Now is the time of the year when the security community eagerly waits for the statistics and reporting to be collated and generated by the various companies and research bodies, so we can see exactly where the threats are moving and how the security risk landscape is evolving. In particular, we are all waiting for the king of stats, Verizon’s DBIR, which isn’t too far away.
Last year was the worst year for security breaches in the last 10 years. We had 4 of the top 10 breaches of all time occurring in 2013, and the final tally of records exposed topped 2.5 billion.
If we look at the largest and most well-known breaches of last year, we see that Adobe, Korea Credit Union and Target / Fazio made up the top 3 breaches.
Figure 1. Breaches by Data Type
Interestingly enough, pretty much all of the top 15 breaches of last year involved email records, and a large majority involved usernames and passwords.
POS malware also made the mainstream news with the blackPOS malware used in the Target/Fazio breach that exposed the card details and personal information of 110 million consumers. Then we saw the Neiman Marcus breach. Neiman Marcus were compromised with the same malware, and 1.1 million credit and debit cards were exposed – this served as a massive warning for the retail sector, an industry with a large target on its back.
If we look at some of the statistics from the 3 main data breach services (Datalossdb, Privacyrights and idtheftcenter), we see some explosive numbers in terms of growth from 2012.
PrivacyRights.org Data Breach Figures
600 total breaches in 2013 (680 in 2012)
55,213,441 records exposed in 2013 (27,545,995 in 2012)
DataLossDB.org Data Breach Figures
1419 worldwide total breaches in 2013 (1632 in 2012)
705 million records exposed in 2013 versus 267 in 2012
idtheftcenter.org Data Breach Figures
619 total breaches in 2013 (447 in 2012)
57,868,922 records exposed in 2013 (17,317,184 in 2012)
And with each month that passes we see cyber-attacks becoming more and more sophisticated. If we look at the case of the Target breach, the intrusion was traced back to network credentials that Target issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm. The credentials were stolen in an email malware attack at Fazio, 2 months before the Target breach.
We also saw a large increase in mobile attacks over 2013 which will no doubt continue into 2014.
For those of you wondering, the 4 breaches of last year that made their way into the top 10 incidents of all time were Adobe, Korea Credit Union, Target and Pinterest.
Denial of Service Attacks (DDoS)
We also saw the largest DDoS in history last year, with Spamhaus copping the enormous 300 Gbps DDoS attack. This was recently topped with a 400 Gbps NTP reflection attack against CloudFlare.
Of the incidents last year, 89% could have been prevented! And 31.3% of incidents involved inside threats, as opposed to 25% the previous year, showing a growing increase in the insider threat space.
Espionage and Snooping
Last year was also the year of espionage and spying, with the Edward Snowden leaks serving as the wake-up call to the entire world as to the masses of data collected by the NSA and other law enforcement agencies. The release of this classified material was called the most significant leak in US history by Pentagon Papers leaker Daniel Ellsberg.
And then came the totally awesome Mandiant report, which showed the world evidence identifying the Chinese government APT1 cyber espionage group as being involved in espionage operations on at least 141 organisations, from all walks of industry and government, from which it systematically stole hundreds of terabytes of data.
2013 was a seriously scary year in the security space, reaffirming that we live in a world of risk and uncertainty. Personally, I fear the worst is yet to come, but with a multi-layered security approach, regular security assessments, and industry, threat and user awareness, your organisation can be in the best possible position to mitigate these threats.
To find out more about the year that was, and how to defend your organisation from threats, attackers and risks, I am presenting at Kiandra’s Security and real world threats breakfast seminar on the 12th of March. There are still a few spots left if you act fast!