Tag

pwnd

Browsing

List of data breaches and cyber attacks in October 2019 – 421 million records breached

In a month where security experts across Europe were boosting awareness of cyber security, organisations had mixed results in their own data protection practices.

On the one hand, the 421,103,896 data records that were confirmed to have been breached in October represents about 50% of the monthly average.

But on the other hand, there were a staggering 111 incidents, including several in which sensitive and financial information was compromised.

It was also a particularly bad month for the UK, with 9 confirmed breaches. As we have been doing for the past few months, we’ve listed UK-specific incidents in bold.

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

Thanks to a whopping data breach from an unknown server exposing 419 million data records, our monthly total comes to 531,596,111 breached records.

This brings the total amount of breached records for the year so far to 10,331,579,614.

September may have had fewer incidents than August at only 75, but overall there was a massive 363% increase on records breached.

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

At first glance, August has been a quiet month for data breaches, with a total of 114,686,290 breached records. That’s about 10 percent of the monthly average coming into the month.

But that figure comes from 95 incidents in total, which is the highest number of breaches we’ve had all year.

Let’s take a look at those breaches in full in our slightly tweaked monthly list. After a reader suggestion last month, we’re also listing the UK-specific incidents in bold. Let us know if you like that change or if you have any other suggestions for future months.

Cyber attacks

 

Ransomware

Data breaches

 

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

Remember after last month’s relatively serene cyber security scene we said this wasn’t the beginning of the GDPRevolution?

July was bound to be a bounce-back month, but we couldn’t have expected the frighteningly high total of 2,359,114,047 breached records.

Granted, a big chunk of those come from a single incident – a mammoth breach involving a Chinese smart tech supplier – but as unimaginative football commentators say, ‘they all count’.

Let’s take a look at the full list:

Cyber attacks


Ransomware


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

Source: IT Governance

Capital One Financial Corp. announced late Monday that more than 100 million people had their personal information hacked.

The hacker got information including credit scores and balances, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers, the bank said. It will offer free credit-monitoring services to those affected. The hack affected about 100 million people in the U.S. and 6 million in Canada.

Capital One couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers. Over that time, it sought help from law enforcement.

The hacker also stole the names, addresses, phone numbers, dates of birth, credit scores and other financial data, Capital One COF, -1.18%   said. The company couldn’t say for sure whether the leaked data was used for fraud. It first heard about the hack on July 19, but waited until July 29 to inform customers; it sought help from law enforcement to catch the alleged perpetrator.

Two years after Equifax EFX, +0.27%  revealed that hackers accessed the personal information of up to 147 million people, the credit bureau recently announced a settlement for up to $700 million, including $425 million in relief for those who have been affected, although there are some key requirementspeople should be aware of before they file a claim.

Last year, Facebook FB, -1.91%  announced that U.K.-based Cambridge Analytica improperly accessed 87 million Facebook users’ data. Facebook Chief Executive Mark Zuckerberg testified before Congress and vowed to do more to fix the problem, and help make sure that nothing like that happens again. Cambridge Analytica closed down in the wake of the scandal. Earlier this month, the Federal Trade Commission fined Facebook $5 billion.

Don’t miss: A worrying theory after Equifax and Facebook settlements — aggregated data is NOT enough to protect your privacy

WhatsApp, the messaging and audio app owned by Facebook, announced last May that hackers were able to install spyware on Android smartphones and AppleAAPL, +0.93%  iPhones. “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” it said at the time.

More than 57 million customers of Uber UBER, -1.44%  had their data exposed by a massive hack in October 2016. Uber fired its chief security officer, Joe Sullivan, and one of his deputies for concealing the hack, which included the email addresses of 50 million Uber riders around the world. The revelation was made a year after the attack. It also affected 7 million drivers.

Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One email address.

