080706050403020100A080706050403020100B C D F GPASSWORD********PASSWORD WSSWORD S**TRENDS FOR 2015TARGETING THE CORPORATE WORLDCONTENTS IntroductionPAGE 3 Evolution of APTsPAGE 5The Danger from APTsChanges in Cyber-attack StrategiesAPTs Keep the Door Open for Cyber-espionage APTs in the Forefront of Attacks on Companies for 2015 Point-of-Sale MalwarePAGE 9 The Objective is Information POS Malware and 2015 Vulnerabilities Impact and Challenges for 2015 PAGE 17 ConclusionPAGE 22 Internet of Things or Internet of Threats?PAGE 19 Home Automation Opens the Doors to New Threats More Connected Devices, More Online Threats IoT Security Concerns Threats Follow the Path of Technology Information LeakagePAG 13 What Can Be Done to Prevent Information Leakage? Why Should Companies Implement Two-Factor Authentication? Attacks and Their Numbers Incidents in the Last 5 years Breached Records in Millions Protection of Company Information in 2015 What Can a Company Do in 2015 to Protect Their Information?Introduction4 INTRODUCTIONThe"TrendsFor2015TargetingtheCorporate World"reportbytheESETLATAMResearchLab invitesyoutoreviewsomeofthemostsignicant casesthatafectedcomputersecurityin2014,and toconsiderandpresentthechallengesandthreats expected for 2015. This report will try to address the diferenttypesofthreatsandsecurityincidentswe have witnessed during the year classied by catego-ry in order to answer the following questions: what will we nd during 2015 in terms of IT security? And how,therefore,cancompaniesandindividualusers prepare themselves to get through next year in safe-ty?Throughouttheyear,wehavereadmanyposts aboutattacksinvolvingAPTs(AdvancedPersistent Threats). But what is an APT? What is its impact on acompany?Andwhydoweexpecttokeepseeing these kind of threats in 2015? These are some of the questionswewillanswerinthisdocument,aswe review the events of the last few years and prepare ourselves for the next.2014sawmanyimportanteventstakeplacein computersecurity:morethanoncewehavefound ourselvestalkingaboutdatabreaches,exploitation ofvulnerabilities,andtheappearanceofdiferent threats that compromised the data security and pri-vacy of individuals and companies.In our Trends 2014 article, we highlighted the impor-tance of privacy of users, and what they could do to browse safely on the Internet. However, related in-cidents involving leakage of users' photographs and videos only reinforced the importance of privacy, as well as emphasized the importance of the methods implementedbycloudservicesandvarioussocial networkstosafeguardinformation.Atthesame time,users'concernsabouttheprotectionoftheir online privacy continued and they complained when the services they had trusted became compromised. So, which methods to use to be safe online? And also, what are the challenges a company faces concerning privacy, both its own and that of its clients and em-ployees?Finally, we also stress that since the end of 2013 we have witnessed a new wave of threats that encrypt the information of their victims in order to demand that a ransom be paid for the recovery of their data. Ransomware with CryptoLocker leading the list becameaheadacheforcompaniesandusersalike, even afecting mobile devices. Is this a passing threat or a trend that is here to stay?Inshort,throughoutthisdocumentwewillre-viewmalwarethatencryptsusers'information, thedataleakageofmillionsofcreditanddebit cards put on sale by cybercriminals who attacked pointofsale(PoS)systems,thevulnerabilitiesin heavily-usedsystemsthatthreatenedthesecu-rityoflotsofcompaniesworldwideregardless of whether they were large corporations or SMBs. Lastbutnotleas,wewillcoverthetargetedat-tacks, all of which were included in the challenges companieshadtofaceduring2014,andthatwill mostlikelycontinueand,insomecases,even deepenin2015.Weinviteyoutoseewhat's aheadinITsecuritytrendsfor2015andthebest practices needed to prepare yourself to face those challenges,atthecorporatelevelaswellasfor home users.ESET LATAM Research LabEvolutionof APTsThe Danger from APTsChanges in Cyber-attack StrategiesAPTs Keep the Door Open for Cyber-espionage APTs in the Forefront of Attacks on Companies for 20156There is no doubt that in the last few years we have witnessedachangeinthewaycybercriminalsper-form their attacks. Even though "traditional threats" are still a signicant risk for organizations, there has beenatrendtowardsoneswehavealreadyseen throughout 2014: attacks that were tailor-made for particular victims.This type of attack is known as an Advanced Persistent