Vast majority of tested applications have at least one vulnerability: cyber security report

Cyber criminals are increasingly making use of malware-as-a-service, an issue of concern given that 97% of applications tested by Trustwave in 2015 had at least one vulnerability, note findings from the 2016 Trustwave Global Security Report.

While the lion’s share of applications tested last year had at least one vulnerability, 10% of the vulnerabilities discovered were rated as critical or high risk, notes the report, based on hundreds of real-life data breach investigations, billions of security and compliance events and thousands of penetration tests across 17 countries in 2015. The median number of vulnerabilities discovered per application by Trustwave’s security testing service was 14.

Detailing the top cyber crime, data breach and security threat trends from 2015, the report examines cyber crime as a business model and the methods used to maximize profits from malicious attacks.

“The most common vulnerability types included session management vulnerabilities, information leakage vulnerabilities, and cross-site vulnerabilities,” notes a statement from Trustwave – which uses tools such as managed security services and ethical hackers to help businesses fight cyber crime, protect data and reduce security risk – announcing the release of the report Tuesday.

The report points out that 64% of the applications had session management vulnerabilities, up from 58% in 2014. “Session management vulnerabilities can allow an attacker to take over or eavesdrop on a user session, which can place sensitive information at risk,” it explains. [Click on image below to enlarge)

Cyber crime is becoming a lucrative business, Trustwave suggests, pointing out that it was demonstrated in last year’s report “how attackers launching a malware infection campaign could expect to earn a breathtaking US$84,100 in profit from an initial investment of just US$5,900” in just 30 days. “In parts of the world where many attacks originate, the prospect of that kind of money can mean a trip out of poverty,” the latest report states.

“Cyber criminals have been congregating and organizing for years, but 2015 showed a marked increase in the behaviour we would normally associate with legitimate businesses,” says Robert McCullen, CEO and president of Trustwave.

“The biggest cyber crime operations are essentially computer software and services companies, albeit illicit ones. Developers create tools that they sell or rent to customers through online black markets, complete with sales, money-back guarantees, and reputation systems,” notes the report.

“As enterprise software vendors have increasingly moved to the cloud, so too have malware vendors. Where once prospective cyber criminals bought exploit kits as packaged software, today they pay for access to a central server administered by the exploit kit maker, who keeps it stocked with the freshest exploits and all the tools one needs to exploit thousands of unsuspecting computers. Malware-as-a-service,” the report adds.

In all, 42% of the malware observed by Trustwave used obfuscation, while 33% used encryption.

Perhaps less surprising are the types of businesses being targeted. Retail was the most compromised industry, accounting for 23% of Trustwave investigations, followed by hospitality at 14%, and food and beverage at 10%.

The company cites a big hike in compromises affecting corporate and internal networks, more than doubling to 40% in 2015 from 18% in 2014.

That said, 38% of its investigations related to e-commerce breaches, down from 42% in 2014, and 22% of investigations were of point-of-sale (POS) breaches. “POS compromises decreased eighteen percentage points from 2014 to 2015, making up 40% of Trustwave investigations in 2014 and 33% in 2013,” the statement notes.

As the increasing adoption of so-called chip-and-PIN payment card technology finally began to reduce the attack surface for POS systems, “criminals shifted their focus slightly from broad-based attacks on retail to a tighter focus on specific industries and platforms,” the report adds.

In all, “85% of compromised e-commerce systems used the Magento open-source platform. At least five critical Magento vulnerabilities were identified in 2015, and most of the affected systems were not fully updated with security patches,” Trustwave reports.

“Depressingly – but predictably – most of the affected systems were not fully up to date with security patches, with some being behind by more than 12 months,” the report adds. “With so much attention being paid to zero-day vulnerabilities, it’s vital to remember that it doesn’t matter how fast a vendor releases a patch if the patch is never applied.”