Be on your toes after a major hack or data breach. Consumers should never give out personal details over the telephone, even if the caller seems to represent Capital One or the email appears to be from a Capital One address. Consumers need to be careful whenever they are contacted by an unsolicited caller. Hang up and call the number on your card. “Phishing” scams — calls, emails or text messages that appear to offer protection — are actually trying to get more data from customers.

Security experts generally recommend never re-using security passwords and say people should use two-factor authentication on their phones, which requires a user to put a code sent to a phone or email into an app or website in order to log in from a new device or to change a password. They also say those affected by such hacks should freeze their credit report.

Don’t be pawned off by an offer of credit monitoring. Credit monitoring only looks for changes on a credit report, indicating that someone is using your personal information to open new accounts in your name. Here’s the bad news: Such security precautions would not help people protect against a data breach like the one Capital One announced Monday evening. Exposure of data that can’t be changed, such as Social Security numbers, are the hallmarks of particularly severe data breaches.

Here’s what else you should do now:

1. Check if your accounts have been affected

There still aren’t many formal ways to check if your data has been compromised in a breach. Often, the company will alert affected customers, but they aren’t required to. Some states, like California, have laws requiring companies to disclose data breaches that affect a certain number of customers, and the Federal Trade Commission has discussed proposing similar regulations. Consumers can also monitor their credit report to shut down fraudulent activity as quickly as possible.

2. Know the difference between a credit freeze and a lock

A freeze means that a consumer cannot take out a new loan or credit card without “unfreezing” the report first, but also prevents a hacker from taking out a loan in your name. Credit agencies also offer a service called credit “locking,” which offers the same protections as a freeze, but typically cost a monthly fee. Contact Equifax, Experian EXPN, +1.53%  and TransUnion TRU, -1.34%  to request a freeze.

3. Sign up for additional fraud protection

Those affected should sign up for services that go beyond typical credit freezing and alert services, such as LifelockEZ Shield and Identity Guard. The most basic version of Lifelock costs $9.99 per month and provides benefits including address change verification, help canceling or replacing lost credit cards, driver’s licenses, Social Security cards and insurance cards, plus a “restoration team” that helps correct any identity-theft issues and black-market website surveillance.

4. Know the difference between a hack and a breach

A breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence. A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom; that’s what happened with Capital One. If your data was part of a breach, it’s possible it was just left exposed online and was not stolen.

Source: Market Watch

The cyber security story for May 2019 is much the same as it was last month, with one mammoth breach raising the monthly total.

The offender this time is the First American Financial Corp., which breached sixteen years’ worth of insurance data. That incident accounted for more than 60% of all of May’s breached records.

In total, at least 1,389,463,242 records were compromised. That brings the annual running total to 7.28 billion and reduces the monthly average to 1.44 billion.

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governance

Below are solutions to most famous CTF challenges, comprising of detailed explanations, step-by-step reflection and proper documentation. These solutions have been compiled from authoritative penetration websites including hackingarticles.in, Hackthebox.eu, ctftime.org as well as open source search engines. Hack responsibly!Featured Solutions:

  • VulnHub
  • Hack The Box
  • CTF Time
  • Google CTFs
  • Gruyere
  • Root Me
  • Over The Wire

Born2Root: 2: Vulnhub Walkthrough

DC6-Lab Walkthrough

DC-3 Walkthrough

DC-2 Walkthrough

SP ike: Vulnhub Lab Walkthrough

Hack the Box : Irked Walkthrough

Hack the Box: Teacher Walkthrough

SP eric: Vulnhub Lab Walkthrough

Hack the Box Vault: Walkthrough

OverTheWire – Natas Walkthrough (0-11)


