Targeted Attacks, Weak Passwords Top IT Security Risks in 2013
Companies should hunt down systems with default passwords and beware that more sophisticated attacks will seek to fool employees, predict two security firms.The biggest security threats to companies in 2013 will depend on who is attacking the business: Opportunistic criminals will continue scanning for accounts with default or weak passwords, while targeted attackers will refine their attempts to fool employees, business services firm Verizon and security software firm McAfee stated in separate reports. In the past year, about 90 percent of successful breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential, which is a trend that will continue, said Wade Baker, managing principal for the company's RISK team. The company analyzed data gathered from incidents it investigated in 2012 to identify the causes of data breaches. "Taking all the attacks that happened to larger corporations and government, about 90 percent had weak or stolen credentials," Baker said. "We see no reason that that trend will change in 2013." A year ago, an analysis of the breach of global-intelligence firm Stratfor found that many of the site's customers had selected weak passwords for their accounts, with one analysis breaking about 10 percent of the passwords in five hours. Other analyses of leaked passwords have found similarly poor password choices, as well as the reuse of passwords across sites.
Malware shows a different trend. Cyber-crime campaigns aimed at compromising specific businesses will become more refined, while broader campaigns will focus on narrower subsets of victims, said Ryan Sherstobitoff, a threat researcher with software-security firm McAfee.