Threat (APT). According to the US National Institute of Science and Technology (NIST), an APT is "An ad-versary that possesses sophisticated levels of exper-tise and signicant resources which allow it to cre-ateopportunitiestoachieveitsobjectivesbyusing multiple attack vectors (e.g., cyber, physical, and de-ception). These objectives typically include establish-ing and extending footholds within the information technology infrastructure of the targeted organiza-tionsforpurposesofexltratinginformation,un-derminingorimpedingcriticalaspectsofamission, program, or organization; or positioning itself to car-ryouttheseobjectivesinthefuture.Theadvanced persistent threat: (i) pursues its objectives repeated-ly over an extended period of time; (ii) adapts to de-fenders eforts to resist it; and (iii) is determined to maintainthelevelofinteractionneededtoexecute its objectives."As can be seen in Chart 1, the number of analyses and studies concerning APTs has increased in the last ve years, even doubling the quantity seen in 2013 in just the rst ten months of 2014.However,theincreaseinvolumeofthesethreats doesnotmeantheyaremorewidelyused.Infact, theyarebecomingincreasinglydiscreet,sincethe attacker's objectives are to gain surreptitious access to information and clandestine control of the system. The implementation of APTs requires dedication and expertise in order to make attacks efective against a specic target and, as we have already mentioned, theideaistoremaininsidethenetworkaslongas possiblesoastoexltratethegreatestamountof information.The evolution in the frequency of the APTs does not showabehaviorpatternwithrespecttotheway theyshowup.AscanbeseeninChart2,theonly patternthatcanbeobservedintheappearanceof APTs is one of growth. In fact, if we analyze their fre-quencyofappearanceonamonthlybasis,wecan see the values increasing over the last ve years.Chart 1. Growth in the amount of analyzed APTs Growth of APTs each year53 EVOLUTION OF APTSChart 2. Evolution in the number of APTsOccurence of APTJanFebMarAprMayJunJulAugSepOctNovDec7The Danger from APTsBydevelopingAPTs,cybercriminalscreateathreat thatcanendureforalongtime,withtheabilityto changeitselfandtoinfestthegreatestnumberof systems possible within the same afected network.WeshouldaddthatAPTssometimesexploit0-day vulnerabilities, making them much more difcult to detect and thus causing their victims to sufer more substantial losses.Even though it is clear that attacks using APTs have becomemorefrequentoverthepastfewyears, somecaseshadabiggerimpactthanothers.One example is Flame, a threat that afected the Iranian OilMinistry,whichalsohaditspredecessorsDuqu andStuxnet,bothmaliciousprogramswhich,by exploiting0-dayvulnerabilities,managedtoaccess nuclear programs in the Middle East and cause sig-nicant damage.Even during 2014, as can be seen in Chart 3, threats liketheBlackEnergyfamilywereemployedforDis-tributed Denial of Service attacks, for distribution of spam, for bank fraud and even for targeted attacks, whichalldemonstratetheversatilefunctionality these threats ofer to cybercriminals.Wecouldwritealonglistofexamplesofthemost recent cases that would leave no room for the other issuesweneedtoaddressinthisdocument.How-ever,whatisreallyimportantistorememberthat, regardless of a companys specic core business, we shouldbeawareofthiskindofattackinorderto take the most efective protective measures.Changes in Cyber-attack StrategiesWhen we talk about cyberattacks, we usually mean campaignsthroughwhichthetechnologicalinfra-structure of companies is afected in order to exploit vulnerabilities and steal some kind of sensitive infor-mation that generates advantage for the attackers.ThediferencewithAPTsisthat,althoughthe-nalpurposeisusuallyverysimilartothetraditional attacks,westarttoseethatthesearelongercam-paigns, more specically targeted and stealthier, that seektogatheragreateramountofinformationto compromisesystemsinthelongtermorevento monitor what happens inside the victims' systems.Given these diferences, we nd more complex Social Engineeringcampaignsthatarenotlimitedtothe use of exploits and malicious codes, either generic or acquired on the black market.APTs Keep the Door Open for Cyber-espionageAfter talking about the diferences between the APTs andthemoretraditionalthreats,andgiventhatit isincreasinglycommontondmoreAPT-afected companies and entities, it is important not to forget that what attackers are looking for is to steal specif-icdataortocausespecicdamage.Sincetheyare lookingforveryimportantandsensitivedata,itis