Half a Billion Reasons Why Data Security Still Faces Major Challenges
Today we released the 2014 IBM X-Force Threat Intelligence Quarterly which explores the latest security trends—from malware delivery to mobile device risks—based on 2013 year-end data and ongoing research.
New Quarterly Format and Team Expansion – Introducing Trusteer
The first thing previous readers will notice is that we completely revamped the report in terms of style, format and page count. Previously, the X-Force Trend and Risk Report was over a hundred pages and released twice a year. This marks the first version of the “IBM X-Force Threat Intelligence Quarterly” which as the name suggests, is a four times a year report in a more compact and focused format.
With this edition of the report, we are introducing data collected from the researchers at Trusteer, an IBM company since September, 2013. Trusteer technology and research focuses on preventing the root cause of most fraud: malware and phishing attacks that compromise customers’ computers and mobile devices.
We are pleased to welcome Trusteer to IBM and to this report.
— IBM Security (@IBMSecurity) February 24, 2014
Central Strategic Targets are the Focus of Security Incidents
Since 2011, IBM X-Force has been reporting on the steady increase and scope of security incidents, data breaches and cyber-attacks. At the mid-year of 2013, we looked at how attackers were optimizing their operations around methods which included a path of least resistance to reach the largest number of potential targets for the minimal amount of exploit effort. This methodology continues into 2014.
Central strategic targets, which provided easy access to thousands of personal records in one location, continued to be the focus in 2013 rather than going through smaller individual attack efforts. Some of these include:
- DNS providers
- Social media networks with large user bases, and
- Popular forum software sites
Distributed denial of service attacks (DDoS), SQL injection (SQLi), and malware were widely used attack techniques, while watering hole attacks (a more focused form of malware), were less common but still effective at targeting niche groups of users.
Across industries, IBM X-Force reported that computer services, governments and financial markets experienced the largest percentage of attacks, with notable efforts exposing weaknesses in point of sale (POS) credit card systems affecting the retail industry and dominating headlines late in the year.
More than half a billion records of personally identifiable information (PII) such as names, emails, credit card numbers and passwords were leaked in 2013—and these security incidents show no signs of stopping.
Malware was the third most-utilized attack type in the security incidents tracked by X-Force.
Attackers use spear-phishing messages to draw users to websites that contain weaponized content such as hidden malicious Java applets (exploit sites). Once the user accesses the exploit site, the hidden Java applet exploits vulnerabilities to cause a chain of events that end with the delivery of the malware to the user’s machine, without the user’s awareness.
Our research showed that end user applications were exploited heavily via Oracle Java, Adobe Reader and popular browsers.
Fifty percent (50%) of the exploits observed by X-Force malware research (Trusteer) in December 2013 targeted Oracle Java vulnerabilities indicating Java as a high risk application and top target, exposing organizations to attacks. Adobe Reader and popular browsers were the next most common application targets for these exploits.
Java is a widely deployed high-risk application that exposes organizations to advanced attacks. The number of Java vulnerabilities has continued to rise over the years, and 2013 was no exception. The number of reported Java vulnerabilities jumped significantly between 2012 and 2013, more than tripling.
Research has indicated that with this increase in vulnerabilities, there has been a significant increase in Java exploits as well, as evidenced by half of the observed sample customers affected. This was a result of the discoveries of new zero-day vulnerabilities and the introduction of exploits into popular exploit toolkits.
Within the report we also discuss the challenges faced by executives when it comes to mobile devices and bring-your-own-device (BYOD) initiatives. There is much hype in the market on the topic of just how vulnerable are these mobile devices? We discuss what the reality versus current perceptions might be on mobile devices.
Finally, within the vulnerability section of the report we discuss the overall trends of publicly disclosed vulnerabilities that are up slightly in 2013 over 2012 numbers, but there are key reporting areas that continue to decline.