Targeted Attacks, Weak Passwords Top IT Security Risks in 2013

Companies should hunt down systems with default passwords and beware that more sophisticated attacks will seek to fool employees, predict two security firms.

The biggest security threats to companies in 2013 will depend on who is attacking the business: Opportunistic criminals will continue scanning for accounts with default or weak passwords, while targeted attackers will refine their attempts to fool employees, business services firm Verizon and security software firm McAfee stated in separate reports.

In the past year, about 90 percent of successful breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential, which is a trend that will continue, said Wade Baker, managing principal for the company's RISK team. The company analyzed data gathered from incidents it investigated in 2012 to identify the causes of data breaches.

"Taking all the attacks that happened to larger corporations and government, about 90 percent had weak or stolen credentials," Baker said. "We see no reason that that trend will change in 2013."

A year ago, an analysis of the breach of global-intelligence firm Stratfor found that many of the site's customers had selected weak passwords for their accounts, with one analysis breaking about 10 percent of the passwords in five hours. Other analyses of leaked passwords have found similarly poor password choices, as well as the reuse of passwords across sites.

Malware shows a different trend. Cyber-crime campaigns aimed at compromising specific businesses will become more refined, while broader campaigns will focus on narrower subsets of victims, said Ryan Sherstobitoff, a threat researcher with software-security firm McAfee.

He pointed to the Citadel Trojan as a good example. In October, the creators of Citadel released a new version—dubbed the "Rain Edition"—which allows botnet operators to customize attacks for specific victims. Citadel is a variant of the infamous Zeus banking Trojan, created after the Zeus code base was leaked to the Internet in 2011. In one case, a campaign using Citadel targeted victims that lived in Madrid.

"Things are becoming more targeted and more detailed: They are targeting specific populations and specific users," Sherstobitoff said.

The tools are becoming more user-friendly for criminals as well. Citadel, for example, allows support, has a customer relationship management (CRM) tool and has a trouble-ticketing system.

The Citadel botnet is not just used for bank theft. In August, the FBI warned about criminals using the Citadel Trojan for ransomware attacks, where a victim's system freezes unless they pay money.

While bad passwords and targeted attacks will be problems for companies and their employees, businesses should also look to their Websites. About three-quarters of all attacks also used a Web exploit to gain access to sensitive data, Verizon's Baker said.

Mobile malware, however, continues to pose a minimal threat, at least in the United States, he said. While companies are worried about employees bringing compromised devices inside the network, so far that threat has not materialized, said Baker.

"Consumers are very rapidly adopting their mobile devices," he said. "Enterprises are going to be a bit more risk-adverse than the typical consumer, however."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...