The retail sector suffered the most breach incidents (16.7%) in 2017 as attackers became more organised, the latest Trustwave security report shows.
The retail sector was followed by the finance and insurance industry (13.1%) and hospitality (11.9%), according to the 2018 Trustwave global security report, which is based on the analysis of billions of security events worldwide, hundreds of data-breach investigations and internal research.
However, despite the high volume of attacks on the retail sector, the report shows that incidents impacting point-of-sale (POS) systems decreased by more than a third to 20% of the total, which is attributed to increased attack sophistication and targeting of larger service providers and franchise head offices rather than smaller high-volume targets.
The report notes a marked increase of 9.5% in compromises targeting businesses that provide IT services, including web-hosting providers, POS integrators and help-desk providers. A compromise of just one provider opens the gates to a multitude of new targets. In 2016, service provider compromises did not register in the statistics, the report said.
Phishing and social engineering was the top method of compromise (55%), followed by malicious insiders (13%) and remote access (9%). This indicates the human factor remains the greatest hurdle for corporate cyber security teams, the report said, noting that “CEO fraud”, a social engineering scam encouraging executives to authorise fraudulent money transactions, continues to increase.
All web applications tested displayed at least one vulnerability, with 11 as the median number detected per application. Most of the web application vulnerabilities (85.9%) involved session management allowing an attacker to eavesdrop on a user session to commandeer sensitive information.
Targeted web attacks are becoming prevalent and much more sophisticated, the report shows, with many breach incidents showing signs of careful preplanning by cyber criminals probing for weak packages and tools to exploit.
Cross-site scripting (XSS) was involved in 40% of attack attempts, followed by SQL injection (SQLi) at 24%, path traversal at 7%, local file inclusion (LFI) at 4%, and distributed denial of service (DDoS) at 3%.
The median time between intrusion and detection for externally detected compromises was 83 days in 2017, up from 65 days in 2016. However, the median time between intrusion and detection for compromises discovered internally dropped to zero days in 2017 from 16 days in 2016, meaning businesses discovered the majority of breaches the same day they happened.
Although down from the previous year, payment card data is still the most highly targeted type of data in breaches, accounting for 40% of data stolen in all the breaches analysed.
The data shows that several major Necurs botnet campaigns were responsible for propagating ransomware, banking trojans and other damaging payloads, with spam containing malware remaining high at 26%, although down from 34.6% in 2016. More than 90% of spam-borne malware is delivered inside archive files such as .zip and is typically labelled as invoices or other types of business files, the report said.
Although the number of vulnerabilities patched in five of the most common database products was 119 – down from 170 in 2016 – the report said 53% of computers with Server Message Block protocol version 1 enabled were vulnerable to the EternalBlue exploit used to disseminate the WannaCry and NotPetya attacks.
Vulnerabilities have seen a sharp surge in the past decade, the report said, with a marked increase in vulnerability disclosures from 2012 and a dramatic spike in 2017.
“This is in part due to the doubling of internet users over the course of a decade. The technically savvy, including both security researchers and criminals, are now actively looking for vulnerabilities with the latter selling corresponding exploits on the dark web to make hefty profits. More vulnerabilities equate to greater potential for exploitations,” the report said.
The report shows that cyber criminals and their attacks are becoming more methodical and organised, said Steve Kelley, chief marketing officer at Trustwave. “As long as cyber crime remains profitable, we will continue to see threat actors quickly evolving and adapting methods to penetrate networks and steal data.
“Security is as much a ‘people’ issue as it is a technology issue. To stay on par with determined adversaries, organisations must have access to security experts who can think and operate like an attacker while making best use of the technologies deployed,” he said.