In the distant past (2009, 2010, 2011) I wrote about the annual security reports that companies publish. We should applaud the organizations that spend a vast amount of time compiling and publishing these reports on what is happening in terms of Internet security. There were a whole host of "security SNAFUs" (as Ellen Messmer calls them) in 2014 and 2013, and we should all try to learn from these incidents. In the last 6 to 12 months, many organizations have published some very good reports on the state of Internet security.
This article will list and review many of the recently published security reports. By reading these reports and sharing this type of knowledge with our colleagues, we can strive for better security practices. We can read these reports to anticipate what attack types may become prevalent in the new year, to get an idea of the threats our organizations are currently facing, and to learn how we should configure our security systems for maximum effectiveness.
Verizon Data Breach Investigations Report (DBIR) 2014
Every springtime since 2008, Verizon has published its Data Breach Investigations Report (DBIR). This is one of the best annual security reports because it anonymously compiles information from 63,000 actual security incidents. This year's report covered all incidents, even if data records were not leaked, unlike previous years' reports, which covered only confirmed information breaches. This year's report identified nine common attack patterns that represent the vast majority of cyber-attacks. The report breaks down these nine attack types and covers which attack types are common in specific industries.
Of all the statistics revealed in the DBIR, the one that continues to amaze us is the time between a security incident occurring and the organization actually discovering the compromise. In some cases, it takes organizations over a hundred days to discover that a breach has occurred. Oftentimes, an organization learns of the breach only when an outside person or company identifies that information has been leaked.
The 2014 breach report actually covers information gathered during 2013, so by this time in the year, this information can be at least 18 months old. In several months we are likely to receive the 2015 DBIR, which will cover data from 2014.
Cisco Systems Annual Security Report (ASR)
Cisco publishes its Annual Security Report (ASR) on the state of Internet security twice a year. There is a midyear security report, which covers threat intelligence from the first half of the year, and an annual security report, which covers what occurred during the whole previous year. The report combines threat intelligence from Talos, Cisco's threat research team, with an examination of cybersecurity trends.
The Cisco 2014 Annual Security Report covered information from 2013. This report covered how attacks are now targeting manufacturing and agricultural organizations, while retail and point-of-sale systems are still financially lucrative targets. Even though spam volumes are down, breaking-news spam, spear phishing and "watering hole" attacks are on the rise. The report revealed that 99% of all mobile malware was directed toward Android OS devices. Java was the leading Indicator of Compromise (IoC), ahead of Flash exploits and PDF issues.