Zero-Days Doubled In 2015, More Companies Hiding Breach Data, Says Symantec (csoonline.com)

Reader itwbennett writes: According to a new report by security firm Symantec, 54 zero-day vulnerabilities were discovered in 2015, more than twice as many as in 2014, and the number of breaches -- 10 million records -- also hit a record high. Driving this is a new professionalism in the market. "People figured out that they could make money by finding zero-day vulnerabilities and selling them to attackers," said Kevin Haley, director of security response at Symantec. "So there became a marketplace, and these things started to have value, and people started to hunt for them." At the same time, 2015 saw another disturbing trend: The number of companies choosing not to report the number of records they have lost rose by 85 percent (from 61 in 2014 to 113 in 2015). "More and more companies aren't actually revealing what was breached," said Haley. "They will say attackers came and stole from us, but not saying how many records were lost."
  • by messymerry ( 2172422 ) on Tuesday April 12, 2016 @11:13AM (#51892671)
    The dog ate it...
  • by Anonymous Coward

    Pass laws and international treaties agreeing that people who exploit zero days will be punished severely enough to deter criminals from carrying out their attacks. I recommend they be executed for their crimes. The best approach might be a combination of crucifixion and being burned at the stake.

    • Deter criminals? You mean like how the death penalty has stopped anyone from ever murdering again? oh wait.......
      • Death Penalty isn't to deter crimes, though that may actually be a side benefit. It is actually a form of punishment. However, as sparingly used as it is, you might as well do away with it. Since it often takes 20 years (or more) to get through the process of the death penalty it actually doesn't serve as punishment either, so you might as well do away with it. Since there are quite a number of people who have been convicted of crimes they didn't actually commit, you OUGHT to do away with it.

        I do believe in the

      • You mean like how the death penalty has stopped anyone from ever murdering again?

        Yep, that's the thing...most people who commit crimes don't think they're going to be caught. Dire consequences like the death penalty don't seem to deter people, even from premeditated murder, which you would think would be the kind of murder that people would be prevented from committing.

        (Or, maybe it does in some cases, but we don't hear about murders that weren't committed because of the law. How would we know?)

        But yeah, in general it doesn't seem to be much of a deterrent.

      • I'd say the death penalty has been 100% successful at stopping a murderer (of whom the death penalty was applied) from murdering other people.
    • As I see it, they should in general apply the same rules.

      If you got in without permission, but you didn't break anything. Trespassing.
      If you got in and broke the server/software. Breaking and Entering
      If you stole data, theft (based on the value of the data)
      If you sold the data corporate espionage.

      In general it would be the same laws of old if you entered a building and started sifting through the paper files, or changing data etc....

      Now if a shop locked their door, but they broke in due to a known but unrepor

    • by swb ( 14022 )

      It won't work because criminal activity is either part of the shadow economy or part of the security services or both in most places.

      I'd guess Western Europe, North America and parts of Asia-Pacific already have laws like this and will generally play ball with each other's law enforcement systems. In "important" cases, some non-aligned states may be vulnerable to diplomatic pressure.

      But by and large, China and its client states and Russia and its client states will never agree to this, as will the US in most

  • More and more ill equipped and security unconscious duds collecting any and all kinds of data while having not the foggiest clue about securing it adequately.

    And this will not change. Mostly because the only one who could, the government, by issuing laws that break the idiots' backs if they are too stupid to secure what they collect, have no interest in breaking their OWN back.

    • This will change when people who have their data exposed can sue both those that exposed the data, and those that buy/use it. We should quit trying to stop these assholes, and just try to take the profit out of their side of the equation.

      • This will not happen. The governments are among the biggest data collectors and they have just recently shown just how good they are at protecting it.

        You think they will make a law that essentially cuts them the most? Really?

        • The governments are among the biggest data collectors and they have just recently shown just how good they are at protecting it.

          And this is tyranny. Nothing less. And yet, many people continue to support it. Something about the devil you know vs the devil you don't.

  • What's going on with Slashdot stories that get posted and then deleted?

  • by JustAnotherOldGuy ( 4145623 ) on Tuesday April 12, 2016 @11:34AM (#51892853) Journal

    The number of zero-day exploits should be trending down, not up.

    Supposedly software and development tools are becoming more mature and programmers are gaining more experience (ostensibly reducing the amount of code that's susceptible to zero-day exploits), but this is obviously not the case.

    As for prevention via the law, I doubt any penalty could or would be severe enough to dissuade anyone from using a zero-day exploit they found or bought, so I don't think a legal solution (i.e. prosecution, jail time, etc) is ever going to work.

    I doubt even the threat of the death penalty would do it, because most people who commit crimes don't think they're going to be caught.

    • Well customers are demanding more Cloud/Remote hosted systems than systems that they can install on their internal network or their own PC's. A lot of these Mature Programmers are used to making applications based on Local systems access, where backdoors are just part of the design. They will rarely plan out the entire process. Sure the New tools may prevent buffer overflows, and SQL injections... However that feature that needs to solve a problem, just may open a door to an attack. An improperly c

      • > A lot of these Mature Programmers are used to making applications based on Local systems access ...
        > Also most of these apps are based on Older Code sets, Taking a PC App and just changing the UI to be Web Based.

        Yep, many programmers are reasonably competent for desktop programming, where the user is trying to make the program work correctly. They are trained in and don't think with the mindset that "users" are attacking the software daily, trying to find ways to make it fail. Because Windows is th

    • The number of zero-day exploits should be trending down, not up.

      Let me rephrase the article headline for you: "You need X! Says seller of X"

      • Let me rephrase the article headline for you: "You need X! Says seller of X"

        Where can I buy this wonderful "X", it sounds like I need it ASAP!!

    • If the number of users, the number of devices and the amount of software were kept constant I'd be closer to agreeing with you. But there's growth in all three. Combine that with the fact that all three are designed and built by humans and thus have bugs, and that means growth. Plus read the story about education (or lack of) and you are beginning to get the picture.
    • and programmers are gaining more experience

      But there's a constant influx of new programmers with no experience.

      • But there's a constant influx of new programmers with no experience.

        Damn...what can we do to stop all these goddamn &#$@! newbies from polluting our pristine pool of programmers??

    • 54 serious vulnerabilities is such a small subset of the total number of vulnerabilities that as a sample it is useless for anything.

      At best it might show that more people are looking for vulnerabilities.
  • by idbeholda ( 2405958 ) on Tuesday April 12, 2016 @11:54AM (#51893017) Journal
    Coming from a company known for, and having a long, colorful, illustrious history of rolling out notoriously insecure products. The number one spot belongs to all versions of Windows and Outbreak Express. Just saying.
    • Yeah. It might be more accurate to say that Symantec has 54 zero days in its products, but it might be higher than that. At least they didn't leave their debugging server turned on.
  • They're just hiding it from you.

  • by Gravis Zero ( 934156 ) on Tuesday April 12, 2016 @12:49PM (#51893485)

    It seems to be in the interest of the general good that companies be legally compelled to disclose when they have been breached as well as the extent of the breach. If nothing else, this will enhance the "Free Market" by driving people away from companies that are irresponsible.

    Therefore, I predict a number of marionettes-err-congress critters-err-politicians will be against this idea.

    • They'll fight that tooth and nail due to the tendency of stock holders to sue them whenever this happens.
      Maybe if you included a clause that they can't get sued for repercussions of revealing that information...
