How Cyber-criminals Infiltrate the Enterprise
Large Corporations Targeted
Five out of six large companies (2,500-plus employees) were hit by spear-phishing attacks in 2014, a 40% rise since 2013, whereas attacks on small and mid-size businesses increased 26 and 30%, respectively.
Non-Targeted Attacks
Non-targeted attacks still comprise the majority of malware, increasing by 26% this year. There were 317 million new pieces of malware created and 1 million new threats released daily.
Stalking Security Researchers
To avoid detection, before executing their code, malware authors spot security researchers by testing for virtual machines. In 2014, 28% of all malware was “virtual-machine aware.”
Digital Extortion Rising
Digital extortion through ransomware attacks grew 113% last year, driven by a 4,000% increase in crypto-ransomware attacks. In 2013, this accounted for 0.2% of ransomware attacks, whereas this year they were 45 times more frequent.
Cyber-criminals Leveraging Social Networks
70% of social media scams were manually shared and spread rapidly. They are lucrative because people are more likely to click something posted by a friend.
Mobile Ripe for Attack
17% of Android apps (1 million) are malware in disguise. 36% of mobile apps are “grayware,” which is not malicious but does annoying and harmful things, such as trick user behavior.
Point-of-Sale Attacks
Point-of-sale systems, ATMs and home routers continue to be attacked in 2014, demonstrating that more than our PCs are at risk. Cyber-attacks against cars and medical equipment should remain a concern, according to the report.
Smartphones Exacerbate IoT Risks
52% of health apps, many of which connect wearable devices, do not have privacy policies. 20% of personal information, logins and passwords online are in clear text.
Zero-Day Vulnerabilities at Record High
There was a record high of 24 zero-day vulnerabilities in 2014. It took vendors an average of 59 days to create and rollout patches, an increase from four days in 2013.
Recommendations
Use advanced threat intelligence solutions to find signs of compromise and respond faster. Implement multilayered endpoint security, network security, encryption, strong authentication and reputation-based technologies
Prepare for the Worst
Incident management optimizes your security and ensures that it is measurable and repeatable. Lessons learned improve your position on security. Retain a third-party expert to help manage crises.
Educate and Train
Regularly assess internal investigation teams and run practice drills. Establish guidelines, policies and procedures to protect sensitive data.
