2014 TRUSTWAVE GLOBAL SECURITY REPORT John Yeo VP at Trustwave Stockholm - November 2014

Summary of the 2014 Trustwave Global Security Report


Welcome…

2014 GSR: AGENDA

1. Victim Demographics
2. Data and Systems Targeted
3. Intrusion Methods
4. Indicators of Compromise
5. Detection Statistics
6. Understanding Widespread Malware
7. Actions and Recommendations


2014 GSR: SUMMARY OF FINDINGS

1. More victims, more breaches

2. Shift in data types

3. Similar targets and methods as past years

4. Self detection = early detection

5. Response is key


WHO WERE THE VICTIMS?

THE VOLUME OF DATA BREACH INVESTIGATIONS INCREASED 54% OVER 2012

ATTACK SOURCE IP ADDRESSES:

19% United States
18% China
16% Nigeria
5% Russia
5% Korea
4% Germany
4% United Kingdom
4% Japan
3% France
3% Taiwan
19% Other Countries

LOCATION OF VICTIMS:

19% United States
14% United Kingdom
11% Australia
2% Hong Kong
2% India
1% Mauritius
1% New Zealand
1% Ireland
1% Belgium
1% Canada
7% Other Countries

[Chart: victims by industry]

35% RETAIL
18% FOOD & BEVERAGE
11% HOSPITALITY
9% FINANCE
8% PROFESSIONAL SERVICES
6% TECHNOLOGY
4% ENTERTAINMENT
3% TRANSPORTATION
2% HEALTH CARE
4% OTHER


WHAT WAS TARGETED?

33% INCREASE IN NON-CARD DATA TARGETED

[Chart: data types targeted: POS payment card data (track data), non-payment card data, and e-commerce payment card data; the shares shown on the chart are 45%, 36% and 19%]

E-COMMERCE MADE UP 54% OF ASSETS TARGETED

POINT-OF-SALE (POS) BREACHES ACCOUNTED FOR ONE THIRD OF OUR INVESTIGATIONS


HOW DID ATTACKERS GET ACCESS?

WEAK PASSWORDS OPENED THE DOOR FOR THE INITIAL INTRUSION IN 31% OF COMPROMISES

MOST COMMON PASSWORD FOUND WITHIN CORPORATE ENVIRONMENTS?

[Chart: TOP 25 PASSWORDS]

[Chart: PASSWORD LENGTH BY PERCENT]

ALMOST ALL APPLICATIONS SCANNED HARBORED ONE OR MORE SERIOUS SECURITY VULNERABILITIES

TOP 10 APPLICATION VULNERABILITIES


INDICATORS OF COMPROMISE

Businesses often…

1. Don’t centralize logging
2. Log but don’t monitor
3. Log the wrong things

…important because the following indicators only show up when the right logs are collected and watched:

ANOMALOUS ACCOUNT ACTIVITY

UNEXPLAINED OR SUSPICIOUS OUTBOUND DATA

NEW AND/OR SUSPICIOUS FILES DROPPED

GEOGRAPHIC ANOMALIES IN LOGINS

UNEXPLAINED OR SUSPICIOUS CHANGES TO THE WINDOWS REGISTRY

EVIDENCE OF LOG TAMPERING

EVIDENCE OF TAMPERING WITH ANTI-VIRUS SERVICES

ANOMALOUS SERVICE ACTIVITY (SERVICES ADDED, STOPPED OR PAUSED)

INTERRUPTION IN THE PAYMENT PROCESS FLOW (E-COMMERCE)

UNEXPLAINED ACCESS TO ADMINISTRATION CONSOLES OR WEB ADMIN (E-COMMERCE)
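The slide names the indicator categories but not how to look for them in the logs a business already collects. As an added example, not from the report or from Trustwave, the Python below runs over constructed log lines (an assumed simplified "timestamp user ACTION key=value" format) and flags four of the listed indicators: geographic login anomalies, anomalous service activity, anti-virus service tampering and log tampering. The service names in AV_SERVICES are assumptions.

```python
from collections import defaultdict

# Constructed sample log lines, not taken from the report.
# Assumed format: "<timestamp> <user> <ACTION> key=value ..."
SAMPLE_LOGS = [
    "2014-11-03T08:02:10 alice LOGIN country=SE",
    "2014-11-03T08:40:55 alice LOGIN country=SE",
    "2014-11-03T09:05:12 alice LOGIN country=NG",             # login from a new country
    "2014-11-03T09:06:30 alice SERVICE_STOP name=WinDefend",  # anti-virus service stopped
    "2014-11-03T09:07:01 alice SERVICE_INSTALL name=updsvc",  # new service added
    "2014-11-03T09:09:44 alice LOG_CLEAR log=Security",       # event log cleared
    "2014-11-03T10:00:00 bob LOGIN country=SE",
]

# Assumed: service names an analyst would maintain for the local AV product.
AV_SERVICES = {"WinDefend", "McAfeeFramework", "SepMasterService"}


def parse(line):
    """Split one log line into a dict of fixed fields plus key=value pairs."""
    ts, user, action, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": ts, "user": user, "action": action, **fields}


def find_indicators(lines):
    """Return (indicator, line) pairs for the IoC categories named on the slide."""
    hits = []
    # Each user's earlier logins form the baseline of known countries.
    known_countries = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev["action"] == "LOGIN":
            baseline = known_countries[ev["user"]]
            if baseline and ev["country"] not in baseline:
                hits.append(("geographic login anomaly", line))
            baseline.add(ev["country"])
        elif ev["action"] == "SERVICE_STOP" and ev["name"] in AV_SERVICES:
            hits.append(("anti-virus service tampering", line))
        elif ev["action"] in ("SERVICE_INSTALL", "SERVICE_STOP"):
            hits.append(("anomalous service activity", line))
        elif ev["action"] == "LOG_CLEAR":
            hits.append(("log tampering", line))
    return hits


if __name__ == "__main__":
    for name, line in find_indicators(SAMPLE_LOGS):
        print(f"{name:30} {line}")
```

Because the baseline is built from the same stream, the first login a user makes from any country is never flagged; in practice the baseline would be seeded from historical logs.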


DETECTION STATISTICS

71% OF COMPROMISE VICTIMS DID NOT DETECT BREACHES THEMSELVES


UNDERSTANDING WIDESPREAD MALWARE

NARRATIVE OF A MALICIOUS CAMPAIGN

THE TOP THREE MALWARE HOSTING COUNTRIES WERE:

42% UNITED STATES

13% RUSSIA

9% GERMANY

MALWARE STRAINS:

PASSWORD STEALERS

BANKING TROJANS

DDOS BOTS

RANSOMWARE

FAKE UPDATES OR ANTI-VIRUS

CRYPTO-CURRENCY MINER

POINT-OF-SALE MALWARE

SPAMBOTS

BLACKHOLE TOPPED THE LIST OF MOST PREVALENT EXPLOIT KITS AT 49%

85% OF EXPLOITS DETECTED WERE OF THIRD-PARTY PLUG-INS INCLUDING JAVA AND ADOBE FLASH, ACROBAT AND READER

78% OF EXPLOITS DETECTED WERE OF JAVA VULNERABILITIES

SPAM MADE UP 70 PERCENT OF INBOUND MAIL

IN TERMS OF MALICIOUS SPAM, 59% INCLUDED ATTACHMENTS & 41% INCLUDED LINKS


ACTION PLAN/RECOMMENDATIONS

TO DO LIST:

1. Educate employees on best security practices through security awareness training.
2. Invest in gateway security technologies to protect networks and users against zero-day exploits, targeted malware and blended threats.

TO DO LIST:

1. Implement and enforce strong password policies for employees.
2. Change default and “admin” passwords immediately.
3. Consider two-factor authentication solutions.

TO DO LIST:

1. Know your data - discover all types of sensitive data across your environment.
2. Combine ongoing scanning and testing across all assets - endpoint, network, application and database - so you can identify and fix flaws before an attacker finds them.

TO DO LIST:

1. Pit a security expert against your network hosts, applications and databases for a real-world threat perspective.
2. Test resilience of your systems with regular penetration testing.

TO DO LIST:

1. Develop, institute, and rehearse an incident response plan.
2. Ensure ongoing security training and education of your IT staff.
3. Consider a MSSP for expert help, including ongoing tuning of your technologies and continuous threat monitoring.

IN CLOSING, SECURITY IS:

1. A continuous process
2. Compliance != Security
3. Bigger than the IT dept
4. An effective combination:
   • of People
   • of Process
   • of Technology; AND
   • of expert partners


Further Resources

www.trustwave.com/GSR

blog.spiderlabs.com

ANY QUESTIONS?