By Peter Silva
September 10, 2013 11:43 AM EDT
A couple of weeks ago McAfee Labs released the McAfee Threats Report: Second Quarter 2013, which found that Android-based malware marked a 35% growth rate not seen since early 2012. They also found twice as many new ransomware offerings in Q2 as in Q1, bringing the 2013 ransomware count higher than the total found in all previous periods combined. Everything was in play: SMS-stealing bank malware, infected legitimate apps, malicious apps in sheep’s clothing, along with fake dating and entertainment apps. These are the areas where we spend a good portion of our mobile time.
In addition to mobile threats, Q2 also saw a 16% uptick in suspicious URLs and a 50% increase in digitally signed malware samples. Attackers are showing that they can adapt to the criminal opportunities and continue to infiltrate the ever-changing infrastructure. Ransomware, a very popular and profitable scheme in which pop-ups or other messages threaten the user unless they pay a ransom, doubled from Q1 to Q2. Hey, if it works, might as well. Malware signed with legitimate certificates increased 50% to 1.2 million samples. You think you’re getting safe code because the certificate authenticates it, but that cozy blanket gets cold quick. Malware also continues to find life with infected URLs, according to McAfee. The total number of suspect URLs found reached 74.7 million, a 16% increase over Q1. The Indexed Web is at least 3.82 billion pages, so that is around 2% of the web, but still. I might suggest ‘watch what you type, don’t click suspicious links, avoid porn sites’ and other rather obvious actions, but these days malware could be delivered through an ad loading on a popular news site. Almost no one is immune. Spam continues to hog email servers, accounting for almost 70% of all global email volume. That’s nuts. Think about it: all the legitimate email we send over a month accounts for only 30% of all email?!? What a waste of resources. Other highlights included cyber espionage campaigns and attacks on digital currency.
These threats come at a time where there seems to be a disconnect between executives and their technical teams.
The Ponemon Institute’s most recent research shows that when it comes to locking down enterprise infrastructure, the application layer is responsible for more than 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer. According to Ponemon, ‘Most Organizations are Woefully Behind in Application Security.’ For its ‘Current State of Application Security Report’, they asked 642 IT professionals (both executive and engineering) 20 questions concerning tool usage, development team knowledge and security best practices, to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations. They found that a much higher percentage of executive-level respondents believe their organizations are following security procedures throughout the lifecycle of application development than do the engineers who are closest to executing the security processes. For instance, 71% of executives interviewed believe that application security training is available and up to date, but only 20% of technical staff felt the same. Around 67% of execs feel they have a mature application security program, compared to 33% of technical staff, and 75% of executives believe that a secure architecture exists in their organization, versus 23% of technical staff. Someone is either not communicating, or many organizations do not yet consider the need to proactively do something about application security, or even attempt to understand application security risks.
What is troublesome is that even with all the media attention and the aforementioned malware stats, most organizations are neither building nor testing their applications for security. According to the Ponemon report, only 43% of respondents say they have a process in place to test for vulnerabilities prior to release, and only 41% are using automated scanning tools to test applications during development. And just to pile on, only 42% push their applications to manual penetration testing by internal teams or a third party.
So, threats are increasing (I feel like I say this multiple times a year) and it seems that organizations’ response to them is decreasing…or at least they are not taking them seriously enough. In many ways, it is kinda like the real world. We think, feel, believe that we’re safe until something happens…then we take all the precautions. Many organizations need to do that yesterday.
- McAfee Labs Q2 Report Finds Mobile Threats Rebound
- The Ponemon Institute: Most Organizations are Woefully Behind in Application Security
- Web Applications Attacked 26 Times Per Minute
- Cyber Weapons: The New Arms Race
- The Problem with ‘Quitting’ the Internet
- Nostalgia for yesterday’s technology
- The Exec-Disconnect on IT Security