Highlights from the 2016 Global Security Report by Trustwave

Rob Olmos
Vice President, CTO

Trustwave recently produced their 2016 Global Security Report available here: https://www2.trustwave.com/GSR2016.html

Applying Magento and WordPress updates as soon as possible after they’re released is one of the most effective ways to keep your site from being hacked. The reason is that once an update is released, attackers also learn where the vulnerability is. At that point it becomes a race to apply the patch before attackers develop an exploit and target your site. Trustwave highlights the same thing in their report:

“Depressingly – but predictably – most of the affected systems were not fully up to date with security patches, with some being behind by more than 12 months. With so much attention being paid to zero-day vulnerabilities, it’s vital to remember that it doesn’t matter how fast a vendor releases a patch if the patch is never applied.”

The following statistics highlight the importance of application security. Keep in mind that slow or absent patching is a significant contributor to these Trustwave statistics:

  • 85% of compromised e-commerce systems used the Magento open-source platform
  • 60% of breaches targeted payment card data
  • 71% of web attacks observed by Trustwave targeted WordPress
  • 97% of applications tested by Trustwave had one or more security vulnerabilities
  • 22% of incidents involved POS systems

If you run an e-commerce POS system, securing that system and its environment is just as important as securing your website.

Questions to ask yourself:

  • Do you know if your POS, website and hosting server have all of the available security patches applied?
  • How are you notified when a new patch is available? How long does it take to apply that new patch?
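One way to answer those two questions with data rather than a guess is to track, per system, how far behind the latest release it is and for how long. The script below is an added example written for this post, not code from Trustwave or from the report; the inventory, versions and release dates in it are constructed, and the 30-day and 365-day thresholds are assumptions (the 365-day one mirrors the report's "behind by more than 12 months"). It reads the installed WordPress version from the real `wp-includes/version.php` format and computes the patch lag for each system.

```python
import re
from datetime import date

# Constructed excerpt in the format of WordPress's wp-includes/version.php
# (the file really does define $wp_version this way; the value is made up).
WP_VERSION_PHP = """<?php
$wp_version = '4.5.2';
$wp_db_version = 36686;
"""


def parse_wp_version(php_text):
    """Pull the installed core version out of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", php_text)
    return m.group(1) if m else None


def version_key(v):
    """Compare versions numerically, so 1.9.2.4 > 1.9.2.2 and 4.10 > 4.9."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def patch_lag_days(installed, latest, latest_released, today):
    """Days the system has been running an older version since `latest` shipped."""
    if version_key(installed) >= version_key(latest):
        return 0
    return (today - latest_released).days


def classify(lag_days, warn_after=30, critical_after=365):
    """Bucket the lag; thresholds are assumptions, not figures from the report."""
    if lag_days == 0:
        return "current"
    if lag_days > critical_after:
        return "critical"
    if lag_days > warn_after:
        return "overdue"
    return "behind"


def audit(inventory, today, warn_after=30, critical_after=365):
    """Return {system: (lag_days, status)} for every system in the inventory."""
    report = {}
    for name, installed, latest, released in inventory:
        lag = patch_lag_days(installed, latest, released, today)
        report[name] = (lag, classify(lag, warn_after, critical_after))
    return report


# Constructed inventory: (system, installed version, latest version, release date of latest).
# All versions and dates here are made up for the example.
INVENTORY = [
    ("shop-wordpress", parse_wp_version(WP_VERSION_PHP), "4.5.3", date(2016, 6, 21)),
    ("shop-magento", "1.9.2.2", "1.9.2.4", date(2016, 2, 23)),
    ("store-pos", "3.1.0", "3.2.0", date(2015, 5, 1)),
    ("db-host-mysql", "5.6.31", "5.6.31", date(2016, 6, 1)),
]
AS_OF = date(2016, 7, 15)  # constructed "today" so the run is reproducible

if __name__ == "__main__":
    for name, (lag, status) in sorted(audit(INVENTORY, AS_OF).items()):
        print(f"{name:16} {status:9} {lag:4d} days behind")
```

Run against a real inventory, the "latest version" and "release date" columns are what your notification process has to feed in; if nobody owns filling them in, that is the answer to the first question, and the lag column answers the second.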

Two highlights regarding the time between detection and containment (clean up):

  • 126 days from detection to clean-up when the intrusion was discovered by someone other than the victim
  • 10 days from detection to clean-up when the victim discovered the intrusion themselves

Questions to ask yourself:

  • Do you know if your hosting provider has software installed to assist with detecting an intrusion?
  • Do you utilize any managed security services to assist with preventing and detecting an intrusion?

An ounce of prevention is worth a pound of cure:

“The cost and effort of securing a network against data compromise pales in comparison to the cost and effort of cleaning up after a breach.”

This is an important concept to keep in mind. Not only is there the cost of investigating and cleaning up a breach, but also the cost of that effort's impact on existing development, website downtime, and customer perception when customers are notified that their data was breached. In addition, should credit card data be compromised, the card associations such as Visa, Mastercard, etc. may require you to move to a higher PCI DSS compliance level to continue accepting credit cards, which is expensive and labor-intensive to achieve.

Questions to ask yourself:

  • If your website is involved with credit cards, do you know what your PCI compliance scope is?
  • Is credit card information passing through your hosting environment and unnecessarily increasing your PCI scope and risk?

If you’re having trouble answering any of those questions, we strongly suggest you contact us to help you answer them with confidence, because the security of your online presence and business depends on them.

Trustwave’s report has many other interesting facts such as breakdowns of the systems breached by business sector, the method of intrusion, and commonly detected security vulnerabilities, to name a few. We appreciate Trustwave for producing and freely sharing their report.

- Rob Olmos, Vice President, CTO

Filed under: Cloud, E-commerce