A Smattering of Security Statistics

This page is dedicated to reporting security statistics as they are reported from the numerous outlets around the market. This page will continue to be updated as new reports arise.

“36% of vulnerabilities went unpatched in 2011.” -X-Force Trend and Risk Report 2011
“India accounted for roughly 14% of all spam registered today.” -X-Force Trend and Risk Report 2011
“41% of vulnerabilities disclosed are web application vulnerabilities.” -X-Force Trend and Risk Report 2011
“11% of vulnerabilities disclosed in 2011 had an associated public exploit released.” -X-Force Trend and Risk Report 2011
“28% of web applications tested had CSRF vulnerabilities.” -X-Force Trend and Risk Report 2011
“40% of web applications tested had XSS vulnerabilities.” -X-Force Trend and Risk Report 2011
“.tk and .com domains represented more than 70 percent of all new anonymous proxies.” -X-Force Trend and Risk Report 2011

“174 million records were compromised across 855 incidents researched” -DBIR
“98% of breaches stemmed from external agents” -DBIR
“58% of all data theft tied to activist group” -DBIR
“81% utilized some form of hacking” – DBIR
“69% of breaches incorporated malware” – DBIR
“79% of victims were targets of opportunities.” -DBIR
“96% of attacks were not highly difficult” -DBIR
“94% of all data compromised involved servers” -DBIR
“85% of breaches took weeks or more to discover” -DBIR
“92% of incidents were discovered by third parties” – DBIR
“97% of breaches were avoidable through simple or intermediate controls” -DBIR
“96% of victims subject to PCI DSS had not achieved compliance” -DBIR
“In 69% of all breaches there was good evidence of the breach in the organization’s log files, but such evidence is rarely found due to data overload.” -DBIR

“Attackers used valid credentials in 100% of cases.” -M-Trends
“77% of Advanced threats investigated used publicly-available malware” – M-Trends
“At median it took 416 days from the time attackers were present on a victim’s network before their presence was detected (in investigated incidents).” -M-Trends
“Searching for malware identifies only 54% of systems compromised in an incident.” – M-Trends
“Attackers are once again using passive backdoors to evade network- and host-based detection methods” -M-Trends

“Customer records remained a valuable target for attackers, making up 89% of breached data investigated.” – 2012 Global Security Report

“In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.” -Trustwave 2012 Global Security Report
“Law enforcement detected more breaches in 2011 – up from 7% in 2010 to 33% in 2011.” -Trustwave 2012 Global Security Report
“Anti-virus detected less than 12% of the targeted malware samples collected during 2011 investigations.” -Trustwave 2012 Global Security Report
“For Web-based attacks, SQL injection remains the number one attack method for the fourth year in a row.” -Trustwave 2012 Global Security Report
“The most common password used by global businesses is ‘Password1’ because it satisfies the default MS Active Directory complexity setting.” -Trustwave 2012 Global Security Report
“89% of attacks were focused on obtaining PII” -Trustwave 2012 Global Security Report
“80% of breaches propagated via use of weak administrative credentials.” -Trustwave 2012 Global Security Report
“28% of Apache Tomcat installations with an accessible administrative interface have default credentials.” -Trustwave 2012 Global Security Report

“Through 2016, 75% of CISOs who experience publicly disclosed security breaches and lack documented, tested response plans will be fired.” -Strategic Planning Assumption (Gartner, Seven Steps to Creating an Effective Computer Security Incident Response Team)

“Two-thirds of security leaders expect spending on information security to rise over the next two years. Of those 90% anticipate double-digit growth. One in ten expects increases of 50% or more.” – IBM CISO Study

“Over 6,000 new pieces of malware are released every month.” -Unknown, found on AnsonAlex.com

“Web based attacks increased by 36% with over 4,500 new attacks each day.” -Symantec Internet Security Threat Report, Volume 17
“403 million new variants of malware were created in 2011, a 41% increase over 2010.” -Symantec Internet Security Threat Report, Volume 17
“39% of malware attacks via email used a link to a web page.” -Symantec Internet Security Threat Report, Volume 17
“Mobile vulnerabilities continued to rise, with 315 discovered in 2011.” -Symantec Internet Security Threat Report, Volume 17
“It is estimated that there were 42 billion pieces of spam sent per day in 2011.” -Symantec Internet Security Threat Report, Volume 17
“42% of all mailboxes targeted for attack are high-level executives, senior managers and people in R&D.” -Symantec Internet Security Threat Report, Volume 17
“403 million unique variants of malware in 2011.” -Symantec Internet Security Threat Report, Volume 17
“55,294 unique malicious web domains in 2011.” -Symantec Internet Security Threat Report, Volume 17
“1 in 239 e-mails contains a virus.” -Symantec Internet Security Threat Report, Volume 17

“5% of websites have had at least 1 SQL Injection vulnerability without needing to login.” -WhiteHat Security Statistics Winter 2011
“71% of Education, 58% of Social Networking, and 51% of Retail websites were exposed to a serious* vulnerability every day of 2010.” -WhiteHat Security Statistics Winter 2011
“During 2010, the average website had 230 serious vulnerabilities.” -WhiteHat Security Statistics Winter 2011
“In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a tenth of a percent.” -WhiteHat Security Statistics Winter 2011

“70% of security professionals surveyed do not believe their organizations (allocate) sufficient resources to secure and protect critical Web applications.” -Ponemon Institute State of Web Application Security
“34% of urgent vulnerabilities are not fixed.” -Ponemon Institute State of Web Application Security
“38% believe it would take more than 20 hours of developer time to fix one vulnerability.” -Ponemon Institute State of Web Application Security
“55% of respondents believe developers are too busy to respond to security issues.” -Ponemon Institute State of Web Application Security
“Proactive organizations spend more than twice the amount on application security than non-proactive organizations (25% vs. 12% of the total IT security budget).” -Ponemon Institute State of Web Application Security