Symantec’s new “2016 Internet Security Threat Report” summarized some troubling trends that affect the security of computer users on networks.

In the 80-page report, the firm discovered a total of more than 430 million unique pieces of malware in 2015, up 36 percent from 2014. A new zero-day vulnerability was discovered, on average, once each week in 2015. Symantec puts the cumulative number at 54, which is a 125 percent increase from the year before.

Zero-Day Vulnerabilities on the Rise

Attack groups exploit these zero-day vulnerabilities until they are publicly exposed, at which point they drop them in favor of other newly discovered vulnerabilities, according to Symantec. The report noted the hunt for zero-day exploits is being professionalized rather than executed by lone cybercriminals.

Symantec also found the most attractive target is widely used software such as Internet Explorer and Adobe Flash Player. In fact, the report said four of the five most exploited zero-day vulnerabilities in 2015 were in Flash.

Microsoft was also a popular target for malicious zero-day developers. The top 10 zero-day vulnerabilities found targeting MS software were distributed across Microsoft Windows (6), Internet Explorer (2) and Microsoft Office (2). Four other zero-day vulnerabilities focused on Android software.

Website Vulnerabilities

It’s not just zero-day attacks that cause problems. The threat report found that more than 75 percent of all legitimate websites have unpatched vulnerabilities that can be exploited.

More seriously, 15 percent of legitimate websites have critical vulnerabilities that allow cybercriminals to gain access to and manipulate these sites for their own purposes. Symantec attributed this to website administrators failing to secure their websites through the application of manufacturers’ patches.

Malware may also use site plugins as an infection vector. Windows obviously attracts many exploits because of its large user base, and the same applies to WordPress plugins. WordPress is estimated to power one-fourth of the world’s websites, and Symantec stated that “vulnerable plugins found on WordPress sites can and will be exploited.”

Nondisclosure by Victims

One trend causing worry among experts is companies choosing not to report the records they lost in a breach. This number rose by 85 percent, from 61 to 113.

“More and more companies aren’t actually revealing what was breached,” Kevin Haley, director of security response at Symantec, told CSO Online. “They will say attackers came and stole from us, but [are] not saying how many records were lost.”

Not all companies have to disclose all the details of every breach, he explained. The disclosure laws vary by location and industry.

Companies affected by a breach may worry that such acknowledgment will only inflame those whose records were breached, but disclosure is necessary to regain trust. There will never be effective security through obscurity. Only an open policy of dealing with all the effects of a breach can bring stability to a bad situation.

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read