There were more software vulnerabilities discovered in 2014 than ever before, and a record number of security breaches impacting 2 in 5 companies including Home Depot, eBay, and Apple. Get a recap of the biggest breaches of the year.
3. Now there’s a thriving black market in software vulnerabilities driven by:
NATION STATES
TERROR GROUPS
ORGANIZED CRIME
4. SECURITY VULNERABILITIES HIT AN ALL-TIME HIGH IN 2014
[Chart: Security Vulnerabilities By Year, 2010 to 2014 (includes code execution, gain information, XSS, SQL Injection, etc.); vertical axis 4,000 to 8,000]
Source: National Institute of Standards & Technology (NIST) Vulnerability Database
5. 24% of vulnerabilities discovered in 2014 were defined as HIGH SEVERITY
Source: National Institute of Standards & Technology (NIST) Vulnerability Database
7. Heartbleed (CVE-2014-0160)
Heartbleed makes the SSL layer used by millions of websites and thousands of cloud providers vulnerable.
VITAL STATS
DISCOVERED: April 2014
SEVERITY LEVEL: Medium
ATTACK VECTOR: OpenSSL
8. Heartbleed (CVE-2014-0160) DEFENSE CHECKLIST
Check which services are vulnerable
Change your passwords
Use an encryption gateway
368: Number of cloud providers still vulnerable 24 hours after Heartbleed was reported
9. Shellshock (CVE-2014-6271)
Shellshock exposes a vulnerability in Bash, the widely used shell for Unix-based operating systems such as Linux and OS X.
VITAL STATS
DISCOVERED: September 2014
SEVERITY LEVEL: High
ATTACK VECTOR: Bourne Again Shell (Bash)
10. Shellshock (CVE-2014-6271) DEFENSE CHECKLIST
90%: Percentage of top IaaS providers vulnerable to Bash
Check for Bash vulnerabilities
Update to the latest version of Bash
Deploy a web application firewall
11. Sandworm (CVE-2014-4114)
Sandworm impacts all supported versions of Windows, allowing attackers to embed OLE files from external sources and download malware on target computers.
VITAL STATS
DISCOVERED: October 2014
SEVERITY LEVEL: High
ATTACK VECTOR: Microsoft Windows
12. Sandworm (CVE-2014-4114) DEFENSE CHECKLIST
70%: Percentage of computers running a vulnerable version of Windows
Source: Net Application “Desktop Operating System Market Share”
Apply the official patch from Microsoft
Update antivirus definitions
Don’t open suspicious email attachments
13. POODLE (CVE-2014-3566)
POODLE lets attackers decrypt SSLv3 connections and hijack the cookie session that identifies you to a service, allowing them to control your account without needing your password.
VITAL STATS
DISCOVERED: September 2014
SEVERITY LEVEL: Medium
ATTACK VECTOR: SSLv3
14. POODLE (CVE-2014-3566) DEFENSE CHECKLIST
61%: Percentage of cloud services still vulnerable 24 hours after POODLE was reported
Disable SSLv3 on all services
Rely on TLS version 1.0 or greater
Likewise for browsers and forward proxies
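The first two POODLE checklist items (disable SSLv3, keep TLS 1.0 or later) can be audited against web-server configuration before a service goes live. The following is an added example and not part of the original infographic: it reads nginx `ssl_protocols` and Apache `SSLProtocol` directives from constructed config snippets and flags any line that still leaves SSLv3 enabled; the protocol set that Apache's `all` keyword expands to is an assumption for this example.

```python
"""Flag TLS protocol directives that still allow SSLv3 (POODLE mitigation check)."""

# Assumption for this example: protocols Apache's "all" keyword expands to.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def apache_protocols(args):
    """Resolve Apache SSLProtocol arguments such as ['all', '-SSLv3'] to a set.

    Apache semantics: bare or '+name' adds a protocol, '-name' removes it,
    and 'all' stands for the whole supported set, applied left to right.
    """
    enabled = set()
    for tok in args:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def enabled_protocols(config_text):
    """Map line number -> effective protocol set for each directive found."""
    findings = {}
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip().rstrip(";")  # drop comments / nginx ';'
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ssl_protocols":          # nginx: plain allow-list
            findings[no] = set(parts[1:])
        elif parts[0] == "SSLProtocol":          # Apache: +/- syntax with 'all'
            findings[no] = apache_protocols(parts[1:])
    return findings


def sslv3_findings(config_text):
    """Line numbers whose effective protocol set still permits SSLv3."""
    return sorted(no for no, protos in enabled_protocols(config_text).items()
                  if "SSLv3" in protos)


# Constructed samples: the weak setting beside the corrected one.
WEAK_NGINX = "server {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
FIXED_NGINX = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 removed\n}\n"
WEAK_APACHE = "SSLProtocol all -SSLv2\n"    # 'all' still includes SSLv3
FIXED_APACHE = "SSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("fixed nginx", FIXED_NGINX),
                       ("weak apache", WEAK_APACHE), ("fixed apache", FIXED_APACHE)]:
        print(f"{label}: SSLv3 enabled on lines {sslv3_findings(cfg)}")
```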
15. The sheer number of vulnerabilities can make it difficult for companies to protect against breaches
16. More than 2 in 5 companies experienced a breach of confidential data in 2014
2013: 33%
2014: 43%
Source: Ponemon Institute “Is Your Company Ready for A Big Data Breach?”
17. TOP 5 DATA BREACHES OF 2014
Michael’s: 3 MILLION
eBay: 145 MILLION
Home Depot: 56 MILLION
Sony: 47,000
Apple iCloud: 100
18. MICHAEL’S (January 2014)
WHAT WAS STOLEN: 3 Million Customer Credit & Debit Card Numbers
ROOT CAUSE: Malware
19. EBAY (May 2014)
WHAT WAS STOLEN: 145 Million Users’ Login Credentials & Personal Information (Name, Address, Date of Birth)
ROOT CAUSE: Cyber Attack
20. APPLE ICLOUD (August 2014)
WHAT WAS STOLEN: 100+ Nude Photos Of Celebrities
ROOT CAUSE: Social Engineering
21. HOME DEPOT (September 2014)
WHAT WAS STOLEN: 56 Million Payment Cards & 53 Million Email Addresses
ROOT CAUSE: BlackPOS Malware
22. SONY PICTURES ENTERTAINMENT (November 2014)
WHAT WAS STOLEN: 47,000 Social Security Numbers of Employees and Celebrities, Scripts, Unreleased Movies
ROOT CAUSE: Malware
23. Tip: To learn what cloud apps are in use at your company, get a complimentary cloud audit
REQUEST COMPLIMENTARY CLOUD AUDIT: http://bit.ly/ComplimentaryCloudAudit
“With Skyhigh we discovered a wide range of services, allowing us to understand their associated risks and put in place policies to protect corporate data.”
Steve Martino, VP Information Security