By the numbers 2015: The year in security research

Security researchers were almost as busy as cybercriminals in 2015. Here are some of the noteworthy numbers of the past year.

Security in 2015
Credit: CSO
The year in security research

Security researchers were busy in 2015 — almost as busy as the criminals whose work they studied.

Among the notable numbers this year: Low tech 'visual hacking' proves to be successful nine times out of ten, most websites had at least one serious vulnerability for 150 or more days, click fraud costs businesses $6.3 billion a year in wasted ad money, and oh so much more!

Also on CSO:
- Data breaches will affect 1/4 of the world's population by 2020, IDC predicts
- Infosec jobs: 5 Ways to score an ace recruiter
- Top security stories of 2015

Java is the biggest security risk to US desktops
Credit: CSO
Desktop risk

Oracle's Java poses the single biggest security risk to US desktops, according to a report from Copenhagen-based security vendor Secunia ApS, because of its penetration rate, number of vulnerabilities, and patch status.

According to the report, 48 percent of users aren't running the latest, patched versions.

"This is not because Java is more difficult to patch, but the program has a high market share and a lot of the users neglect to patch the program, even though a patch is available," said Kasper Lingaard, the company's director of research and security.

There were 119 new vulnerabilities identified in Java over the past year and the software is installed on 65 percent of computers, according to the report.

Read more: Java is the biggest vulnerability for US computers

Researchers found sensitive corporate information just by looking around
Credit: CSO
Visual hacking

Researchers were able to get sensitive corporate information just by looking around corporate offices in 88 percent of attempts, according to a Ponemon Institute study.

Ponemon sent researchers to 43 offices belonging to seven large corporations who had previously agreed to participate in benchmarking research. The researchers had valid identification as temporary employees, and management knew they were coming -- though the office staff did not.

The researchers spent up to two hours in each office, wandering around, taking pictures of computer screens, and picking up documents marked "confidential" and putting them in their bags -- all deliberately within full view of the regular employees.

In the vast majority of the cases, the regular office staff did not ask any questions or confront the researcher in any way.

Read more: Low tech 'visual hacking' successful nine times out of ten

Average enterprise has 2,400 unsafe mobile apps
Credit: CSO
Unsafe apps

The average large global enterprise has about 2,400 unsafe apps on the mobile devices in its environment, according to a study from mobile security vendor Veracode.

The firm analyzed more than 400,000 of the most popular applications available in Apple and Google app stores and found that 14,000 of the, or about 3 percent, have security problems, including exposing sensitive data such as location, contacts, and text messages.

Read more: 2,400 unsafe apps on user phones in large firms

Average total compensation for CSOs rose 6.7%
Credit: CSO
CSO salary

According to Computerworld's annual IT Salary Survey for 2015, CSOs saw the highest average total compensation increase, with compensation rising 6.7% from 2014 to 2015. Information security managers saw the second highest increase at +5.3%.

Read more: Hottest jobs, industries and cities for IT pay in 2015

Most websites had at least one serious vulnerability for 150 or more days
Credit: CSO
Website vulnerabilities

In an analysis of more than 30,000 websites by WhiteHat Security, most had at least one serious vulnerability for 150 or more days last year.

Retail sites ranked second in the number of vulnerabilities, with 55 percent of the websites having at least one serious vulnerability every single day of the year.

The worst performers? Public administration websites, where 64 percent were vulnerable every day.

Read more: Majority of websites have serious, unfixed vulnerabilities

210,000 active click fraud malware infections per day
Credit: CSO
Clickfraud malware

Malware that secretly clicks on ads in order to defraud advertisers might seem generally harmless to infected machines, but can serve as a gateway to more serious infections, according to a report by security vendor Damballa.

Clickfraud malware has been showing up a lot this year, said Damballa CTO Stephen Newman, with about 32 million active infections spotted in the company's customer base during the first half of this year, or about 210,000 per day.

According to the Association of National Advertisers, it costs US businesses about $6.3 billion a year in wasted ad money.

Read more: Report: Clickfraud malware a gateway to other threats

76& more concerned about information security risks
Credit: CSO
2015 State of Cybercrime

After years of effort and attention to information security, most organizations’ ability to respond to cyberattacks has stalled. That fact is just one of the notable takeaways from CSO's 2015 US State of Cybercrime Survey of more than 500 respondents including US business executives, law enforcement services, and government agencies.

According to this year’s survey, the number of respondents who reported being more concerned about information security risks spiked to 76%, up from 59% in the same survey one year ago.

Read more: 2015 State of Cybercrime: Enterprise fight is stuck in stall

Healthcare systems compromised by cyber-attacks
Credit: CSO
Healthcare IT

For its Healthcare Cybersecurity Survey, KPMG polled 223 U.S.-based healthcare IT executives, all with revenues of at least $500 million. Four-fifths of those surveyed said that their information technology has been compromised by cyber-attacks. The executives said that external attackers (65%) and sharing data with third-parties (48%) are their top vulnerabilities. The top threats are malware (67%) and HIPAA violations (57%).

Read more: More than 80% of healthcare IT leaders say their systems have been compromised

Certificate outages cost $15 million
Credit: CSO
Expired certificates

The average global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage -- and faces another $25 million in potential compliance impact.

These estimates, based on a Ponemon survey of about 2,400 global respondents, include remediation costs, loss of productivity, lost revenues, and brand image damage.

Read more: Expired certificates cost businesses $15 million per outage

Less than 24 hours to patch
Credit: CSO
Time to patch

On Thursday, October 22, 2015 the developers of Joomla released version 3.4.5 of the popular content management system in order to fix a SQL injection vulnerability that allowed attackers to gain administrative privileges by hijacking an active administrator session.

Less than four hours after the update's release and the publishing of a technical overview by security researchers at Trustwave, attackers were already exploiting the flaw. Within 24 hours there were already Internet-wide scans probing for the flaw and the number of attacks continued to increase over the weekend.

Based on this incident, the administrator of an average website has a time window of less than 24 hours to patch following a serious vulnerability disclosure. If the website is a highly popular one, the reaction time should be within a few hours.

Read more: Webmasters have only hours to deploy patches, Joomla incident shows

CSFA certification earned its holders 16% pay premium
Credit: CSO
Certifications that pay

According to Foote Partners' "IT Skills and Certifications Pay Index," the CyberSecurity Forensic Analyst (CSFA) certification earned its holders a 16% median pay premium in 2015. In addition, the certification saw a 23% increase in market value in the past 12 months.

"What's sustaining that is so many companies are thinking cybersecurity. They never have before but they are now. They've always had IT security but now they are thinking they can be hacked for any reason," said David Foote, co-founder, chief analyst and research officer with Foote Partners.

Read more: IT certifications that paid off the most in 2015

Murder for hire sites make up 1% of North American underground
Credit: CSO
Cyber criminal underground

In the early 2000s, the FBI and other law enforcement agencies pretty much dismantled the U.S. cyber criminal underground, said Tom Kellermann, chief cybersecurity officer at Trend Micro, but it's made a resurgence in the past three years and there are now more participants than there were in 2000.

"It's larger because it's providing a wider multiplicity of goods and services," Kellermann said. "They're there for the drugs, weapons, passports, stolen cards, and murder for hire. It's a one-stop shop for criminals to facilitate their conspiracies, to bypass traditional security, and to launder money."

Drugs are the hottest commodity, accounting for 62 percent of all sites. Stolen data dumps account for 16 percent of all sites, fake documents for 4 percent, and weapons for 2 percent. Murder for hire sites account for 1 percent of the North American underground sites, according to Trend Micro.

Read more: US cyber criminal underground a shopping free-for-all