Key highlights from the 2017 Trustwave Global Security Report include:
- Intrusion detection gets better, especially when breaches are self-detected: The median number of days from an intrusion to detection of a compromise decreased to 49 days in 2016 from 80.5 days in 2015, with values ranging from zero days to almost 2,000 days (more than five years). For internally detected incident the median was 16 days, while 65 was the median number of days for externally detected incidents.
- Once detected, victims contain breaches relatively quickly: The median number of days from detection to containment was 2.5 in 2016 with values ranging from −360 days, meaning the intrusion ended 360 days before detection, to 289 days. In cases where containment occurred after detection, the median duration was 13 days from detection to containment.
- Intrusion containment remains stagnant: The median number of days from an intrusion to containment of a compromise stayed relatively the same at 62 days in 2016 compared to 63 days in 2015.
- North America and retail lead in data breaches: Similar to previous years, 49% of data breaches investigated by Trustwave were in North America, while 21% were in Asia-Pacific, 20% in Europe, Middle East and Africa, and 10% in Latin America. The largest single share of incidents involved the retail industry, at 22%, followed closely by the food and beverage industry, at nearly 20%.
- POS breaches increase: Environments most breached in 2016 again consisted of corporate and internal networks, at 43%. Incidents affecting POS systems increased to 31% in 2016, from 22% in 2015, while incidents affecting e-commerce environments fell to 26% from 38%. Incidents involving POS environments were most common in North America, which has been slower than much of the world to adopt the EMV payment card standard.
- Payment card data most at risk: More than half of the incidents investigated targeted payment card data: Card track (also called magnetic stripe) data, at 33% of incidents, primarily came from POS environments. Card-not-present (CNP) data, at 30%, mostly came from e-commerce transactions. Financial credentials, including account names and passwords for banks and other financial institutions, accounted for 18% of incidents, followed by other targets.
- Attackers seek stiff prices for their zero-day vulnerabilities: In 2016, Trustwave discovered an alleged undisclosed Windows zero-day vulnerability and accompanying exploit code on sale for an initial price of $95,000.
- Exploit market disruption: The most common exploit kits in the world — Angler, Magnitude and Nuclear — disappeared or went private in 2016, leading to a shakeup of the exploit kit market.
- Malvertisements get dirt cheap: In 2016, the estimated cost for cybercriminals to infect 1,000 vulnerable computers with malvertisements was only $5 -- less than $.01 per vulnerable machine. Malicious advertising remains the number one source of traffic to exploit kit landing pages.
- Malware tries to hide itself: 83% of malware samples Trustwave examined in 2016 used obfuscation, while 36% used encryption.
- Malware-laden spam creeps up: In 2016, 35% of spam messages contained malware, up from 3% in 2015. Meanwhile, 60% of all inbound email was spam, up from 54% in 2015.
- Database flaws increase: Database vendors patched 170 vulnerabilities in the most common database products in 2016, up from 139 vulnerabilities in 2015.
- Applications are almost always vulnerable: 99.7% of web applications Trustwave application scanning services tested in 2016 included at least one vulnerability, with the mean number of vulnerabilities detected being 11 per application.
Trustwave experts gathered real-world data from hundreds of breach investigations the company conducted in 2016 across 21 countries. This data was added to billions of security and compliance events logged each day across the global network of Trustwave Advanced Security Operations Centers, along with data from tens of millions of network vulnerability scans, thousands of web application security scans, tens of millions of web transactions, tens of billions of email messages, millions of malicious websites, penetration tests, telemetry from security technologies distributed across the globe and industry-leading security research.
To download a complimentary copy of the 2017 Trustwave Global Security Report, visit: https://www.trustwave.com/gsr/.