Editor's Note: This is the second of a three-part series on industry cyber security reports, covering an additional three vendor data summaries. Part I covers four data summaries. Part III of the series will cover industry surveys and will be available July 14.
One of the most useful examples of cyber information sharing is the wealth of reports put out by cyber security vendors and analysts. In our cyber summer reading series, we're discussing 10 of the most useful reports and explaining how their lessons can help improve your cyber posture.
Inclusion does not mean endorsement, nor does exclusion imply anything negative.
Below are three vendor reports that provide key insights into current cyber threats. NJVC has used these reports to evaluate our ability to defend customer domains against new and rapidly changing threat vectors.
The Takeaway: Cyber security is a matter of regular vigilance. Patch updates. Configurations. There is no set-it-and-forget-it in cyber security.
Every year, the HP Security Research team disseminates a cyber threat report. The stellar 2013 edition provides an understanding of the attack surface, defined as the sum of the vulnerabilities available for exploitation across processes or technologies. HP is able to draw on its independent research, as well as installed HP security products, to produce a wide range of conclusions. Some of the report's key findings are:
How can this be reconciled with the overall trend of increasing attacks each year? As industries improve their core security postures, it appears that high-severity vulnerabilities carry an increasing price on the black market and tend to be more closely guarded.
This finding implies that fixing source code weaknesses alone is not enough to sufficiently fill this security gap. Items such as server configurations, user access controls and other system administrative-type settings expose applications to attacks by determined adversaries.
This conclusion indicates that the overall IT infrastructure is struggling to maintain some type of secure core. As vulnerabilities are identified and patches are applied, new vulnerabilities are uncovered due to the deployment of new applications and browser and operating system updates, and the ongoing struggle against cyber threats continues.
In addition, HP oversees a project, the HP Zero Day Initiative (ZDI), which has pioneered the operation of a vulnerability "white market" where defined threats are purchased and, as a result, removed from use and exploitation by the corresponding black market.
Over time this black market has become more sophisticated, enabling lower-skilled cyber criminals to purchase online tools to carry out attacks with very little technical expertise. By creating a corresponding white market, the intent is to reduce the quantity of available exploits that can be bought and sold.
HP further sheds light on this murky marketplace by discussing the factors that drive the price of vulnerabilities being sold. In 2013, the largest number of vulnerabilities was uncovered in Microsoft Internet Explorer and Oracle's Java. In fact, the consistently high number of Java vulnerabilities caused HP to take a much deeper dive into the root causes, and it dedicated 10 pages of the cyber threat report to this research. Java continues to represent a serious attack vector because only a very small percentage of the overall installed user base maintains patch currency.
A final important note: In the report, HP provides a detailed case study on the cyber attack on Korean financial institutions in March 2013. This attack represented the very definition of an advanced persistent threat, as the malware overwrote the master boot records of affected disk drives, rendering them inoperable. Root directories also were deleted, leaving machines unable to reboot. While no pattern of data exfiltration was identified, the attacks caused an obvious business disruption to some 48,000 computers. Ouch.
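The master boot record damage described in the HP case study is something a responder can verify quickly from a disk image. The following Python script is an added example, not part of the NJVC post or of HP's report: it reads a 512-byte raw MBR and reports whether it still has the 0x55AA boot signature, a non-uniform bootstrap region, and a sane partition table. The healthy and wiped sample sectors are constructed inline for illustration; on a real case you would pass the first 512 bytes of the disk image instead.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def check_mbr(mbr: bytes) -> dict:
    """Describe whether the MBR looks intact, and if not, why.

    Checks: correct sector length, 0x55AA boot signature, a bootstrap region
    that is not uniformly overwritten, at least one usable partition entry,
    and no overlapping partitions.
    """
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"intact": False,
                "findings": [f"unexpected length {len(mbr)}"],
                "partitions": []}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    # A wiper that zero-fills or pattern-fills the sector leaves a uniform region.
    if len(set(mbr[:PARTITION_TABLE_OFFSET])) <= 1:
        findings.append("bootstrap code region is uniform (zeroed or overwritten)")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(mbr[start:start + PARTITION_ENTRY_SIZE]))
    partitions = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    if not partitions:
        findings.append("no usable partition entries")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"overlapping partitions at LBA {s2}")
    return {"intact": not findings, "findings": findings, "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed healthy-looking MBR: pseudo bootstrap bytes plus one Linux partition."""
    bootstrap = bytes((i * 37 + 11) & 0xFF for i in range(PARTITION_TABLE_OFFSET))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x83,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return bootstrap + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed MBR image with the whole sector zeroed, as a wiper would leave it."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    # On a real image: image = open("disk.raw", "rb").read(MBR_SIZE)
    for name, image in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        result = check_mbr(image)
        state = "intact" if result["intact"] else "damaged"
        print(f"{name}: {state} {result['findings']}")
```

The uniform-region check is deliberately loose: it flags a sector that has been zero-filled or filled with a single repeated byte, which is the cheapest kind of destruction, without assuming anything about a specific wiper's signature. A tampered MBR that keeps a valid signature and partition table would pass this check, so in practice the sector is also hashed and compared against a known-good copy.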
The Takeaway: Information sharing on cyber security vulnerabilities must increase among commercial verticals.
McAfee, an Intel Security company, operates a global threat intelligence network through the software and devices it deploys and operates worldwide. McAfee Labs is its business subsidiary that focuses on threat research and intelligence.
McAfee Labs is bold enough to offer predictions on the cyber-related threats the company believes will be most impactful. Its 2014 predictions focused on seven areas and highlighted the key overall market trends that industry professionals should be cognizant of, based on its field observations.
The company's most recent report, "McAfee Labs Threat Report Fourth Quarter 2013," summarizes the global email and web threats the company observed. As with most vendors that are blessed and cursed with a huge amount of data at their research core, McAfee takes great care to summarize key conclusions of interest to a wide audience.
Specific highlights in this report include how:
The overall malware black market enables the generation of code which is reusable across multiple targets. The Target data breach captured most of the headlines late last year due to the large volume of account compromises, but it appears variants of the very same code base were used to exploit other retailers. It is becoming more and more important for peer companies in a vertical industry to be willing to share information on attacks to mitigate them.
The widespread attacks are further enhanced through more sophisticated compromises, such as those at certificate authority companies responsible for a large portion of trust enabling transactions to occur between parties that do not know each other. As certificate authorities are compromised, the trust scheme between third parties erodes, and compromised software can proliferate very easily.
The Takeaway: Threat actors hit you where you live electronically. Compromised legitimate websites, mobile attacks and phishing represent an increasing attack vector.
Symantec produces an Internet Security Threat Report (ISTR); its most recent version (Volume 19) was released in April 2014. This 98-page comprehensive view of Internet threat data was collected via Symantec's global intelligence network, which comprises more than 41.5 million attack sensors operating in more than 157 countries and records thousands of events per second.
A partial listing of the ISTR's key findings is:
Symantec termed 2013 the “Year of the Mega Breach,” given that eight separate breaches each exposed more than 10 million identities. In total, the company estimates that 552 million identities were exposed over the course of the year—a tremendous 493-percent increase over 2012.
Symantec's website scan surveys found that 77 percent of all websites had one or more vulnerabilities; compromising a legitimate website is one of the primary methods by which malware is introduced into an organization. One in eight of all sites had critical unpatched vulnerabilities, meaning they were not current with the baseline software set and were running older software versions with reported and known vulnerabilities.
Another disturbing finding highlighted in this report is the 64-percent gain in zero-day vulnerabilities from 2012 to 2013 (up from 14 to 23), with 97 percent of these exploits enabled through Java. Once a vulnerability is identified and published, attackers can switch to the next unidentified vulnerability for malware insertion.
One other compelling feature of the Symantec report is its 2013 Security Timeline, which chronologically lists notable cyber events through the entire year, if you can tolerate the unrelenting sequence of negative news.
We will continue with our Cyber Summer Reading series next week, focusing primarily on industry surveys, a useful complement to data summaries.