2015 TRUSTWAVE GLOBAL
SECURITY REPORT
1,425%
• Estimated ROI for a one-month ransomware campaign
• Based on Trustwave SpiderLabs research into underground markets
• One example: $5,900 investment = $84,100 profit
• Make it difficult and expensive for criminals to target your organization
WHY DO CYBERCRIMINALS DO WHAT THEY DO?
1. Trustwave Global Security Report Overview
2. Data Compromise Investigations
3. Threat Intelligence & Security Research
4. Security Testing
5. Wrap Up
• Detailing cybercriminals’ methods and impact in the previous year
• 574 compromised locations investigated across 15 countries
• Billions of events each day across five global SOCs
• 4 million vulnerability scans
• Thousands of web app security scans
• Tens of millions of web transactions
• Tens of billions of email messages
• Millions of blocked malicious websites
• Thousands of penetration tests
THE 2015 TRUSTWAVE GLOBAL SECURITY REPORT
1. Who is falling victim?
2. What IT systems are criminals compromising?
3. How are criminals breaking in?
4. What data are criminals targeting?
5. How long does it take to detect a breach?
6. How long does a breach last?
GEOGRAPHIC LOCATIONS OF VICTIMS
ENVIRONMENTS COMPROMISED BY REGION
COMPROMISES BY INDUSTRY
Distribution of investigations by industry 2014
ENVIRONMENTS COMPROMISED BY INDUSTRY
FACTORS CONTRIBUTING TO COMPROMISE
Distribution of investigations by factors that made the breach possible
Weak Remote Access Security 28%
Weak Passwords 28%
Weak (or Non-Existent) Input Validation 15%
Unpatched Vulnerabilities 15%
Misconfigurations 8%
Malicious Insider 6%
TYPES OF DATA TARGETED
Distribution of investigations by type of data targeted
PII + CHD (E-commerce Transaction Data) 49%
Track Data (POS Transaction Data) 31%
Financial Credentials 12%
Proprietary Data
BREACH DETECTION
Distribution of investigations by modes of detection
DURATION OF A COMPROMISE
Median durations between various compromise milestones
111 days a breach lasted
86 days to detect a breach
7 days to contain a breach
1. Types of Attacks
2. The Rewards of Cybercrime
3. Celebrity Vulnerabilities
4. Top Host-Based Vulnerabilities
5. Top Exploit Traffic
6. Attacks on Web Applications & Servers
7. Spam Trends
8. Exploit Kits and
TARGETED ATTACK
“SKB Enterprises serves a lot of customers, handles a lot of payment card transactions and probably has a lot of customer data stored somewhere. I’m going to figure out how to break in.”
• Target identified first
• ONLY THEN is the attack considered
• More effort spent planning and executing
• Usually targeting larger organizations

OPPORTUNISTIC ATTACK
“I know how to compromise a web server via an Adobe ColdFusion vulnerability. I’m going to scan the Internet to find unpatched servers and see whether I can access some valuable data or inject malicious code to infect visitors with malware.”
• Exploit and vulnerability identified first
• Target doesn’t matter, just needs to be vulnerable to exploit
• Low-hanging fruit
ROI CALCULATION FOR RANSOMWARE CAMPAIGN

EXPENSES
Payload: $3,000
Infection Vector: $500
Traffic Acquisition: $1,800
Daily Encryption: $600
Total Expenses: $5,900

REVENUE
Visitors: 20,000
Infection Rate: 10%
Payout Rate: 0.5%
Ransom Amount: $300
Length of Campaign: 30 days
Total Revenue: $90,000

RETURN ON INVESTMENT
Revenue: $90,000
Total Expenses: $5,900
Gross Profit: $84,100
ROI: 1,425%
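The slide's ROI arithmetic carried through in code, then extended to show what the same model says once defenders cut the attacker's infection and payout rates (an added example, not part of the Trustwave report; the Campaign class, the defended() control model with its patch and backup coverage parameters, and the reading of "Visitors 20,000" as a per-day figure are assumptions of this example):

```python
"""Ransomware campaign economics: reproduces the slide's $90,000 / $5,900 /
1,425% figures, then applies an assumed defender model to the same numbers."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Campaign:
    # Attacker expenses (USD) as listed on the slide
    payload: int = 3_000
    infection_vector: int = 500
    traffic_acquisition: int = 1_800
    daily_encryption: int = 600
    # Revenue drivers as listed on the slide; visitors are taken as a daily
    # figure (assumption: it is the only reading that yields the slide's total)
    visitors_per_day: int = 20_000
    infection_rate: float = 0.10   # share of visitors successfully infected
    payout_rate: float = 0.005     # share of infected victims who pay
    ransom: int = 300
    days: int = 30


def expenses(c: Campaign) -> int:
    return c.payload + c.infection_vector + c.traffic_acquisition + c.daily_encryption


def revenue(c: Campaign) -> float:
    # visitors x infected x paying x ransom per day, over the whole campaign
    return c.visitors_per_day * c.infection_rate * c.payout_rate * c.ransom * c.days


def gross_profit(c: Campaign) -> float:
    return revenue(c) - expenses(c)


def roi_percent(c: Campaign) -> float:
    """Gross profit as a percentage of expenses, the way the slide states ROI."""
    return gross_profit(c) / expenses(c) * 100


def defended(c: Campaign, patch_coverage: float, backup_coverage: float) -> Campaign:
    """Assumed defender model: a patched host is not infected by the kit, and a
    victim with tested backups does not pay. Both simply scale the slide's rates."""
    return replace(c,
                   infection_rate=c.infection_rate * (1 - patch_coverage),
                   payout_rate=c.payout_rate * (1 - backup_coverage))


if __name__ == "__main__":
    base = Campaign()
    print(f"slide baseline: revenue ${revenue(base):,.0f}, ROI {roi_percent(base):,.0f}%")
    hard = defended(base, patch_coverage=0.8, backup_coverage=0.9)
    print(f"80% patched, 90% backed up: revenue ${revenue(hard):,.0f}, ROI {roi_percent(hard):,.0f}%")
```

With the assumed 80% patch and 90% backup coverage the campaign's revenue falls to $1,800 against the same $5,900 outlay, so the attacker's ROI goes negative, which is the point of the deck's "make it difficult and expensive" advice.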
THE YEAR OF THE CELEBRITY VULNERABILITY
• Vulnerabilities with memorable names and logos
• Helped bring awareness of technical security issues to the masses
• Sometimes not as serious as the media attention suggests
• Trustwave observations of real-world prevalence and exploits
  – 0.60 percent of vulnerabilities detected were Heartbleed
  – 2.47 percent of exploit traffic targeted POODLE
NETWORK VULNERABILITY SCAN ANALYSIS
Top 5 Most Frequently Detected Vulnerabilities
EXPLOIT TRAFFIC DETECTED
ATTACKS ON WEB APPLICATIONS AND SERVERS
SPAM CATEGORIES (2014 vs. 2013)
6% OF SPAM INCLUDES MALICIOUS
LINKS OR ATTACHMENTS
PREVALENT EXPLOIT KITS
Exploit kit prevalence based on telemetry from Trustwave Secure Web Gateway
Neutrino 5%
RIG 25%
Nuclear 23%
Angler 17%
Fiesta 13%
Magnitude 9%

TOP EXPLOITED APPLICATIONS
Most exploited client-side applications and plug-ins as observed by Trustwave in 2014
Flash 33%
Internet Explorer 29%
Adobe Reader 10%
Silverlight 13%
Java 15% (63%)
1. Web Application Security
2. Mobile Application Security
3. Most Common Penetration Testing Findings
4. Most Common Business Passwords
WEB APPLICATION SECURITY
98% of applications are vulnerable
20 median flaws per application
FREQUENCY OF APPLICATION VULNERABILITY TYPES
Top application vulnerabilities identified by Trustwave in 2014, proportioned by type (2014 vs. 2013)
MOBILE APPLICATION VULNERABILITIES
Cumulative percentages of mobile applications in which Trustwave identified at least one vulnerability of varying severities
COMMON PENETRATION TESTING FINDINGS
Top Ten Penetration Testing Findings in a Comparative Ranking
• Authentication bypass
• SQL injection
• Logic flaws
• Unpatched systems
• Weak administrator password
• Shared local administrator password
• Authorization bypass
• Unencrypted storage of sensitive data
• Cross-site scripting (XSS), persistent
PASSWORD ANALYSIS
Cracked 51 percent of passwords within 24 hours and another 37 percent within two weeks
FOLLOW-UP QUESTIONS
• Have you considered all possible attack vectors? Attackers have.
  – Do you know what attackers are targeting?
  – Do you know where those assets reside?
  – Trustwave can help
• How do you know your security is effective?
  – Don’t guess, test
  – Validate your assumptions with penetration testing
  – Trustwave can help