If 2011 was the “Year of the Data Breach,” then 2013 was the “Year of the Mega Data Breach,” after a 62 percent increase in the number of breaches logged, according to the "Internet Security Threat Report 2014" from Symantec.
The attacks exposed more than 552 million personal identities, with eight of the top ten breaches in 2013 exposing more than 10 million identities each. In an email to SCMagazine.com, Kevin Haley, director of Symantec Security Response, said that 2013 hadn't been shaping up as an extraordinary year for breaches “until we hit the last three months,” when retailers like Target and Neiman Marcus were hit in high-profile incidents “when the most data would be available.”
While targeted attacks grew by 91 percent last year, it was the length of the attacks — on average three times longer than earlier incidents — that proved surprising, Haley said.
Calling attackers “more careful, more patient,” he said they “continue to poke and prod to find any weakness they can take advantage of,” making attacks “very hard to guard against.”
Zero-day vulnerabilities are particularly hard to combat, and the research shows a significant uptick in those attacks: 23 zero-days were reported last year, a 61 percent increase over 2012. The report shows that 97 percent of those attacks were Java-based and that vendors took on average four days to issue a patch after one of the top five zero-day vulnerabilities was publicly disclosed.
“They allow targeted attackers to silently infect their targets via spear-phishing and watering hole attacks,” Haley said. “And once these vulnerabilities are generally known about they are quickly incorporated into attack toolkits letting common cyber criminals exploit these vulnerabilities.”
Ransomware, too, spiked in 2013, increasing a startling 500 percent from the year before, with the report showing that small and medium-sized businesses were targeted more frequently.
Public administration, or government, topped the industries targeted by spear phishing attacks, accounting for 16 percent, followed closely by professional services at 15 percent. In comments sent by email to SCMagazine.com, Rohyt Belani, CEO and co-founder of PhishMe, said that manufacturing (accounting for 13 percent in the report) and mining (one percent) are increasingly targeted.
“With the rise of the nation-state actors these industries are under constant attack as the proverbial ‘pot of gold’ of proprietary information and intellectual property is very lucrative,” he said. “The lack of an IT savvy workforce and appropriate budgets to fund cyber security efforts further exacerbate the problem.”
As the Symantec report reveals, not all the news was bad. The spam rate fell to 66 percent of all email from 68 percent the year before, and the number of bot-infected computers also declined, from 3.4 million in 2012 to 2.3 million in 2013.
Spear phishing attacks are down 28 percent from 2012 (though up two percent from 2011).
“Companies have gotten better at protecting against spear phishing campaigns. That's why we've seen attackers use less emails, target less employees, but run more campaigns,” Haley said. “They had to step up their efficiency as companies use improved technology to stop these attacks and train employees to better protect themselves.”
Still, some industries are targeted more than others with government taking the biggest hit, accounting for 16 percent of the attacks in 2013, followed closely by professional services (15 percent).
To better protect themselves against data breaches, Haley recommends that organizations adopt best practices, including understanding where sensitive data resides and where it's flowing, educating employees and implementing a strong security posture.
“Companies of all sizes [should] re-examine, rethink and possibly re-architect their security posture,” he said, pointing out that the loss of reputation and consumer trust “can be much harder to recover.”