2014 was the year when “designer vulnerabilities” emerged, when breaches and security incidents were being announced so fast that we struggled to keep up, when old financial malware began being used to hit new targets.
The recently released IBM X-Force Threat Intelligence Quarterly notes that in 2014:
- More than a billion emails, credit card numbers, passwords and other types of personally identifiable information have been leaked online in the wake of security breaches. “Based on pure volume, the total number of records breached in 2014 was nearly 25 percent higher than in 2013,” the researchers added.
- When primary points of entry are well secured, cyber attackers will seek other ways to breach the target. “A prime example was the public disclosure of sensitive photos stored on a cloud service. The security of the cloud service itself was not fundamentally flawed, but users’ weak passwords and easy-to-guess security questions, coupled with lax policies on brute-force authentication, resulted in stolen data,” they shared.
- Cryptographic libraries and other core components present on nearly every common platform, including Microsoft Windows, Mac OS X and Linux, were found to contain flaws that were fairly trivial to exploit remotely (Heartbleed and FREAK in TLS implementations, POODLE in the SSL 3.0 protocol, Shellshock in the Bash shell).
- Most commonly attacked industries were computer services (28.7%), retailers (13%) and the government (10.7%). The number of incidents in the United States was far higher than in other countries (likely due to tough disclosure laws). Most common attack types were the following:
- Ransomware attacks became more common, as did extortion attempts fueled by targeted DDoS attacks
- The well-known Citadel financial malware began being used to collect other sensitive information instead of financial data, and to target petrochemical sellers and suppliers as well as password management software.
- Vulnerabilities in mobile applications are more numerous than ever, as flaws keep surfacing in app development frameworks and app developers fail to move to a non-vulnerable version in a timely fashion.
For more details, download the report here (registration required).