Zero-Day vulnerabilities highlighted by leading security company
Zero-day vulnerabilities have increased by 125% in the past twelve months, according to Symantec, a leading security company. There are now 54 such problems occurring each year, or one a week. The main problem is that such issues take at least 7 days to successfully patch. However, that assumes a) that they are discovered by the software vendor quickly enough and b) that the relevant patches are installed by the users straight away.
In its STR Report, the authors highlight six key areas.
- A new zero-day vulnerability is discovered each week. (This is where the hole or ‘bug’ in the software is not known about by the vendor.) Often the targeted software packages are popular ones used by millions of people. “Four of the five most exploited zero-day vulnerabilities in 2015 were Adobe Flash. Once discovered, the zero days are quickly added to cybercriminal toolkits and exploited. At this point, millions will be attacked and hundreds of thousands infected if a patch is not available, or if people have not moved quickly enough to apply the patch.”
- Over Half a Billion Personal Records Were Stolen or Lost in 2015. A total of 9 mega-breaches were reported in 2015. A mega-breach is one with over 10M records being accessed. However, Symantec feel that this is just the tip of the iceberg and that many companies were choosing not to report breaches.
- Major Security Vulnerabilities in Three Quarters of Popular Websites Put Us All at Risk. There were over a million attacks on web users every day in 2015. These were not just on the sordid little sites we shouldn’t really be accessing but on legitimate, popular websites. “More than 75 percent of all legitimate websites have unpatched vulnerabilities. Fifteen percent of legitimate websites have vulnerabilities deemed ‘critical,’ which means it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes,” say the authors.
- Spear-Phishing Campaigns Targeting Employees Increased 55 Percent in 2015. In the past three years Symantec say they have seen a rise in attacks on smaller businesses, presumably as the large companies tighten their defences. They cite one company with only 35 employees which was targeted and had a virus hidden in its network for over two years, stealing customer and pricing information.
- Ransomware Increased 35 Percent in 2015. The latest form of ransomware, Crypto-Ransomware, which encrypts files and data, is much more prevalent than the original screen-locking ransomware.
- Symantec Blocked 100 Million Fake Technical Support Scams in 2015. Symantec claim to have uncovered a growing threat from fake security warnings delivered through pop-up alerts.
GDPR addresses cyber breaches by requiring companies to report them within 3 days of discovery. Whilst this won’t actually help the issue, it is meant to ensure companies focus their attention on security.