The Cyber Crime study recently released by Symantec captures the status of Internet risks in 2014. Titled Internet Security Report (ISTR 20), the report with its annexures provides an in-depth insight into the threats and vulnerabilities that most of us face on a day-to-day basis.
The first thing that any observer of the Internet should note is that, according to the study, more than 317 million new pieces of malware were created in 2014, meaning that there were nearly 1 million each day (leaving Sundays).
What is equally alarming is that, according to the study, Symantec's database of vulnerabilities consists of 66400 recorded vulnerabilities from 21300 vendors representing over 62300 products.
With such a huge number of vulnerabilities in genuine software and the vast number of threats, the Cyber Risk poses an enormous challenge to everybody.
The report in fact notes that the year 2014 was notable because of high-profile vulnerabilities such as “Heartbleed”, “ShellShock” and “Poodle”.
Another interesting observation in the study is that, apart from focussing on the exploitation of Zero day vulnerabilities, attackers moved much faster to exploit published vulnerabilities than defenders moved to release patches.
During the year, 24 Zero day vulnerabilities were discovered. Vendors took 204 days, 22 days and 53 days to release patches for the three top Zero day vulnerabilities. The top 5 Zero day vulnerabilities were used actively by attackers for a combined 295 days before patches were available. In 2013 this period was on average only 4 days, highlighting the increasing risk that the community faced during the year due to the inefficiency of the software industry.
These findings indicate that there is a lot of ground that the industry has lost to the Cyber Crime industry and this needs to be recovered.
We need to analyse the report in greater depth to understand how the growth of Mobile apps on the one hand and Cyber terrorism on the other has contributed to the growing insecurity in the Cyber world.
The findings of this report will inevitably have an impact on the Cyber Insurance industry, which needs to take a re-look at its policies, premia etc.
(More details of the report will be discussed in forthcoming articles.)