Last year was a brutal one for enterprise security, according to the latest IBM X-Force Threat Intelligence report for the first quarter of 2015. IBM reports that in 2014 at least one billion records with personally identifiable information (PII) were leaked or stolen.
The new report, which looks at data from the last quarter of 2014, found more vulnerabilities disclosed in 2014 than at any other point in the 18 years that X-Force has been analyzing security data. In total, over 9,200 new security vulnerabilities were disclosed, a 9.8 percent increase over 2013.
The big vulnerability and record leakage totals were not the biggest surprises in the report for Leslie Horacek, X-Force threat response manager. Instead, Horacek cited CERT/CC's disclosure of a class of vulnerabilities affecting thousands of Android applications that improperly validate SSL certificates.
Horacek noted that in the IBM X-Force Threat Intelligence Quarterly 3Q 2014, IBM reported a potential downturn in the number of vulnerability disclosures that could result in the total yearly vulnerabilities dropping below 8,000 for the first time since 2011. However, the forecast drastically shifted in September when a researcher at CERT/CC made a landmark disclosure about Android vulnerabilities.
“This is the largest anomaly we have seen in the 18-year history that we have been tracking vulnerabilities,” Horacek said. “This tabulation provides nearly 15 percent of the total vulnerability count for the year and helped inch the final numbers into a new historical peak.”
Citadel Malware and More
For Horacek, a second surprising event was the shift of the Citadel malware toward APT-style attacks that target enterprises instead of financial institutions.
“In the past, several variants of financial malware have targeted non-financial institutions, including e-commerce sites, airlines, hotels, healthcare organizations and online gaming companies,” Horacek said. “Now a variant of Citadel targets petrochemical sellers and suppliers, as well as password management software — with the apparent goal of giving attackers access to sensitive corporate intellectual property rather than financial data.”
While the IBM report provides insight into a wide range of threat data, there is one particularly strange outlier. Sitting atop the listing of the most common attack types is “undisclosed” at 40.2 percent of incidents.
“All incidents that you see in the report and the interactive website are coming from publicly disclosed incidents/breaches,” Horacek explained. “As such, the attack type is not always known or discussed through this reported channel.”
While an enterprise may disclose publicly the fact that they were breached or infiltrated, they do not always want to disclose how the infiltration occurred as they fix those areas of concern, Horacek added.
While 2014 was a tough year for security, it is not yet clear whether the number of vulnerabilities will increase again in 2015.
“IBM X-Force can’t predict the future, but so far in 2015 our research teams have recorded continued, vigorous attack activity,” Horacek said. “We will have to wait until the end of the year to have a definitive answer.”
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.