Symantec to CISOs: Watch for the 'mega-breach'

Company releases 2013 Internet Security Threat Report, warning organizations that phishing and watering hole attacks can bury them

Symantec has declared 2013 the year of the "mega-breach," placing security pros on notice that they stand to lose big from phishing, spear-phishing and watering-hole attacks.

The company released Tuesday its Internet Security Threat Report for 2013, which found that eight breaches exposed the personal information of more than 10 million identities each. By comparison, 2012 had only one breach that size and in 2011 there were five.

The number of massive data breaches in 2013 made it the "year of the mega-breach," Symantec said. Information stolen included credit card information, government ID numbers, medical records, passwords and other personal data.

Adding to last year's notoriety was the fact that the number of data breaches rose 62 percent from 2012. That amounted to 552 million identities exposed, an increase of 368 percent.

The increasing threat of having computer systems compromised has drawn attention within an organization to the chief information security officer (CISO) and the security team, Edward Ferrara, analyst for Forrester research said. He has advised CISOs to see this as a "big opportunity" to raise their profiles to the level of other high-level executives.

However, the higher exposure will carry huge risks.

"Security incidents, managed well, can actually enhance customer perceptions of a company; managed poorly, they can be devastating," Ferrara wrote in a recent blog post. "If customers lose trust in a company because of the way the business handles personal data and privacy, they will easily take their business elsewhere."

Symantec found that targeted attacks continued to increase, while watering-hole attacks also rose in popularity, a trend that started in 2012. A watering-hole attack is when malware is embedded inside a Web page and downloaded when the victim visits the site.

Spear phishing remained a favorite among hackers, with the number of campaigns soaring by 91 percent, the report found. The campaigns also ran three times longer last year than in 2012.

At the same time, attackers used fewer email in targeting fewer companies, an indication that cybercriminals were taking a "low and slow" approach, Symantec said.

Organizations found most at risk of cyberattacks were governments and mining and manufacturing companies. Their odds of being attacked were 1 in 2.7, 1 in 3.1 and 1 in 3.2, respectively.

Mining and manufacturing companies are typically at a disadvantage in defending against attacks, because they often lack an "IT savvy workforce and appropriate budgets to fund cybersecurity efforts," Rohyt Belani, chief executive of security firm PhishMe, said.

"Traditionally, manufacturing and mining companies have not had to worry about information security threats as much as say, financial services, as the primary adversaries were cybercriminals," Belani said. "However, with the rise of the nation-state actors these industries are under constant attack as the proverbial pot of gold of proprietary information and intellectual property is very lucrative."

Along with honing their campaigns, attackers used exploits against more zero-day vulnerabilities than ever before. The 23 zero-day vulnerabilities discovered by Symantec represented a 61 percent increase over 2012 and were more than the previous two years combined.

Tags softwareapplicationssymantecspear-phishingwatering hole attacksInternet Security Threat Report 2013mega breach

Show Comments