Symantec released its annual threat report earlier this week, and unfortunately, the company's findings aren't exactly reassuring about the state of security last year.
Whereas the prior two years were deemed “data breach” years, 2014 is being pegged as the year of “high profile vulnerabilities,” the report states, as Heartbleed, POODLE and Bash bug were all disclosed, among a host of other far-reaching flaws.
Overall, 24 zero-day vulnerabilities were discovered in 2014, the highest recorded yet in a year, and if the sheer number of vulnerabilities wasn't bad enough, the report points out that it took vendors 204 days, 22 days and 53 days to patch the top three most exploited bugs.
It took an average of 19 days to patch the top five vulnerabilities, which Kevin Haley, director, product management at Symantec Security Response, attributed not to more complex flaws, but to the vulnerabilities not being seen as extremely pressing, he said in an interview with SCMagazine.com.
One vulnerability, for example, didn't lead directly to exploitation; rather, it provided a window into companies' systems and a chance for attackers to gather information. Because of this, Haley said creating a patch might have been pushed aside while more concerning vulnerabilities were addressed.
Armed with these zero-day vulnerabilities, attackers stepped up spear-phishing attacks this past year, which increased eight percent from 2013. However, the attackers deployed 14 percent less email toward 20 percent fewer targets. This is a marked change from the “spray and prey” approach that had attackers emailing as many people as possible in the hopes that at least one would click on malicious material, Haley said.
“[The attackers] are spending more time figuring out who they're going to send to; they're being selective and sending less emails because it gives them less of a chance of being caught,” he said. “It's a pretty good indication that the sophistication of these groups is not just technology but putting in the time upfront to do research on their targets to be more effective.”
Going off that, five out of every six large companies was targeted with spear phishing, marking an increase of 40 percent from the previous years. Small companies weren't spared either, though, with 60 percent of all targeted attacks being directed at them.
Data breaches this year increased by 23 percent, but the number of breaches that impacted more than 10 million record dropped by 50 percent to only four breach incidents.
These bigger breaches require patience on the attackers' side, Haley said, as these large enterprises tend to have thorough security infrastructure already in place. Smaller businesses might be easier to penetrate, but the return of less records might not be as worthwhile, he explained.
The report wasn't all bad news, however. The number of bots decreased from 2.3 million to 1.9 million in 2014, and the overall email spam rate dropped to 60 percent from 66 percent.