June 9, 2015 by Canadian Underwriter
The lion’s share of cyber breaches observed in the 2015 Trustwave Global Security Report were not identified by the victims, Trustwave reports.
Released Tuesday, findings are based on data from 574 data breach forensic investigations by the company across 15 countries in 2014, penetration testing results, threat intelligence from its five global security operations centres, telemetry from security technologies and threat and vulnerability research.
The seventh annual edition of the report reflects hundreds of real-life data breach investigations and proprietary threat intelligence, notes the report.
Trustwave points out 81% of the victims did not identify the breach themselves. Specifically, 86 days was the median length it took to detect a breach, while the median length of a breach (from intrusion to containment) was 111 days.
“10% fewer victims detected a breach themselves in 2014 compared to the year prior. Our 2014 investigations continued to support an assertion we made in 2013: When you’re capable of detecting a breach on your own, or partnering with a managed security services provider that can on your behalf, you detect a breach sooner and contain it quicker,” the report adds.
“Once the breach was detected, the number of days it took victims to contain the breach ranged from -34 days (meaning the attacker intruded upon and left the network before the victim identified it as a breach 34 days later) to 174 days, with a median of seven days (equal to the 2013 median),” the report states. “In only about 15% of cases did a breach begin (intrusion) and end (containment) before it was detected.”
Detection likely speaks to vulnerability. The report indicates that 98% of applications had at least one vulnerability last year, with Trustwave pointing out that the maximum number of vulnerabilities found in a single application was 747.
“Among the most exposed assets of an organization’s infrastructure, applications are a preferred target of cyber criminals,” the report states. “Some of those vulnerabilities are considered more critical than others. Still, to find one-third of applications vulnerable to SQL injection — a high-impact flaw dating back to 1998 — shows that many organizations have a long way to go in protecting themselves from application attacks.”
Looking specifically at email, the report notes 60% of inbound email observed was spam, 6% of spam observed included a malicious attachment or link, and spam campaigns spreading ransomware and malicious macro Office documents were a problem in 2014.
Mobile applications were also an issue, with the report noting that 95% of mobile applications were vulnerable (critical, high-risk, medium-risk or low-risk). In all, 35% had critical issues, 45% had high-risk issues and 6.5 was the median number of vulnerabilities per mobile application.
“In 90% of those apps, vulnerabilities allowed our testers to expose sensitive information, including cardholder data, usernames and/or passwords, personally identifiable information (PII) or even source code,” the report points out.
Cyber attacks can be lucrative for perpetrators. Trustwave reports that in opportunistic attacks, cyber criminals are making an estimated 1,425% return on investment for exploit kit and ransomware schemes, noting that an investment of $5,900 for a one-month ransomware campaign can pocket a profit of $90,000.
“Considering targeted attacks have been responsible for many of the high-profile data breaches in the news, people may be most familiar with them. But the spoils of an opportunistic attack can equal or exceed those compromises,” the report notes. “The burgeoning underground market for related tools, services and support allows cyber criminals to carry out these opportunistic attacks and generate significant revenue without developing even a single line of code themselves,” the report points out.
Looking at where investigations are occurring, 42% were of e-commerce breaches (down 13% compared to 2013), 40% were for point-of-sale (POS) breaches (up from 33% in 2013), and 18% were for compromises of corporate/internal networks (up 8% over 2013).
A chart in the report illustrates the industry breakdown of IT environments compromised across those three areas.
Weak passwords or weak remote access security contributed to 94% of POS breaches, the report states, while weak or non-existent input validation or unpatched vulnerabilities contributed to 75% of e-commerce breaches. Overall, 28% of breaches resulted from weak passwords and another 28% from weak remote access security.
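The report's two application-layer findings quoted above, that one-third of applications were vulnerable to SQL injection and that weak or non-existent input validation contributed to three-quarters of e-commerce breaches, come down to one pattern: user input being pasted into a query as text. The following is an added illustration, not code from the report or from Trustwave, that puts the vulnerable pattern beside the two defences (a bound parameter and an allow-list validation step). The customer table, e-mail addresses and the `lookup_*` function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the report): an in-memory
# customer table of the kind an e-commerce back end might keep.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1111"),
        (2, "bob@example.com", "2222"),
        (3, "carol@example.com", "3333"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # The anti-pattern: the caller's string becomes part of the SQL grammar,
    # so quote characters in the input change what the statement means.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # Defence 1: a bound parameter. The driver passes the value separately
    # from the statement text, so the input can only ever be compared as data.
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Defence 2: allow-list input validation at the boundary. A deliberately
# simple e-mail shape; anything outside it is rejected before a query runs.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def is_valid_email(value):
    return bool(_EMAIL_RE.match(value))

def lookup_validated(conn, email):
    # Both layers together: reject malformed input, then bind what remains.
    if not is_valid_email(email):
        raise ValueError("rejected by input validation")
    return lookup_parameterized(conn, email)

def demo():
    """Run the same two inputs through each lookup and report row counts."""
    conn = make_db()
    normal = "bob@example.com"
    # A textbook quote-breaking input: the concatenated query becomes
    # WHERE email = '' OR '1'='1', which is true for every row.
    crafted = "' OR '1'='1"
    try:
        lookup_validated(conn, crafted)
        validated_rejected = False
    except ValueError:
        validated_rejected = True
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_crafted": len(lookup_parameterized(conn, crafted)),
        "validated_normal": len(lookup_validated(conn, normal)),
        "validated_rejected_crafted": validated_rejected,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup returns one row for the real address but every row for the crafted string; the parameterized lookup returns one row and zero rows respectively, because the quote characters are compared literally. Validation does not replace binding (a valid-looking value can still carry dangerous characters in other contexts), but rejecting input that cannot be a legitimate value shrinks what reaches the database and gives a clean, loggable signal when it happens.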
With regard to sectors being targeted, the report notes that retail was the most compromised industry in 2014, accounting for 43% of the investigations. That was followed by 13% in the food and beverage industry, and 12% in the hospitality industry.
In terms of the type of data targeted, the report notes that proprietary data accounted for 8%, financial credentials for 12%, track data (POS transaction data) for 31% and PII + CHD (e-commerce transaction data) for 49%.
“Looking strictly at 2014 investigations in North America, in 63% of cases, the attacker targeted track data — the information used in POS transactions,” the report states. “This is another signal that attackers may be having a field day compromising POS systems in the United States due to the country’s slow adoption of chip-and-PIN technology.”
As for location, while the percentage of compromises investigated was down 9% in the United States from 2013, the country remains a focus. It accounts for half of the compromises investigated by Trustwave, followed by Australia, which accounted for 24% of breaches (up from 13%); and the United Kingdom, remaining stable at 14%.
Other countries where compromises were investigated include Argentina, Colombia, France, Germany, India, Malaysia, Mexico, New Zealand, Singapore, Spain, Sweden and Taiwan.
Other survey findings include the following:
• 33% of exploits detected were of Adobe Flash (up 28.2%) and 29% were for Microsoft Internet Explorer, while exploits detected were down 63.5% for Oracle Java;
• 30% of attacks observed were WordPress “pingback” denial-of-service attacks;
• 24% of attacks observed were exploits of the Bash or Shellshock vulnerability;
• 60% of inbound email observed was spam; and
• Password1 was still the most common password.
Perpetrators “are professional, organized, determined and innovative — meticulously evolving their techniques to ensure they remain steps ahead of their targets. Often, they know more about their victims than their victims know about themselves,” the report states.
“The sheer vulnerability of organizations and the ease by which attackers can strike is a hair-raising predicament with no guaranteed solution,” it cautions.