Welcome!

Java IoT Authors: Elizabeth White, Pat Romanski, Liz McMillan, Jamie Maidson, Yakov Fain

News Feed Item

New Trustwave Report Uncovers Cybercrime Attack Targets, Victims, Motivations and Methods

2014 Trustwave Global Security Report Details Findings From Hundreds of 2013 Data Breach Investigations and Proprietary Threat Intelligence

CHICAGO, IL -- (Marketwired) -- 05/21/14 -- Trustwave today released the 2014 Trustwave Global Security Report which reveals the top cybercrime, data breach and security threat trends from 2013. The report includes the type of information most targeted, industries most compromised, how criminals typically got inside, when victims identified an attack, notable malware trends and other critical components of breaches that matter to businesses. It also reveals how cybercrime is impacting different regions of the world and offers recommendations for businesses to help them fight cybercrime, protect their data and reduce security risks.

Trustwave experts gathered the data from 691 breach investigations (a 54 percent increase from 2012) across 24 countries in addition to proprietary threat intelligence gleaned from the company's five global Security Operations Centers, telemetry from security technologies and ongoing threat research. All of the data was collected and analyzed by Trustwave experts.

Data and Systems Targeted

  • While payment card data continued to top the list of the types of data compromised, the report notes that 45 percent of data thefts in 2013 involved confidential, non-payment card data -- a 33 percent increase from 2012. Non-payment card data includes other sensitive and confidential information such as financial credentials, internal communications, personally identifiable information and various types of customer records.
  • E-commerce breaches were the most rampant making up 54 percent of assets targeted. Point-of-sale (POS) breaches accounted for 33 percent of our 2013 investigations and data centers made up 10 percent. Trustwave experts expect POS and e-commerce compromises to dominate into 2014 and beyond.

Victims of Compromise

  • When ranking the top ten victim locations, the report reveals the United States overwhelmingly house the most victims at 59 percent, which was more than four times as many as the next closest victim location, the United Kingdom, at 14 percent. Australia was ranked third, at 11 percent followed by Hong Kong and India, both at two percent. Canada was ranked sixth at 1 percent, tied with New Zealand, Ireland, Belgium and Mauritius.
  • Similar to 2012, retail once again was the top industry compromised making up 35 percent of the breaches Trustwave investigated in 2013. Food and beverage ranked second at 18 percent and hospitality ranked third at 11 percent.

Intrusion Methods

Malware Everywhere

  • Criminals continued to use malware as one of the top methods for getting inside and extracting data. The top three malware-hosting countries in 2013 were the United States (42 percent), Russia (13 percent) and Germany (9 percent).
  • Criminals relied most on Java applets as a malware delivery method -- 78 percent of exploits Trustwave detected took advantage of Java vulnerabilities.
  • Eighty-five percent of the exploits detected in 2013 were of third party plug-ins, including Java, Adobe Flash and Acrobat Reader.
  • Overall spam made up 70 percent of inbound mail, however malicious spam dropped five percent in 2013. Fifty-nine percent of malicious spam included malicious attachments and 41 percent included malicious links.

User Accidents

  • Unbeknownst to them, employees and individual users often open the door to criminals by using easily-guessable passwords. Trustwave experts found weak passwords led to an initial intrusion in 31 percent of compromises.
  • In December 2013, security researchers at Trustwave discovered a Pony botnet instance that compromised approximately two million accounts for popular websites. When analyzing those compromised credentials, Trustwave found that "123456" topped the list of the most commonly used password followed by "123456789," "1234" and then "password." Nearly 25 percent of the usernames had passwords stored for multiple sites.

Application Vulnerabilities

  • 96 percent of applications scanned by Trustwave in 2013 harbored one or more serious security vulnerabilities. The finding demonstrates the need for more application security testing during the development, production and active phases.

Detecting a Compromise

  • Trustwave experts found that self-detection continued to be low with 71 percent of compromised victims not detecting breaches themselves. However, the data also demonstrates how critical self-detection is improving the timeline to containment and therefore limiting the overall damage. For example, the median number of days it took organizations that self-detected a breach to contain the breach was one day whereas it took organizations 14 days to contain the breach when it was detected by a third party.
  • The report also reveals the median number of days from initial intrusion to detection was 87 and the median number of days from detection to containment was seven. Upon discovery of a breach, 67 percent of victims were able to contain it within 10 days. From 2012 to 2013, there was a decrease in the amount of time an organization took to contain a breach. In half of the compromises investigated by Trustwave, the victim contained the breach within four months of the initial intrusion.

"Security is a process that involves foresight, manpower, advanced skillsets, threat intelligence and technologies. If businesses are not fully equipped with all of these components, they are only increasing their chances of being the next data breach victim," said Robert J. McCullen, Chairman and Chief Executive Officer at Trustwave. "As we have seen in our investigations, breaches are going to happen. However, the more information businesses can arm themselves with regarding who are their potential attackers, what those criminals are after and how their team will identify, react and remediate a breach if it does occur, is key to protecting their data, users and overall business."

