2014 has been dubbed the Year of the Data Breach, and it turns out that it has quantifiably earned the title. At least 1 billion records of personally identifiable information (PII) were leaked over the course of the year.
The IBM X-Force Threat Intelligence Quarterly report shows that the total number of records breached in 2014 was nearly 20% higher than in 2013 (when 800 million records were leaked). And at 74.5%, the share of incidents occurring in the United States is far higher than in any other country.
“If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of internet security, you wouldn’t be the only one,” said Leslie Hornacek, an IBM X-Force threat response manager, in a blog post. “We witnessed…attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.”
She added, “While each breached record doesn’t necessarily denote an individual user, it is still likely that a significant percentage of the Internet-connected population experienced some form of loss as a result of security incidents in 2014.”
The main culprit is a rise in unpatched vulnerabilities: IBM cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors in the fourth quarter alone, which represents a 9.8% increase over 2013 and is the highest single-year total in the 18-year history of X-Force reporting.
Critical vulnerabilities disclosed across several foundational systems (operating systems, open-source libraries and content management software) resulted in many exploited websites. And the underlying libraries that handle cryptographic functionality on nearly every common Web platform—including Microsoft Windows, Mac OS X and Linux—were vulnerable to fairly trivial remote exploitation capable of stealing critical data.
The report also shows the rise of ‘designer’ vulnerabilities, ones that are increasingly lethal and highly recognizable. These vulnerabilities revealed easily exploitable cracks in the foundational systems and underlying libraries that support nearly every common web platform and content management system.
“These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK,” said Hornacek. “We began to discuss vulnerability disclosures with the ease of a branded name and logo rather than boring old CVE identifiers like CVE-2014-1060.”
Meanwhile, it’s worth noting that a single US-CERT disclosure of a class of vulnerabilities affecting thousands of Android applications that improperly validate SSL certificates accounts for nearly 15% of the year’s total, pushing the final count to a new historical peak.
“The [Tapioca] effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks,” said Hornacek. “In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.”
IBM also pointed out that there appears to be an increasing security apathy among developers, who have been slow to patch applications despite warnings and increasing awareness of vulnerabilities. In fact, 10 of the 17 (59%) banking applications using Apache Cordova that were initially tracked in October 2014 were still vulnerable in January of this year, IBM said.