Trustwave Global Security Report 2014

Cross posted from where I am a regular author.

The Trustwave Global Security Report for 2014 was recently released.  There are a number of very useful and insightful statistics in this report, which we can corroborate, based on our assessments of numerous organizations’ networks.  We wanted to highlight a few of these statistics below:

Top 10 Internal Network Penetration Test Vulnerabilities
which include weak passwords, shared accounts, and unencrypted storage


Top 10 External Network Penetration Test Vulnerabilities
– which include default SNMP strings and weak passwords:


Top 10 Web Application Vulnerabilities
– including path traversal, authentication bypass, SQL injection, unencrypted pages and XSS, just showing that the OWASP top 10 is alive and well


Passwords were the cause of a compromise 31% of the time
– it’s time to start upping the requirements for password length and complexity

Criminals relied most heavily on
Java applets as a malware delivery method
– Java and Adobe often have the top number of vulnerabilities when we assess an organization. Patch schedules for these products are essential.

71% of victims did not detect a breach themselves
– who wants their client notifying them of a breach. It’s time to implement defense in depth strategies with IDS/IPS protection and SIEM solutions

67% of victimes were able to contain a breach within 10 days upon discovery, however, the median number of days
from intrusion to detection was 87
– organizations just need to know it happened; in general they can handle the situation well once they know

Top Intrusion Indicators Include:
anomalous account activity, unexplained or suspicious outbound data, new and/or suspicious files dropped, geographic anomalies in logins, registry changes, log tampering, anti-virus tampering, services added/stopped/paused and more
– learning to recognize these signs or implementing tools that correlate these types of events can help in self detection

Over 13 client side zero-day vulnerabilities
were actively exploited in 2013
– again, it is essential to have a patching procedure
for third party plugins and apps

78% of detected exploits were Java related

Botnet analysis showed a continuing trend of using common and compromised passwords across multiple sites

Microsoft SQL Server was the only database that did not experience any known vulnerabilities in 2013

Android and iOS both had a number of vulnerabilities 
– don’t assume that something is more secure based on social stigma, make sure all of your mobile devices are managed
In conclusion, I suggest everyone take a look at this report and take note of some of the recurring elements in any of these reports.  Organizations need stronger passwords and they need to patch their stuff.  Those two steps alone will mitigate a number of risks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.