, at 11%, followed by Hong Kong and India, both at two percent. Canada was ranked sixth at one percent, tied with New Zealand, Ireland, Belgium and Mauritius.

  • Similar to 2012, retail once again was the top industry compromised making up 35% of the breaches Trustwave investigated in 2013. Food and beverage ranked second at 18% and hospitality ranked third at 11%

Intrusion methods

Malware everywhere ...

  • Criminals continued to use malware as one of the top methods for getting inside and extracting data. The top three malware-hosting countries in 2013 were the United States (42%), Russia (13%) and Germany (9%).

  • Criminals relied most on Java applets as a malware delivery method — 78% of exploits we detected took advantage of Java vulnerabilities.

  • 85% of the exploits detected in 2013 were of third party plug-ins, including Java, Adobe Flash and Acrobat Reader.

  • Overall spam made up 70% of inbound mail, however malicious spam dropped five percent in 2013. Fifty-nine percent of malicious spam included malicious attachments and 41% included malicious links.

User accidents

  • Unbeknownst to them, employees and individual users often open the door to criminals by using easily-guessable passwords. Our experts found weak passwords led to an initial intrusion in 31% of compromises.

  • In December 2013, our security researchers discovered a Pony botnet instance that compromised approximately two million accounts for popular websites. When analysing those compromised credentials, Trustwave found that '123456' topped the list of the most commonly used password followed by '123456789', '1234' and then 'password'. Nearly 25% of the usernames had passwords stored for multiple sites.
[Check our recent article on Five simple steps to a truly secure password and be safe!]

Application vulnerabilities

  • 96% of applications we scanned in 2013 harbored one or more serious security vulnerabilities. The finding demonstrates the need for more application security testing during the development, production and active phases.

Detecting a compromise

  • Our experts found that self-detection continued to be low, with 71% of compromised victims not detecting breaches themselves. However, the data also demonstrates how critical self-detection is improving the timeline to containment and therefore limiting the overall damage. For example, the median number of days it took organisations that self-detected a breach to contain the breach was one day whereas it took organisations 14 days to contain the breach when it was detected by a third party.

  • The report also reveals the median number of days from initial intrusion to detection was 87 and the median number of days from detection to containment was seven. Upon discovery of a breach, 67% of victims were able to contain it within 10 days. From 2012 to 2013, there was a decrease in the amount of time an organisation took to contain a breach. In half of the compromises investigated by Trustwave, the victim contained the breach within four months of the initial intrusion.

"Security is a process that involves foresight, manpower, advanced skillsets, threat intelligence and technologies. If businesses are not fully equipped with all of these components, they are only increasing their chances of being the next data breach victim," said Robert McCullen, Chairman and CEO at Trustwave. "As we have seen in our investigations, breaches are going to happen. However, the more information businesses can arm themselves with regarding who are their potential attackers, what those criminals are after and how their team will identify, react and remediate a breach if it does occur, is key to protecting their data, users and overall business."

Action plan

We recommend businesses implement the following action plan:

  1. Protect users from themselves: Educate employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing. Invest in gateway security technologies as a fallback to automate protection from threats such as zero-day vulnerabilities, targeted malware and malicious e-mail.

  2. Annihilate weak passwords: Implement and enforce strong authentication policies. Thirty percent of the time, an attacker gains access because of a weak password. Strong passwords - consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers - play a vital role in helping prevent a breach. Even better are passphrases that include eight to ten words that make up a sentence that only the user knows. Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user's mobile phone.

  3. Protect the rest: Secure all of your data and don't lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets - from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine ongoing testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.

  4. Model the threat: Model the threat and test your systems' resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker's perspective to your systems (a threat model). A penetration test transcends merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data.



Download a complimentary copy of the full 2014 Trustwave Global Security Report: here



Tweet article
BW on TwitterBW RSS feed