Hack the Box Curling: Walkthrough

Hack the Box Frolic: Walkthrough

Hack the Box Carrier: Walkthrough

Web Developer: 1: Vulnhub Lab Walkthrough

HackInOS:1: Vulnhub Lab Walkthrough

unknowndevice64: 1: Vulnhub Lab Walkthrough

Casino Royale: 1 Vulnhub Walkthrough

DC-1: Vulnhub Walkthrough


Replay: 1: Vulnhub Lab Walkthrough

Hack the Box Access: Walkthrough

W34kn3ss 1: Vulnhub Lab Walkthrough

Matrix 2: Vulnhub Lab Walkthrough

Vulnhub: Kuya: 1 Walkthrough

Vulnhub: RootThis: 1 Walkthrough

Hack the Box Zipper: Walkthrough

Hack the Box: Giddy Walkthrough

Hack the Box: Dab Walkthrough

Hack the Box: Ypuffy Walkthrough

Hack the Box: SecNotes Walkthrough

Hack the Box: Fighter Walkthrough


Hack the Box: Mischief Walkthrough

Hack the Box: Nightmare Walkthrough

Hack the Box: Waldo Walkthrough

KFIOFan:1 Vulnhub Walkthrough

Hack the Box: Active Walkthrough

Moonraker:1 Vulnhub Walkthrough

Hack the Box: Hawk Walkthrough

Typhoon: 1.02 Vulnhub Walkthrough

Hack the Box: TartarSauce Walkthrough


Mercy: Vulnhub Walkthrough

FourAndSix: 2 Vulnhub Walkthrough

Raven 2: Vulnhub Walkthrough

Fowsniff: 1 Vulnhub Walkthrough

Hack the Box: Jerry Walkthrough

Matrix: 1 Vulnhub Walkthrough

Hack the Raven: Walkthrough (CTF Challenge)


Hack the Box: Dropzone Walkthrough

Hack the Box: Bounty Walkthrough

Hack the Box: DevOops Walkthrough

Hack the Box: Olympus Walkthrough

Hack the Box: Sunday Walkthrough

Hack the Gemini inc:2 (CTF Challenge)

Hack the Box Challenge: Canape Walkthrough

Hack the MinU: 1 (CTF Challenge)

Hack the ROP Primer: 1.0.1 (CTF Challenge)

Hack the Box: Fulcrum Walkthrough

Hack the Box: Poison Walkthrough


Hack the /dev/random: K2 VM (boot2root Challenge)

Hack the Box: Stratosphere Walkthrough

Hack the Box: Celestial Walkthrough

Hack the Android4: Walkthrough (CTF Challenge)

Hack the Box: Minion Walkthrough

Hack the ch4inrulz: 1.0.1 (CTF Challenge)

Hack the Wakanda: 1 (CTF Challenge)

Hack the WinterMute: 1 (CTF Challenge)


Hack the Box: Holiday Walkthrough

Hack the Box: Silo Walkthrough

Hack the Lampião: 1 (CTF Challenge)

Hack the Bulldog:2 (CTF Challenge)

Overthewire – Bandit Walkthrough (21-34)

Hack the Box: Bart Walkthrough

Hack the Box: Valentine Walkthrough

Hack the Box: Aragog Walkthrough


Hack the Jarbas: 1 (CTF Challenge)

OverTheWire – Bandit Walkthrough (14-21)

Hack the Temple of Doom (CTF Challenge)

Hack the Golden Eye:1 (CTF Challenge)

Hack the FourAndSix (CTF Challenge)

Hack the Blacklight: 1 (CTF Challenge)

Hack the Basic Pentesting:2 VM (CTF Challenge)

Hack the Billu Box2 VM (Boot to Root)

Hack the Lin.Security VM (Boot to Root)

Hack The Toppo:1 VM (CTF Challenge)


Hack the Box Challenge: Ariekei Walkthrough

Hack the Violator (CTF Challenge)

OverTheWire – Bandit Walkthrough (1-14)

Hack the Teuchter VM (CTF Challenge)

Hack the Box Challenge: Enterprises Walkthrough

Hack the Box Challenge: Falafel Walkthrough

Hack the Box Challenge: Charon Walkthrough

Hack the PinkyPalace VM (CTF Challenge)

