If 2011 was the “Year of the Data Breach,” then 2013 was the “Year of the Mega Data Breach,” after a 62 percent increase in the number of breaches logged, according to the "Internet Security Threat Report 2014" from Symantec.
The attacks exposed more than 552 million personal identities, with eight out of ten of the top breaches in 2013 accounting for 10 million identity losses each. In an email to SCMagazine.com, Kevin Haley, director of Symantec Security Response, said that 2013 hadn't been shaping up as an extraordinary year for breaches “until we hit the last three months,” when retailers like Target and Neiman Marcus were hit in high-profile incidents “when the most data would be available.”
While targeted attacks grew by 91 percent last year, it was the length of the attacks — on average three times longer than earlier incidents — that proved surprising, Haley says.
Calling attackers “more careful, more patient,” he says they “continue to poke and prod to find any weakness they can take advantage of,” making attacks “very hard to guard against.”
Zero-day vulnerabilities are particularly hard to combat, and the research shows a significant uptick in those attacks — 23 reported last year, a 61 percent increase over 2012 figures. The report shows 97 percent of those were Java-based and that it took on average four days to issue a patch after a vulnerability among the top-five was published.
“They allow targeted attackers to silently infect their targets via spear-phishing and watering hole attacks,” Haley said. “And once these vulnerabilities are generally known about they are quickly incorporated into attack toolkits letting common cyber criminals exploit these vulnerabilities.”
Ransomware, too, spiked in 2013, increasing a startling 500 percent from the year before, with the report showing that small and medium-sized businesses were more frequently targeted.
Public administration, or government, topped the industries targeted by spear phishing attacks, accounting for 16 percent, followed closely by professional services at 15 percent. In comments sent by email to SCMagazine.com, Rohyt Belani, CEO and co-founder of PhishMe, said that manufacturing (accounting for 13 percent in the report) and mining (one percent) are increasingly targets.