Summary of key findings
Adversaries continue to innovate
Attack volumes increased across all industries between 2018 and 2019. Due to the overwhelming success of the
use of tools such as web shells, exploit kits, and targeted ransomware, adversaries are still developing effective
multifunction attack tools and capabilities. The most common techniques observed globally were remote code
execution (15%) and injection (14%) attacks. In most cases, these attacks continue to be effective due to organizations
poor practices related to network, operating system, and application configuration, testing, security controls and
overall security hygiene. Adversaries are also leveraging artificial intelligence, machine learning, and investing in the
automation of attacks. 21% of malware detected was in the form of a vulnerability scanner which also supports the
premise that automation is key focus point of attackers.
Old vulnerabilities still a prime target
As with previous year’s reports, attackers are still focusing on leveraging vulnerabilities which are several years old,
have patches available, but are still not being addressed by organization’s patch and configuration management
programs. 258 new vulnerabilities were identified in Apache frameworks and software, such as Struts and Tomcat,
over the last two years. Additionally, Apache software was the third most targeted in 2019, accounting for over 15% of
all attacks observed.
IoT weaponization: IoT devices continue to be compromised
The re-emergence of Mirai and variants has helped widen the spread of IoT attacks. Botnets such as Mirai, IoTroop,
and Echobot have advanced their propagation capabilities by investing in automation. IoTroop remains a persistent
threat, accounting for 87% of botnet activity detected in Japan.
Technology leads top attacked industries
Technology was the most attacked industry in 2019, accounting for 25% of all attacks observed. Significant increases
in application-specific and DoS/DDoS attacks, along with weaponization of IoT attacks against technology contributed
to technology becoming the most attacked industry. Technology was previously the second most attacked industry in
2017 and 2018 and had the highest occurrence of ransomware activity at 9%, while no other industry showed higher
detections of ransomware than 4%. Government activity driven by geo-political activity accounted for 16% of activity
this year, compared to 9% in 2019. The technology industry also had the lowest performance of application security,
with an average of 12 serious vulnerabilities per web application.
Content management systems heavily targeted
Malicious actors leverage compromised web servers to steal valuable data and use these powerful resources to
conduct additional cyber-attacks. Some of the most dominant activity during the past year was related to attacks
against popular content management systems (CMS), malware activity, and web-application attacks. Popular CMS
platforms such as Joomla!, Drupal, and noneCMS account for the majority of CMS market share. They also represent
being the target of approximately 20% of all observed attacks globally. Additionally, nearly 55% of all attacks were
application-specific (33%) and web-application (22%) attacks.
2019 a year of enforcement: GRC continues to become more complex
More data privacy professionals are influencing the digital agenda. At the current rate of increasing governance, risk,
and compliance (GRC) initiatives globally, being complacent with compliance will likely continue to create challenges
for organizations. The regulatory landscape is continuing to make dynamic shifts and globalization of third-party
vendors and suppliers compounds complexity. Several acts and laws are influencing how organizations handle data
and privacy, including the California Consumer Privacy Act, Brazilian General Data Protection Law, India’s Personal Data
Protection Bill, and Singapore Personal Data Protection Act.
Although we provide multiple recommendations throughout the report, we believe the following principles can be
valuable to consider as you move towards your information security and data protection goals.
...