Hack the Box Challenge: Jail Walkthrough


Hack the Box Challenge: Nibble Walkthrough

Hack The Blackmarket VM (CTF Challenge)

Hack the Box: October Walkthrough

Hack The Box : Nineveh Walkthrough

Hack The Gemini Inc (CTF Challenge)

Hack The Vulnhub Pentester Lab: S2-052

Hack the Box Challenge: Sneaky Walkthrough

Hack the Box Challenge: Chatterbox Walkthrough

Hack the Box Challenge: Crimestoppers Walkthrough

Hack the Box Challenge: Jeeves Walkthrough

Hack the Trollcave VM (Boot to Root)


Hack the Box Challenge: Fluxcapacitor Walkthrough

Hack the Box Challenge: Tally Walkthrough

Hack the Box Challenge: Inception Walkthrough

Hack the Box Challenge Bashed Walkthrough

Hack the Box Challenge Kotarak Walkthrough

Hack the Box Challenge Lazy Walkthrough

Hack the Box Challenge: Optimum Walkthrough

Hack the Box Challenge: Brainfuck Walkthrough


Hack the Box Challenge: Europa Walkthrough

Hack the Box Challenge: Calamity Walkthrough

Hack the Box Challenge: Shrek Walkthrough

Hack the Box Challenge: Bank Walkthrough

Hack the BSides Vancouver:2018 VM (Boot2Root Challenge)

Hack the Box Challenge: Mantis Walkthrough

Hack the Box Challenge: Shocker Walkthrough

Hack the Box Challenge: Devel Walkthrough

Hack the Box Challenge: Granny Walkthrough

Hack the Box Challenge: Node Walkthrough

Hack the Box Challenge: Haircut Walkthrough


Hack the Box Challenge: Arctic Walkthrough

Hack the Box Challenge: Tenten Walkthrough

Hack the Box Challenge: Joker Walkthrough

Hack the Box Challenge: Popcorn Walkthrough

Hack the Box Challenge: Cronos Walkthrough

Hack the Box Challenge: Beep Walkthrough

Hack the Bob: 1.0.1 VM (CTF Challenge)

Hack the Box Challenge: Legacy Walkthrough

Hack the Box Challenge: Sense Walkthrough

Hack the Box Challenge: Solid State Walkthrough


Hack the Box Challenge: Apocalyst Walkthrough

Hack the Box Challenge: Mirai Walkthrough

Hack the Box Challenge: Grandpa Walkthrough

Hack the Box Challenge: Blue Walkthrough

Hack the Box Challenge: Lame Walkthrough

Hack the Box Challenge: Blocky Walkthrough

Hack the W1R3S.inc VM (CTF Challenge)

Hack the Vulnupload VM (CTF Challenge)

Hack the DerpNStink VM (CTF Challenge)

Hack the Game of Thrones VM (CTF Challenge)


Hack the C0m80 VM (Boot2root Challenge)

Hack the Bsides London VM 2017(Boot2Root)

Hack the USV: 2017 (CTF Challenge)

Hack the Cyberry: 1 VM( Boot2Root Challenge)

Hack the Basic Penetration VM (Boot2Root Challenge)

Hack The Ether: EvilScience VM (CTF Challenge)

Hack the Depth VM (CTF Challenge)

Hack the G0rmint VM (CTF Challenge)

Hack the Covfefe VM (CTF Challenge)

Hack the Born2Root VM (CTF Challenge)


Hack the dina VM (CTF Challenge)

Hack the H.A.S.T.E. VM Challenge

Hack the RickdiculouslyEasy VM (CTF Challenge)

Hack the BTRSys1 VM (Boot2Root Challenge)

Hack the BTRSys: v2.1 VM (Boot2Root Challenge)

Hack the Bulldog VM (Boot2Root Challenge)

Hack the Lazysysadmin VM (CTF Challenge)

Hack the Zico2 VM (CTF Challenge)

Hack the Primer VM (CTF Challenge)

Hack the thewall VM (CTF Challenge)


