Metrics are vital for CISOs to do their job effectively. Unfortunately the numbers included in the latest Trustwave global survey show that infosec pros and software developers around the world still have a long way to go.
Consider these figures, gathered from data from Trustwave devices:
–Nearly half the compromises investigated in 2016 were due to insecure remote-access software and policies (30 per cent) or phishing and social engineering (19 per cent), according to the report released Tuesday. Remote access and phishing/social engineering nearly doubled compared with 2015. Add code injection (18.8 per cent) and these three factors accounted for 64 per cent of the causes behind compromises.
On the other hand, there were significantly fewer incidents of server misconfigurations, SQL injection, malicious insiders and browser exploits in 2016 compared to the year before.
SOLUTIONS: The report recommends using two-factor authentication for all remote access into the environment. Third-party remote access must be an on-demand solution: ensure it is turned off by default and that authorized users enable it only when needed. Also, enable auditing and logging for remote access into the environment.
–Detection isn’t there: In 2016 compromises detected by regulatory bodies, card brands and merchant banks accounted for nearly half of incidents, followed by self-detected compromises. In fact the rate of outside detection increased last year (49 per cent compared to 36 per cent in 2015). Meanwhile self-detected compromises increased only slightly in 2016 (43 per cent of incidents, compared to 41 per cent in 2015).
This is important, says the report, because organizations that detect compromises themselves typically identify and contain them more quickly than when an outside party finds them.
SOLUTIONS: The report recommends that firewalls be configured to restrict inbound and outbound access to and from the network. Confine inbound access to only those services (open ports) necessary to conduct business. Restrict outbound traffic to only trusted sites or IP addresses. In addition to network segmentation, all firewalls for accessible ports and services should be hardware-based and provide stateful packet inspection (SPI) capabilities.
In addition, each user should have a unique account so systems personnel can track activities. Avoid using generic or default account names.
Windows event logs should be configured to capture security, application and system events on all systems. Retain logs for at least 90 days on the system and one year offline. Conduct a daily review of the logs from all devices.
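The three recommendations above (audit remote access, give every user a unique non-generic account, and review the logs from all devices daily) are easiest to follow with a small, repeatable review script. The following is an added example, not code from the report or from Trustwave. The event records are constructed for illustration and only mirror the layout of a few well-known Windows Security log fields (EventID 4624/4625/4720, LogonType 10 for RDP, TargetUserName, IpAddress); the list of generic account names, the business-hours window and the failed-logon threshold are assumptions to be tuned per environment.

```python
"""Daily review of Windows Security events (added example, constructed data).

Flags the things the report's recommendations care about: logons with generic
or default account names, remote (RDP) logons outside business hours, bursts
of failed logons from one address, and newly created accounts.
"""
from collections import Counter
from datetime import datetime

# Constructed sample events for one day, already parsed into dicts.  Real
# records would come from the Security log (e.g. via Get-WinEvent or a SIEM).
SAMPLE_EVENTS = [
    {"time": "2017-06-20T09:02:11", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "j.doe", "IpAddress": "10.0.5.12"},
    {"time": "2017-06-20T03:14:05", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"time": "2017-06-20T11:30:00", "EventID": 4720,
     "TargetUserName": "svc_backup", "SubjectUserName": "j.doe"},
    {"time": "2017-06-20T12:00:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "j.doe", "IpAddress": "10.0.5.40"},
]
# Five failed logons (4625) in a row from the same external address.
SAMPLE_EVENTS += [
    {"time": "2017-06-20T03:1%d:00" % i, "EventID": 4625, "LogonType": 10,
     "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
    for i in range(5, 10)
]

# Assumed policy values; adjust to the environment under review.
GENERIC_ACCOUNTS = {"admin", "administrator", "guest", "root", "test", "user"}
RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time
FAILED_LOGON_THRESHOLD = 5


def review(events):
    """Return a list of (finding, subject, detail) tuples for one day's events."""
    findings = []
    failed_by_ip = Counter()
    for ev in events:
        eid = ev["EventID"]
        user = ev.get("TargetUserName", "").lower()
        hour = datetime.fromisoformat(ev["time"]).hour
        if eid == 4624:  # successful logon
            if user in GENERIC_ACCOUNTS:
                findings.append(("generic-account-logon", user, ev["IpAddress"]))
            if ev.get("LogonType") == RDP_LOGON_TYPE and hour not in BUSINESS_HOURS:
                findings.append(("after-hours-remote-logon", user, ev["IpAddress"]))
        elif eid == 4625:  # failed logon: count per source address
            failed_by_ip[ev["IpAddress"]] += 1
        elif eid == 4720:  # user account created: always worth a look
            findings.append(("account-created", user, ev.get("SubjectUserName", "")))
    for ip, count in failed_by_ip.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings.append(("repeated-failed-logons", ip, count))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print("%-26s %-16s %s" % finding)
```

Run daily against the previous day's exported events; each finding is a row to triage, and an empty result is the expected "nothing to see" outcome. The point of returning tuples rather than printing directly is that the same function can feed a ticketing system or a test.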
–Truly secure web applications are rare: 99.7 per cent of applications tested last year displayed at least one vulnerability, ranging from mostly harmless to potentially devastating. The percentage of apps with vulnerabilities keeps climbing every year; in 2013 it was 96 per cent. On the other hand, the median number of vulnerabilities detected per application dropped to 11 in 2016 from 14 in 2015.
But here’s a chilling stat: The largest number of vulnerabilities found in a single application was 1,267. The app is unnamed.
Trustwave found vulnerabilities related to session management in 77 per cent of the applications tested in 2016. This type of vulnerability can allow an attacker to take over or eavesdrop on a user session, placing sensitive information at risk, the report notes. Most of the session management vulnerabilities identified involved improper handling of HTTP cookies, used to preserve state across inherently stateless web connections.
The second most common category involved improper or inadequate validation and sanitization of user input (60 per cent of the applications tested), followed by information leakage (46 per cent) and poor encryption (43 per cent).
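Since most of the session-management findings above come down to how HTTP cookies are set, a quick check of a site's Set-Cookie headers catches the common mistakes before a tester does. The following is an added example, not code from the report or from Trustwave; the headers are constructed, and the name hints used to decide which cookies carry a session identifier are an assumption to be adjusted for the framework in use.

```python
"""Audit Set-Cookie headers for session cookies (added example, constructed data).

Checks the attributes that keep a session cookie from being sent in the clear,
read by script, or attached to cross-site requests, and flags short or
long-lived session values.
"""

# Assumed substrings that mark a cookie as a session identifier.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
ONE_DAY_SECONDS = 86400

# Constructed headers: a weak session cookie, its corrected form, and a
# harmless preference cookie that should not be flagged at all.
WEAK_HEADER = "SESSIONID=abc123; Path=/"
FIXED_HEADER = ("SESSIONID=8f3c0b2d9e6a41c7b5d2e0f9a1b3c4d5; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")
NON_SESSION_HEADER = "lang=en; Path=/; Max-Age=31536000"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map
    to True, valued attributes (SameSite=Lax, Max-Age=60) map to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header):
    """Return (cookie name, list of issue codes); non-session cookies get []."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    if not looks_like_session_cookie(name):
        return name, issues
    if "secure" not in attrs:
        issues.append("no-secure")        # may travel over plaintext HTTP
    if "httponly" not in attrs:
        issues.append("no-httponly")      # readable by injected script
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        issues.append("weak-samesite")    # sent on cross-site requests
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > ONE_DAY_SECONDS:
        issues.append("long-lived")       # session outlives a reasonable window
    if len(value) < 16:
        issues.append("short-value")      # identifier too small to resist guessing
    return name, issues


if __name__ == "__main__":
    for header in (WEAK_HEADER, FIXED_HEADER, NON_SESSION_HEADER):
        name, issues = audit_cookie(header)
        print("%-10s %s" % (name, ", ".join(issues) or "ok"))
```

The weak header fails four checks and the corrected one passes all of them; the preference cookie is ignored because only session identifiers need this treatment. Feeding real responses in is a matter of iterating over the Set-Cookie headers an HTTP client returns.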
There’s more in the report, including advice on how to stop compromises and an examination of attacks on web applications (including content management systems), email threats and exploitation trends.
For the full report click here (registration required).