April 15, 2016 By Larry Loeb 2 min read

Symantec’s new “2016 Internet Security Threat Report” summarized some troubling trends that affect the security of computer users on networks.

In the 80-page report, the firm discovered a total of more than 430 million unique pieces of malware in 2015, up 36 percent from 2014. A new zero-day vulnerability was discovered, on average, once each week in 2015. Symantec puts the cumulative number at 54, which is a 125 percent increase from the year before.

Zero-Day Vulnerabilities on the Rise

Attack groups exploit these zero-day vulnerabilities until they are publicly exposed, at which point they drop them in favor of other newly discovered vulnerabilities, according to Symantec. The report noted the hunt for zero-day exploits is being professionalized rather than executed by lone cybercriminals.

Symantec also found the most attractive target is widely used software such as Internet Explorer and Adobe Flash Player. In fact, the report said four of the five most exploited zero-day vulnerabilities in 2015 were in Flash.

Microsoft was also a popular target for malicious zero-day developers. The top 10 zero-day vulnerabilities found targeting MS software were distributed across Microsoft Windows (6), Internet Explorer (2) and Microsoft Office (2). Four other zero-day vulnerabilities focused on Android software.

Website Vulnerabilities

It’s not just zero-day attacks that cause problems. The threat report found that more than 75 percent of all legitimate websites have unpatched vulnerabilities that can be exploited.

More seriously, 15 percent of legitimate websites have critical vulnerabilities that allow cybercriminals to gain access to and manipulate these sites for their own purposes. Symantec attributed this to website administrators failing to secure their websites through the application of manufacturers’ patches.

Malware may also use site plugins as an infection vector. Windows obviously attracts many exploits because of its large user base, and the same applies to WordPress plugins. WordPress is estimated to power one-fourth of the world’s websites, and Symantec stated that “vulnerable plugins found on WordPress sites can and will be exploited.”

Nondisclosure by Victims

One trend causing worry among experts is companies choosing not to report the records they lost in a breach. This number rose by 85 percent, from 61 to 113.

“More and more companies aren’t actually revealing what was breached,” Kevin Haley, director of security response at Symantec, told CSO Online. “They will say attackers came and stole from us, but [are] not saying how many records were lost.”

Not all companies have to disclose all the details of every breach, he explained. The disclosure laws vary by location and industry.

Companies affected by a breach may worry that such acknowledgment will only inflame those whose records were breached, but disclosure is necessary to regain trust. There will never be effective security through obscurity. Only an open policy of dealing with all the effects of a breach can bring stability to a bad situation.

More from

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Can memory-safe programming languages kill 70% of security bugs?

3 min read - The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software." The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages. This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today