Hack the IMF VM (CTF Challenge)

Hack the 6days VM (CTF Challenge)

Hack the 64base VM (CTF Challenge)

Hack the EW Skuzzy VM (CTF Challenge)

Hack the Analougepond VM (CTF Challenge)

Hack the Moria: 1.1 (CTF Challenge)

Hack the DonkeyDocker (CTF Challenge)

Hack the d0not5top VM (CTF Challenge)

Hack the Super Mario (CTF Challenge)


Hack the Defense Space VM (CTF Challenge)

Hack the billu: b0x VM (Boot2root Challenge)

Hack the Orcus VM CTF Challenge

Hack the Nightmare VM (CTF Challenge)

Hack the Bot challenge: Dexter (Boot2Root Challenge)

Hack the Fartknocker VM (CTF Challenge)

Hack the Pluck VM (CTF Challenge)

Hack the Sedna VM (CTF Challenge)

Hack the Quaoar VM (CTF Challenge)

Hack the Gibson VM (CTF Challenge)

Hack the Pipe VM (CTF Challenge)

Hack the USV VM (CTF Challenge)


Hack the Pentester Lab: from SQL injection to Shell II (Blind SQL Injection)

Hack the Pentester Lab: from SQL injection to Shell VM

Hack the Padding Oracle Lab

Hack the Fortress VM (CTF Challenge)

Hack the Zorz VM (CTF Challenge)

Hack the Freshly VM (CTF Challenge)

Hack the Hackday Albania VM (CTF Challenge)

Hack the Necromancer VM (CTF Challenge)

Hack the Billy Madison VM (CTF Challenge)

Hack the Seattle VM (CTF Challenge)

Hack the SkyDog Con CTF 2016 – Catch Me If You Can VM


Hack Acid Reloaded VM (CTF Challenge)

Hack the Breach 2.1 VM (CTF Challenge)

Hack the Lord of the Root VM (CTF Challenge)

Hack the Acid VM (CTF Challenge)

Hack the SpyderSec VM (CTF Challenge)

Hack the VulnOS 2.0 VM (CTF Challenge)


Hack the VulnOS: 1 (CTF Challenge)

Hack the Fristileaks VM (CTF Challenge)

Hack the NullByte VM (CTF Challenge)

Hack the Minotaur VM (CTF Challenge)

Hack the TommyBoy VM (CTF Challenge)

Hack the Breach 1.0 VM (CTF Challenge)

Hack the SkyDog VM (CTF Challenge)

Hack the Milnet VM (CTF Challenge)

Hack the Kevgir VM (CTF Challenge)

Hack the Simple VM (CTF Challenge)

Hack the SickOS 1.2 VM (CTF Challenge)


Hack the SickOS 1.1 VM (CTF Challenge)

Hack the Sidney VM (CTF Challenge)

Hack the Stapler VM (CTF Challenge)

Hack the Droopy VM (CTF Challenge)

Hack the Mr. Robot VM (CTF Challenge)

Penetration Testing in PwnLab (CTF Challenge)

Hack the SecOS:1 (CTF Challenge)

Hack the Skytower (CTF Challenge)

Hack the Kioptrix 5 (CTF Challenge)

Hack The Kioptrix Level-1.3 (Boot2Root Challenge)


Hack the Kioptrix Level-1.2 (Boot2Root Challenge)

Hack The Kioptrix Level-1.1 (Boot2Root Challenge)

Hack The Kioptrix Level-1

Hack the 21LTR: Scene 1 VM (Boot to Root)

Hack the Tr0ll 2 (Boot2Root)

Hack the Troll-1 VM (Boot to Root)

Hack the Hackademic-RTB2 (Boot2Root)

Hack the Hackademic-RTB1 VM (Boot to Root)

Hack the De-ICE: S1.140 (Boot to Root)

Hack the De-Ice S1.130 (Boot2Root Challenge)

Hack the De-ICE: S1.120 VM (Boot to Root)


