By David Bannister

A 400 per cent increase in malware for mobile devices masks a security scene where many of the threats are much as they have been for several years – but where the volume of attacks means that firms should think in terms of when their defences will be penetrated, rather than if they will be.

They should also be more proactive in looking for breaches that may already have occurred: according to the latest Trustwave Global Security Report the average time from initial breach to detection was 210 days, more than 35 days longer than in 2011. Most victim organisations (64 per cent) took over 90 days to detect the intrusion, while five per cent took three or more years to identify the criminal activity.

“It is very difficult to detect a breach, and most victim organisations are not very good at self-detection,” said John Yeo, director of Trustwave’s SpiderLabs in the EMEA region.

For the same reason, the fact that the 400 per cent increase in malware smartphone applications is largely directed at the phone owner doesn’t mean that it hasn’t already happened. “It is a bit of a paradox,” said Yeo. “It is mostly targeted at the individual, for instance by setting up SMS reverse billing so that the user racks up a huge bill. We haven’t yet seen mobile malware penetrating the enterprise, but that is not to say it hasn’t happened, and we expect that we will see it sooner or later. Bring-your-own-device polices are becoming an issue, adding more potential entry points, so undoubtedly mobile will be an attack vector in the future.”

The vast majority of the mobile malware detected in 2012 was directed at Android-based devices, but Yeo cautioned users of Apple’s iOS devices not to be complacent. Most mobile app developers do not think in terms of security, and many of the Top 20 apps in Apple’s AppStore contain control weaknesses that could be exploited by malicious code.

Mobile developers are not alone in failing to have basic security considerations in mind: “There is a tendency for security managers to focus on the front door,” and not look at other points of entry, said Yeo. Web-based applications, for instance, greatly increase the number of points of weakness.

End users are notoriously poor – the most common end-user password is still “Password1” – but the user credentials compromised in most of Trustwave’s investigations were administrator credentials, usually as a result of leaving default settings in place and failing to update to the latest versions of operating systems and applications.

The proliferation of networked systems means that attackers are increasingly adopting the tactic of using a compromised device as a “beachhead” from which they can mount reconnaissance attacks on connected systems – starting with the assumption that the connected system is on the same release version of the operating system and using the same defaults often pays off.

Where the money is

Not surprisingly, the primary data type targeted by attackers in 2012, as in 2011, was cardholder data that can be fed into the well-established underground market for stolen payment card data; it is bought and sold quickly for use in fraudulent transactions.

Because of their reliance on card payments, the retail (45 per cent), food & beverage (24 per cent) and hospitality (nine per cent) sectors are the main victims of cybercriminals. This is not helped by a perception that they are not targets and they do not have a strong security focus, unlike banks and financial services firms who are naturally more security conscious.

In the financial services sector, there was a small increase in attacks, with attackers “continuing to look at central aggregation points like payment processors and merchant banks as viable targets”. The Payment Card Industry Data Security Standard has made comprehensive security controls more commonplace in larger organisations, so they are more difficult to compromise. “This by no means indicates that attackers have given up on these high-dollar targets, simply that they are better defended, presenting a bigger challenge to would-be intruders,” says the report.

Law enforcement agencies continue to struggle with the fact that cross-border prosecutions are difficult. Specific countries continue to appear on the list of sources of attack. In 2012 Rumania topped the list, with 33.4 per cent of attacks originating there, ahead of the 29 per cent that originated in the US.

SpiderLabs is a “white hat” or “ethical hacking” group set up by Trustwave, which has a background in payments systems. As well as services such as penetration testing to identify that can be exploited by hackers, it also has an incident response and forensics team that has investigated the largest and most high profile breaches in history.

“All of the data in the report comes from our real-world experience of actual attacks and breaches – this is not data from a survey of security manager’s perceptions, it is what is actually happening out there,” said Yeo.