Company investigations determined that in 60% of cases, attackers were after payment card data, split about evenly between card track (magnetic stripe) data (31% of incidents), which came mainly from POS environments, and card-not-present, or CNP, data (29%), which mostly came from e-commerce transactions.

The report notes that in 10% of the cases examined, the attackers simply sought to destroy or damage information rather than to collect it. “Other attackers sought proprietary information (11%), financial credentials (7%), and personally identifiable information (4%). In some cases, multiple types of data were exposed and targeted, meaning that the exposure of any one type of data does not reflect the totality of the breach.” [Click on image to enlarge]

Regionally, 35% of data breach investigations conducted by Trustwave occurred in North America, 21% were in the Asia-Pacific Region, 12% were in Europe, the Middle East and Africa, and 10% were in Latin America and the Caribbean.

Methods of intrusion varied widely, with a number of factors – ranging from insecure remote access software and policies to weak passwords – contributing to compromise. [Click on image below to enlarge]

The report highlights some stark geographical differences, including that 24% of breaches in North America were discovered by law enforcement agencies in 2015 compared to 0% elsewhere in the world. “The longer a data compromise lasts, the more harm the attacker can do, and the more costly the breach can be,” it emphasizes.

Overall, 59% of breach victims did not detect breaches themselves, although self-detection increased from 19% in 2014 to 41% in 2015. Self-detection leads to quicker containment of a breach. Still, for self-detected breaches in 2015, a median of 15 days elapsed from intrusion to containment.

“In cases where the victims did not learn of the breach before being notified of it by regulatory bodies, law enforcement or other third parties, the duration was usually much longer. (Compromises detected by regulatory bodies, card brands and merchant banks accounted for 36% of incidents, with law enforcement agencies and other third parties accounting for 11% each.)

The median time between intrusion and detection for externally detected compromises was 168 days in 2015, up from 126 in 2014, the report notes.

“In an unusual and unwelcome development, a small percentage of the compromises in 2015 were first reported by the attackers themselves, often for blackmail purposes,” the report states.

Trustwave notes that duration varied greatly. “The median number of days from the first intrusion to detection of the compromise decreased from 86 days in 2014 to 80.5 days in 2015, with values ranging from zero days to 2,000 days,” the report points out. “Once intrusions were detected, they were usually contained quickly. The median number of days from detection to containment decreased from seven days in 2014 to two days in 2015.”

“The cost and effort of securing a network against data compromise pales in comparison to the cost and effort of cleaning up after a breach,” the report emphasizes. Trustwave offers the following recommendation for customers looking to mitigate the risk they face from data compromise:

• firewall configuration – among other things, systems connected to a payment processing environment should not be allowed to “surf” the web, and all firewalls should be hardware-based and should provide stateful packet inspecting capabilities;
• passwords – among other things, passwords should be changed at least every 90 days, and each user should have his or her own unique account so that activities on a system can be tracked;
• systems configuration – among other things, ensure that system-hardening guidelines are in place to address known vulnerabilities and security threats, and implement a strong change control process to track all changes made to systems in the environment;
• remote access solution – among other things, use two-factor authentication for all remote access into the environment, and enable auditing and logging for remote access into the environment;
• malware removal – among other things, ensure anti-virus software is current on all systems and that it is set to update virus definitions;
• logging and monitoring – among other things, conduct a daily review of the logs from all devices, implement an intrusion detection system and implement file-integrity monitoring software;
• patch management – among other things, patch the operating system within 30 days of vendor-released security patches/hotfixes;
• external and internal scanning – among other things, regularly conduct external and internal scanning to proactively find and remediate vulnerabilities; and
• policy and procedures – conduct employee security awareness training to educate employees, and ensure that systems that handle sensitive data only be used for business purposes.

“Though the tactics used by exploit kits and advanced persistent threats change constantly, one thing remains constant: exploit writers like to seek out the low-hanging fruit,” the report notes. “When one technology becomes too difficult to exploit effectively, attackers move on to another.”