Hack the pWnOS: 2.0 (Boot 2 Root Challenge)

Hack the pWnOS-1.0 (Boot To Root)

Xerxes: 1 Vulnhub Walkthrough

Hack the Holynix: v1 (Boot 2 Root Challenge)

Hack the LAMPSecurity: CTF8 (CTF Challenge)

Hack the LAMPSecurity: CTF 7 (CTF Challenge)

Hack the LAMPSecurity: CTF 5 (CTF Challenge)

Hack the LAMPSecurity: CTF4 (CTF Challenge)

We would’ve been talking about an extraordinarily low number of breached records this month if it hadn’t been for a string of incidents in India, another Facebook gaffe and a massive blunder in China, in which a series of companies exposed almost 600 million citizens’ CVs.

Still, April 2019 saw a not completely disastrous 1,334,488,724 breached records. That’s better than last month, bringing the annual total to 5.64 billion and reducing the monthly average to 1.46 billion.

Here’s the list in full:

Cyber attacks

Ransomware

Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

Source: IT Governanace

Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.

Data Breaches by the Numbers

The increasing amount of large-scale, well-publicized breaches suggests that not only are the number of security breaches going up — they’re increasing in severity, as well.

  1. In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
  2. In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
  3. In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (LeakedSource)
  4. In 2017, 147.9 million consumers were affected by the Equifax Breach. (Equifax)
  5. According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
  6. Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
  7. 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Malware Tech Blog)
  8. Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
  9. In 2017, 5.4 billion attacks by the WannaCry virus were blocked. (Symantec)
  10. There are around 24,000 malicious mobile apps blocked every day. (Symantec)
  11. In 2017, the average number of breached records by country was 24,089. The nation with the most breaches annually was India with over 33k files; the US had 28.5k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. In 2018, Under Armor reported that its “My Fitness Pal” was hacked, affecting 150 million users. (Under Armor)
  13. Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches. (ID Theft Resource Center)

Cybersecurity Costs

Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.

  1. In 2017, cyber crime costs accelerated with organizations spending nearly 23 percent more than 2016 — on average about $11.7 million. (Accenture)
  2. The average cost of a malware attack on a company is $2.4 million. (Accenture)
  3. The average cost in time of a malware attack is 50 days. (Accenture)
  4. From 2016 to 2017 there was an 22.7 percentage increase in cybersecurity costs. (Accenture)
  5. The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)
  6. The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
  7. Ransomware damage costs exceed $5 billion in 2017, 15 times the cost in 2015. (CSO Online)
  8. The Equifax breach cost the company over $4 billion in total. (Time Magazine)
  9. The average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)
  10. In companies with over 50k compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  11. Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)

Cybersecurity Facts and Figures

It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.

  1. Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware attacks. (Symantec)
  2. Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
  3. Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)
  4. Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
  5. Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense. (Accenture)
  6. The financial services industry takes in the highest cost from cyber crime at an average of $18.3m per company surveyed. (Accenture)
  7. Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)
  8. About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)
  9. Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the US and 6 percent from the Russian Federation. (Symantec)
  10. The app categories with most cybersecurity issues are lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
  11. The information that apps most often leak are phone numbers (63 percent) and device location (37 percent). (Symantec)
  12. In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks. (Symantec)
  13. Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks with 303 known large-scale attacks. (Symantec)
  14. In 2017, overall malware variants were up by 88 percent. (Symantec)
  15. Among the top 10 malware detections were Heur.AdvML.C 23,335,068 27.5 2 Heur.AdvML.B 10,408,782 12.3 3 and JS.Downloader 2,645,965 3.1 (Symantec)
  16. By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)

Cybersecurity Risks

With new threats emerging every day, the risks of not securing files is more dangerous than ever, especially for companies.

