Making malware pays – Trustwave Global Security Report 2015

Crime pays, and writing malware pays off big, Trustwave found in its new report calculating the return on investment (ROI) on cybercrime.

The average return for a corporate malware attack—creating and distributing the malware—was a stunning 1,425 percent, Trustwave found. That’s over $70,000 in revenue for every $5,000 invested. In comparison, a standard savings account will net you just over 1 percent—even the S&P 500 has only gained an average of 8.5 percent annually since 1985.

The Trustwave report chronicled “the dark and seedy criminal underground” and is an essential read for anyone concerned with internet security. It mixes the shocking—the 1,425 percent ROI figure—with the depressingly predictable—Password1234, anyone? Here are a few of the important findings and takeaways from the report:

12345 Is a Poor Password

According to Trustwave, the most popular password in use last year was Password1. While the problems with passwords like abcd1234 and Password1 are obvious, the report also emphasized the importance of avoiding 8-character passwords, no matter how complex.

To combat password vulnerability, Trustwave recommended enabling two-factor authentication, which combines “something you know” (a password) with “something you possess” (e.g. a phone) to increase security. Where this technique is unavailable, complex, random passwords of 10 characters or more will provide the best buffer against a break-in.
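The following is an added example, not code from Trustwave or the report: it puts numbers on the "10 characters or more, complex and random" advice above by generating passwords from a CSPRNG and computing how much entropy a given length and character set actually buys. The 94-symbol alphabet, the minimum length of 10 and the small blocklist of strings named in this article are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Trivially guessable strings mentioned in the article (constructed blocklist, not the report's list).
BLOCKLIST = {"password1", "abcd1234", "12345", "password1234"}


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Going from 8 to 10 characters over a 94-symbol alphabet adds roughly 13 bits,
    i.e. about 8,800 times more guesses for an attacker who must brute-force it.
    """
    if length < 0 or alphabet_size < 2:
        raise ValueError("length must be non-negative and alphabet_size at least 2")
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Average number of guesses to hit a uniformly random password (half the keyspace)."""
    return (alphabet_size ** length) / 2


def generate_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Generate a random password using the OS CSPRNG behind the secrets module.

    random.choice() is NOT suitable here: it is a predictable Mersenne Twister PRNG.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str, min_length: int = 10) -> bool:
    """Minimal policy check in the spirit of the report's advice.

    Rejects anything shorter than min_length (10 by default) and anything in the
    blocklist, compared case-insensitively so that 'Password1' and 'PASSWORD1' both fail.
    """
    if len(password) < min_length:
        return False
    if password.lower() in BLOCKLIST:
        return False
    return True


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"{n} chars over {len(ALPHABET)} symbols: "
              f"{entropy_bits(n):.1f} bits, ~{expected_guesses(n):.2e} guesses on average")
    pw = generate_password(12)
    print("generated:", pw, "policy ok:", meets_policy(pw))
```

The entropy figure is only meaningful for passwords that really are uniformly random; a human-chosen 12-character string drawn from dictionary words and a trailing digit has far fewer effective bits, which is why the report pairs the length advice with "random", and why a blocklist of known-bad values remains useful even when a length rule is in place.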

Weak Application Security

Though human error was rampant, Trustwave had no trouble finding flaws in enterprise software. Incredibly, the median number of vulnerabilities in tested applications actually increased by over 40 percent year-on-year, and a full 98 percent of applications tested had at least one vulnerability. The maximum number found in a single application? Seven hundred and forty seven.

The key takeaway? Keep your business’s software up to date: promptly installing the latest patches minimizes the window in which a known vulnerability can be exploited.

DIY Breach Detection

Trustwave also emphasized the importance of self-detection of data breaches. If the organization uncovered its own breach, the time between intrusion and containment was just over a fortnight, on average. When a third party detected the break-in, however, the time elapsed was a full 154 days. Granted, this makes intuitive sense, but the findings highlight the risk of over-relying on external security managers.

You need to make sure you have processes and systems in place to continually assess and monitor your environment, to find the issues sooner.

All Spammed Out

Though often bleak, the Trustwave report had some good news. In 2008, spam made up over 90 percent of all inbound mail, but in 2013 that same figure had fallen to just 69 percent. The trend continued into 2014, as spam’s total fell again, to just 60 percent. Unfortunately, this drop likely has less to do with spammers giving up and turning to legitimate activity, and more to do with the decline in the relative profitability of spam compared to other criminal activities.

The Trustwave report is brimming with further insights and recommendations. At 110 pages, it covers everything from e-commerce transaction data to web-server breaches, and breaks down information into simple infographics. Yet for all this data, the report’s most critical single piece of advice is as simple and essential as ever: fix those passwords.

Via PC Mag