There is never a shortage of bad news when it comes to cybersecurity, with a seemingly endless stream of vulnerabilities and exploits. The 2019 Trustwave Global Security Report, released on April 25, has its’ fair share of bad news as multiple types of attacks have grown and attackers have continued to increase levels of sophistication. The 76-page report also however provides insight into some positive trends about how organizations are actually doing the right things to improve cybersecurity. For example, Trustwave found that threat response time improved, with the time from intrusion to detection falling from 67 days in 2017 to 27 days in 2018.
Data Point No. 1: Cryptojacking is not dead.
Un-authorized cryptocurrency mining, commonly referred to as cryptojacking grew exponentially in 2018. In 2017, Trustwave reported that only 0.2 percent of malware was coin mining related, which grew to 3.0 percent in 2018.
“The most surprising story for me was the massive increase of coin-mining malware in 2018 compared to 2017,” Karl Sigler, Threat Intelligence Manager at Trustwave SpiderLabs , told eWEEK. “While the rising trend of cryptojacking web scripts was expected, after the crash of the Bitcoin market toward the end of 2018, I was surprised to see that attackers were still interested in placing coin-mining malware on compromised systems.”
Data Point No. 2: All web applications are vulnerable.
Among the most startling findings in the report is that 100% of web applications tested by Trustwave had at least one vulnerability.
- The median number of vulnerabilities in web applications tested by Trustwave grew to 15, up from 11 in 2017.
- 80% of the vulnerabilities discovered by Trustwave penetration testers were classified as low risk, with the remaining 20% rated medium to critical.
Data Point No. 3: Social engineering is the top method of compromise.
While vulnerabilities are a risk, the top method by which attackers got into various organizations was by way of tricking users in some way, in an attack commonly referred to as social engineering.