  1. 21 percent of all files are not protected in any way. (Varonis)
  2. 41 percent of companies have over 1,000 sensitive files including credit card numbers and health records left unprotected. (Varonis)
  3. 70 percent of organizations say that they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  4. 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  5. Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)
  6. 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  7. 65 percent of companies have over 500 users who never are never prompted to change their passwords. (Varonis)
  8. Ransomware attacks are growing more than 350 percent annually. (Cisco)
  9. IoT attacks were up 600 percent in 2017. (Symantec)
  10. The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)
  11. 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)
  12. Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)
  13. Variants of mobile malware increased by 54 percent in 2017. (Symantec)
  14. Today, 1 in 13 web requests lead to malware (Up 3 percent from 2016). (Symantec)
  15. 2017 represented an 80 percent increase in new malware on Mac computers. (Symantec)
  16. In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
  17. 2017 brought a 29 percent Increase in industrial control system–related vulnerabilities. (Symantec)
  18. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
  19. The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)

There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making with company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.

Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.

Source: Varonis

What just happened?

Yesterday, it emerged that more than a billion unique email address and password combinations had been posted to a hacking forum for anyone to see in a mega-breach dubbed Collection #1.

The breach was revealed by security researcher Troy Hunt, who runs the service allowing users to see if they’ve been hacked called Have I been Pwned. He has now loaded the unique email addresses totalling 772,904,991 onto the site.

The data includes more than a billion unique email and password combinations – which hackers can use over a range of sites to compromise your services. They will do so by utilizing so-called credential stuffing attacks, seeing bots automatically testing millions of email and password combinations on a whole range of website login pages.

The data originally appeared briefly on cloud service MEGA and was later posted to a popular hacking forum. The Collection #1 folder is comprised of more than 12,000 files weighing in at 87 gigabytes.

Most concerningly, the protective hashing of the stolen passwords had been cracked. This means they are easy to use because they are available in plain text rather than being cryptographically hashed as they often are when sites are breached.

Should I be worried?

In a word: Yes. It’s a massive concern, not least because scale of this breach is huge: Yahoo’s breaches saw 1 billion and 3 billion users affected but the stolen data hasn’t actually resurfaced yet.

And unlike other huge hacks such as Yahoo and Equifax, this breach cannot be tied down to one site. Instead it appears to comprise multiple breaches across a number of services including 2,000 databases.

Hunt says there are many legitimate breaches in the directory listing, but he cannot yet verify this further. “This number makes it the single largest breach ever to be loaded into HIBP,” he adds in a blog.

What’s more, his own personal data is in there “and it’s accurate”, he says. “Right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.”

Finding out if you’re affected

If you are one of the 2.2 million people that already use the Have I Been Pwned site, you should have received a notification: Nearly half of the site’s users – or 768,000 – are caught up in this breach.

If you aren’t already a member, you need to visit Have I Been Pwned now. Once on the site, you simply need to type in your email address and search, then scroll down to the bottom of the page. The site will let you know if your email address is affected by this breach – and while you are there, you can see if your details were stolen in any others too.

To find out if your password has been compromised, you separately need to check Pwned Passwords– a feature built into the site recently. This feature also helps you to use strong passwords: if yours is on there, it’s safe to assume others are using it and your accounts could be easily breached.

What if my details are there?

Hunt says in his blog: “Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about.”

If you have a bunch of passwords, checking all of them could be time-consuming. In this case, Hunt suggests 1Password’s Watchtower feature which can take all your stored passwords and check them against Pwned Passwords in one go.

Most importantly, if your password is on the list, do not ignore it as it can be used in credential stuffing attacks mentioned earlier. Hunt says: “People take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.”

More generally, as the number of breaches and their sheer scale increases, it’s time to clean up your password practices. In addition to using two-factor authentication, passwords should be complex – such as a phrase from a favourite book or a line from a song. At the same time, security experts don’t rule out analogue books containing your password – as long as these are not stored on your device or with it.

If you take these measures into account you should be able to avoid using the same password across multiple sites. Ideally, start using a password manager to ensure you can remember these.

Source: Forbes