Action Plan
The 2014 Trustwave Global Security Report recommends businesses implement the following action plan:

1. Protect users from themselves: Educate employees on best security practices, including strong password creation and awareness of social engineering techniques like phishing. Invest in gateway security technologies as a fallback to automate protection from threats such as zero-day vulnerabilities, targeted malware and malicious email.
2. Annihilate weak passwords: Implement and enforce strong authentication policies. Thirty percent of the time, an attacker gains access because of a weak password. Strong passwords -- consisting of a minimum of seven characters and a combination of upper and lower case letters, symbols and numbers -- play a vital role in helping prevent a breach. Even better are passphrases that include eight to 10 words that make up a sentence that only the user knows. Businesses should also deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user's mobile phone.
3. Protect the rest: Secure all of your data, and don't lull yourself into a false sense of security just because you think your payment card data is protected. Assess your entire set of assets -- from endpoint to network to application to database. Any vulnerability in any asset could lead to the exposure of data. Combine ongoing testing and scanning of these assets to identify and fix flaws before an attacker can take advantage of them.
4. Model the Threat: Model the threat and test your systems' resilience to it with penetration testing. Pitting a security expert against your network hosts, applications and databases applies a real-world attacker's perspective to your systems (a threat model). A penetration test transcends merely identifying vulnerabilities by demonstrating how an attacker can take advantage of them and expose data.
5. Plan your response: Develop, institute and rehearse an incident response plan. Identify what sorts of events or indicators of compromise will trigger your incident response plan. A plan will help make your organization aware of a compromise sooner, limit its repercussions and shorten its duration.

Download a complimentary copy of the full 2014 Trustwave Global Security Report here.

About Trustwave
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than two million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

Follow Trustwave on Twitter at www.twitter.com/Trustwave, on Facebook at www.facebook.com/Trustwave, and on LinkedIn at www.linkedin.com/company/trustwave. All trademarks used herein remain the property of their respective owners. Their use does not indicate or imply a relationship between Trustwave and the owners of such trademarks.

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

@ThingsExpo Stories
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit y...
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device. For more information, please visit https://www.mangoapps.com/.
SYS-CON Events announced today that ContentMX, the marketing technology and services company with a singular mission to increase engagement and drive more conversations for enterprise, channel and SMB technology marketers, has been named “Sponsor & Exhibitor Lounge Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York. “CloudExpo is a great opportunity to start a conversation with new prospects, but what happens after the...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
Designing IoT applications is complex, but deploying them in a scalable fashion is even more complex. A scalable, API first IaaS cloud is a good start, but in order to understand the various components specific to deploying IoT applications, one needs to understand the architecture of these applications and figure out how to scale these components independently. In his session at @ThingsExpo, Nara Rajagopalan is CEO of Accelerite, will discuss the fundamental architecture of IoT applications, ...
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discuss how businesses can gain an edge over competitors by empowering consumers to take control through IoT. We'll cite examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He'll also highlight how IoT can revitalize and restore outdated business models, making them profitable...
In his session at 18th Cloud Expo, Bruce Swann, Senior Product Marketing Manager at Adobe, will discuss how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects). Bruce Swann has more than 15 years of experience working with digital marketing disciplines like web analytics, social med...
SYS-CON Events announced today that Enzu, a leading provider of cloud hosting solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to foc...
Customer experience has become a competitive differentiator for companies, and it’s imperative that brands seamlessly connect the customer journey across all platforms. With the continued explosion of IoT, join us for a look at how to build a winning digital foundation in the connected era – today and in the future. In his session at @ThingsExpo, Chris Nguyen, Group Product Marketing Manager at Adobe, will discuss how to successfully leverage mobile, rapidly deploy content, capture real-time d...
IoT generates lots of temporal data. But how do you unlock its value? How do you coordinate the diverse moving parts that must come together when developing your IoT product? What are the key challenges addressed by Data as a Service? How does cloud computing underlie and connect the notions of Digital and DevOps What is the impact of the API economy? What is the business imperative for Cognitive Computing? Get all these questions and hundreds more like them answered at the 18th Cloud Expo...
As cloud and storage projections continue to rise, the number of organizations moving to the cloud is escalating and it is clear cloud storage is here to stay. However, is it secure? Data is the lifeblood for government entities, countries, cloud service providers and enterprises alike and losing or exposing that data can have disastrous results. There are new concepts for data storage on the horizon that will deliver secure solutions for storing and moving sensitive data around the world. ...
What a difference a year makes. Organizations aren’t just talking about IoT possibilities, it is now baked into their core business strategy. With IoT, billions of devices generating data from different companies on different networks around the globe need to interact. From efficiency to better customer insights to completely new business models, IoT will turn traditional business models upside down. In the new customer-centric age, the key to success is delivering critical services and apps wit...
The essence of data analysis involves setting up data pipelines that consist of several operations that are chained together – starting from data collection, data quality checks, data integration, data analysis and data visualization (including the setting up of interaction paths in that visualization). In our opinion, the challenges stem from the technology diversity at each stage of the data pipeline as well as the lack of process around the analysis.
SYS-CON Events announced today that 24Notion has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. 24Notion is full-service global creative digital marketing, technology and lifestyle agency that combines strategic ideas with customized tactical execution. With a broad understand of the art of traditional marketing, new media, communications and social influence, 24Notion uniquely understands how to con...
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, will discuss the importance of WebRTC and how it enables companies to fo...
SYS-CON Events announced today TechTarget has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. TechTarget is the Web’s leading destination for serious technology buyers researching and making enterprise technology decisions. Its extensive global networ...
Korean Broadcasting System (KBS) will feature the upcoming 18th Cloud Expo | @ThingsExpo in a New York news documentary about the "New IT for the Future." The documentary will cover how big companies are transmitting or adopting the new IT for the future and will be filmed on the expo floor between June 7-June 9, 2016, at the Javits Center in New York City, New York. KBS has long been a leader in the development of the broadcasting culture of Korea. As the key public service broadcaster of Korea...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
There are several IoTs: the Industrial Internet, Consumer Wearables, Wearables and Healthcare, Supply Chains, and the movement toward Smart Grids, Cities, Regions, and Nations. There are competing communications standards every step of the way, a bewildering array of sensors and devices, and an entire world of competing data analytics platforms. To some this appears to be chaos. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will discuss the vast to...