We've gone a little Halloween-crazy this year over here at Rapid7 Towers. Check out this week's Whiteboard Wednesday video to hear how organizations are like the protagonists of horror movies, making decisions that may ultimately make them vulnerable to attack. In addition, while we were carving our pumpkins and sewing our costumes, we got to thinking about one of the most horrifying realities in information security: many organizations keep falling victim to the same tricks they've seen in the past. We saw this reflected in Verizon's 2013 Breach Investigations report, which revealed that a terrifying 78% of initial intrusions were rated as low difficulty, while 75% were considered opportunistic attacks.
So we looked into a number of specific threats and security concerns and found a huge amount of data that highlighted the issue, both from our own original research and from third parties in the industry. For example, 55% of people are still reusing passwords across multiple sites (source), despite the number of high-profile breaches that compromised credentials in the past few years (Life's a Breach, for example). This is particularly chilling given that 76% of network intrusions in 2012 exploited weak or stolen credentials (again, according to Verizon's brilliant breach report).
We compiled some of the stats we found into a Halloween-inspired infographic, below. This includes a sneak peek at some upcoming mobile risk research, which updates the research conducted last year. We'll be publishing the full report soon, but in the meantime, check out this Halloween infographic.
When it comes to learning the lessons and mitigating known threats, one of the biggest challenges security professionals face is the awareness and interest of users. It's incredibly challenging for security professionals to mitigate the risk represented by users, who are frequently unaware of the threats or don't take them seriously, as the password stats above, and many others in the infographic, highlight. We've been trying to help tackle this throughout October – which is National Cyber Security Awareness Month – with a series of short primer emails you can send around your organization to help you educate users on major threats they may face. You can check them out as follows: Phishing, Mobile Devices, Password Hygiene, and Cloud Security.
So this Halloween, instead of just telling yourself it's only a dream, or that there's no way the calls are coming from inside the house, why not take a look at your organization, and see what you can do to exorcise these security daemons.