IBM’s X-Force Research and Development team just released its IBM X-Force Threat Intelligence Quarterly, which found at least 1 billion records of personally identifiable information (PII) were leaked in 2014. The 2015 report, which highlights findings from the last quarter of 2014, cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors, which represents a 9.8% increase over 2013 and is the highest single year total in the 18-year history of X-Force reporting.
Additional key findings include:
· The total number of records breached in 2014 was nearly 20% higher than in 2013 (when 800 million records were leaked).
· At 74.5%, the number of incidents in the United States is far higher than in other countries.
· A majority, 40.2%, of the most common attack types were undisclosed, with malware and DDoS tying for second at 17.2% each.
· The US-CERT disclosure of a class of vulnerabilities affecting thousands of Android applications that improperly validate SSL certificates provides nearly 15% of the total for the year, inching the final count to a new historical peak.
Researchers attribute these growth numbers largely in part to increasing security apathy amongst developers, who have been slow to patch applications despite warnings and increasing awareness of vulnerabilities. In fact, 10 of the 17 (59%) of banking applications using Apache Cordova initially tracked in October 2014 were still vulnerable in January of this year.
The report also shows the rise of ‘designer’ vulnerabilities, ones that are increasingly lethal, highly recognizable and tagged with catchy names and logos (think: Heartbleed and Shellshock) that would forever identify the disclosure. These vulnerabilities revealed easily exploitable cracks in the foundational systems and underlying libraries that support nearly every common web platform and content management system.
IBM X-Force will also launch the IBM X-Force Interactive Security Incident website to help users gain in-depth understanding of security breaches publicly disclosed over time. The website can be found at: http://ibm.co/1GARvPe.