The Trustwave Global Security Report for 2014 was recently released. There are a number of very useful and insightful statistics in this report, which we can corroborate, based on our assessments of numerous organizations’ networks. We wanted to highlight a few of these statistics below:
Top 10 Internal Network Penetration Test Vulnerabilities
– which include weak passwords, shared accounts, and unencrypted storage
Top 10 External Network Penetration Test Vulnerabilities
– which include default SNMP strings and weak passwords:
Top 10 Web Application Vulnerabilities
– including path traversal, authentication bypass, SQL injection, unencrypted pages and XSS, just showing that the OWASP top 10 is alive and well
Passwords were the cause of a compromise 31% of the time
– it’s time to start upping the requirements for password length and complexity
Criminals relied most heavily on
Java applets as a malware delivery method
– Java and Adobe often have the top number of vulnerabilities when we assess an organization. Patch schedules for these products are essential.
71% of victims did not detect a breach themselves
– who wants their client notifying them of a breach. It’s time to implement defense in depth strategies with IDS/IPS protection and SIEM solutions
67% of victimes were able to contain a breach within 10 days upon discovery, however, the median number of days
from intrusion to detection was 87
– organizations just need to know it happened; in general they can handle the situation well once they know
Top Intrusion Indicators Include:
anomalous account activity, unexplained or suspicious outbound data, new and/or suspicious files dropped, geographic anomalies in logins, registry changes, log tampering, anti-virus tampering, services added/stopped/paused and more
– learning to recognize these signs or implementing tools that correlate these types of events can help in self detection
Over 13 client side zero-day vulnerabilities
were actively exploited in 2013
– again, it is essential to have a patching procedure
for third party plugins and apps
78% of detected exploits were Java related
Botnet analysis showed a continuing trend of using common and compromised passwords across multiple sites
– consider auditing for passwords that should not be allowed in your organization
Microsoft SQL Server was the only database that did not experience any known vulnerabilities in 2013
Android and iOS both had a number of vulnerabilities
– don’t assume that something is more secure based on social stigma, make sure all of your mobile devices are managed
In conclusion, I suggest everyone take a look at this report and take note of some of the recurring elements in any of these reports. Organizations need stronger passwords and they need to patch their stuff. Those two steps alone will mitigate a number of risks.
You can download the full report here.
