The new edition of IBM X-Force Threat Intelligence Quarterly – a quarterly report from the IBM® X-Force® research and development team on the latest security trends – has just been released. The report reviews 2014’s major incidents and looks ahead to what 2015 has in store.
“Insane” number of data records breached
The number of leaked data records continues to grow at an alarming rate (IBM describes 2013’s figures as epic and unprecedented, and 2014’s as insane), and, unsurprisingly, the first quarter of 2015 followed the pattern set last year.
Poor password practices continue to give attackers an easy way into otherwise well-protected systems, and “old” malware continues to be adapted and refined to attack new targets. So-called “designer vulns” – critical vulnerabilities so widespread, and with such broad attack vectors, that they are branded with names and logos (Heartbleed, Shellshock and POODLE in 2014; GHOST and FREAK so far in 2015) – continue to cause “cracks in the foundation” of the many websites that share “the same operating systems, open-source libraries and content management system (CMS) software.”
ISO 27001 and penetration testing
As the IBM X-Force report acknowledges, “2014 was… unique in that the underlying libraries that handle cryptographic functionality on nearly every common web platform – including Microsoft Windows, Mac OS X and Linux – were found to be vulnerable to fairly trivial remote exploitations capable of stealing critical data.”
Small and medium-sized organisations are particularly exposed to such threats: they rely on the same widely shared platforms and libraries as everyone else, but often lack the dedicated staff to track and patch them promptly. An information security management system (ISMS) that addresses people, processes and technology, as set out in the international standard ISO 27001, gives organisations of any size a framework for building an information security culture that protects the whole enterprise rather than individual systems.
One important component of an ISMS is regular penetration testing to identify vulnerabilities in networks and applications. A penetration test simulates a malicious attack on your organisation’s information security arrangements, whether by an outsider or by your own staff. If you are concerned about the threats you face, a penetration test will show you where your weaknesses lie within the agreed scope and at the time of testing, so that you can take remedial action before a real attacker finds them; because new vulnerabilities such as those named above appear throughout the year, the testing needs to be repeated, not performed once.