Year of the Mega Breach
Because eight breaches in 2013 each exposed more than 10 million identities, including the Target breach, 2013 has been dubbed the Year of the Mega Breach. The total of 253 breaches was 62 per cent greater than in 2012, and up from 208 breaches in 2011. In 2012 only one breach exposed over 10 million identities; in 2011, only five were of that size.
Over 552 million identities were breached in 2013, putting consumers' credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, logins, passwords and other personal information into the criminal underground. By contrast, 2011 saw 232 million identities exposed, half of the number in 2013.
Web of vulnerabilities
Scans of public websites by Symantec found that 78 per cent of sites contained vulnerabilities. Sixteen per cent of those sites had vulnerabilities classified as critical, meaning they could allow attackers to access sensitive data, alter the website's content or compromise visitors' computers. In practice, when an attacker looks for a site to compromise, one in eight sites makes it relatively easy to gain access.
Reports of the death of spear phishing are greatly exaggerated. While the total number of emails used per campaign has decreased and the number of those targeted has also decreased, the number of spear phishing campaigns themselves saw a 91 per cent rise in 2013.
Digging for gold
While the largest number of targeted attacks in 2013 were aimed at governments and the services industry, the industries at greatest risk of attack were mining, then government, then manufacturing. Their odds of being attacked were 1 in 2.7, 1 in 3.1 and 1 in 3.2 respectively.
There’s a sucker born …
Users continue to fall for scams on social media sites. Fake offers such as free cell phone minutes accounted for the largest share of attacks on Facebook users: 81 per cent in 2013, compared to 56 per cent in 2012. And while 12 per cent of social media users say someone has hacked into their social network account and pretended to be them, a quarter continue to share their social media passwords with others and a third connect with people they don't know.
Only half of mobile users take basic security precautions, yet 38 per cent have experienced mobile cybercrime. Lost or stolen devices remain the biggest risk, but mobile users don't make things easy: they store sensitive files online (52 per cent), keep work and personal information in the same online storage accounts (24 per cent) and share logins and passwords with family (21 per cent) and friends (18 per cent), putting their own data and their employers' data at risk.
What to do
The SANS Institute publishes a list of 20 critical security controls for IT. We can't list them all, but consider these three: start with an inventory of authorized devices and software on the network, build a secure image for all systems and regularly update configurations, and run automated vulnerability scans on a regular schedule. For more, see http://www.sans.org/critical-security-controls
Every year Symantec issues an Internet Security Threat Report, which gathers data from its products, services and third-party sources to paint a picture of the security landscape. What it found in 2013 wasn't pretty, and that was before Heartbleed.
These are numbers that should have every organization concerned: the number of identities exposed through data breaches last year was astonishing, and mobile threats are increasing while users seem indifferent.
If you want to do something to improve your organization's security, consider the advice in the U.S. National Institute of Standards and Technology's cybersecurity framework or its framework for critical infrastructure.