normalfortheseattackstolastseveralmonthsor evenyears,duringwhichtimetheattackeridenti-es vulnerabilities and assesses the security controls thatprotectthetargetsystemsinordertoacquire trusted access to privileged information and extract it without raising suspicions.Most relevant APT Camapaigns EVOLUTION OF APTSChart 3. Evolution of the APTs8For the last few years, the ESET Research Labs from all over the world have been announcing the discov-eryofattacksofthisnatureintheLatinAmerican region.Consider,forexample,thetargetedattack seekingtostealcondentialinformationfromPe-ruvian institutions and companies. The Medre oper-ationmanagedtocollectmorethan10,000lesof blueprintsandprojectscreatedwiththeAutodesk AutoCAD program.Casesworldwide,likethereappearanceofBlack-Energy in 2014, tell us this is a phenomenon we can ndatthegloballevel.Thistrojan,originallycreat-edtoperformDistributedDenialofService(DDoS) attacks,evolvedintosophisticatedmalwarewitha modular architecture: a tool just as capable of send-ingspamandcommittingbankfraudsonlineasof performing targeted attacks.Also in 2014, the ESET Research Lab reported a cam-paigntitledOperationWindigo,whichmanaged toafectmorethan25,000LinuxandUnixservers duringthepasttwoyears,sendingspamandredi-recting people visiting infected websites to malicious content.InthecaseofWindigo,itisimportanttohighlight that over 25,000 servers have been afected over the last two years, and 10,000 of them were still infect-ed at publication time. Moreover, if we consider that each one of these systems has access to considerable bandwidth, storage, computing power and memory, it is not surprising that this single operation was re-sponsible for sending an average of 35 million spam messages on a daily basis, and that more than half a million visitors to legitimate websites hosted on in-fected servers were redirected to an exploit package daily.APTs in the Forefront of Attacks on Companies for 2015Aswehavereviewedinprevioussection,itisclear that the growth of APTs over the last ve years has ledtothedevelopmentofnewattacks.Therefore, for 2015 we can expect that more companies will re-port having sufered the consequences of ever more complexandevolvedAPTs,whichwillexploitthe constantly appearing security vulnerabilities, leaving the door open for even more data exltration.Weshouldremember,giventhenatureofthese threats, that most of the cases that will be reported in 2015 will probably have been perpetrated in 2014. Unfortunately,thesecasesofinfectionareonlyre-ported and known after the company has been com-promised.Therefore,itisofutmostimportanceto takeallprecautionarymeasurestoavoidbecoming a victim of this kind of attacks, both through the im-plementation of technology, and also by user educa-tionandproperInformationSecurityManagement on part of the company.Atthesametime,itisimportanttonotethatal-though the largest companies can seem to be a more interestingtargetforattackers,thetruthisthatno organizationisimmunetoattacksofthisnature, giventhattheattackerlooksforvaluableinforma-tion something that every company, organization or entity has. Therefore, it is a challenge for compa-nies of all sizes to adopt the necessary security mea-sures so that they do not become victims.Finally, we have already seen companies afected by APTs;thoughweexpectthatin2015(andhence-forth)thiskindofattackwillbecomemorepreva-lent, as has already happened with other threats that originallyweremorecommoninsomeregionsand shortly after have spread more globally. EVOLUTION OF APTSPoint-of-Sale Malware The Objective is Information POS Malware and 201510Sincetheendof2013,therehavebeenmultiplere-portsreachingthenewsthatdealtwithpointsof saleterminalsoflargeretailchainsbeingcompro-misedbymaliciouscode.Itsoonbecameclearthat thiswasanewwaveofattackswhich,inbarelya few months, passed millions of credit and debit card recordstothehandsofcybercriminals.Inthenext few paragraphs we will share with you some of the mostimportantfactsabouttheseattacksanddis-cuss why in 2015 companies will have to pay atten-tion to this kind of threat.Point-of-Sale Malware or PoS Malware, as it is usu-allycalled,referstodiferentmalwarefamiliesthat compromise Point-of-Sale terminals in order to steal credit- or debit-card data while the user is making a purchase. To reach this objective, the cybercriminals notonlyneedtoinfectthemachinesusedtoread theusers'magnetic-bandcards,buttheyalsoneed to bypass all of the security levels of the POS systems. Large companies like Target, Home Depot, and UPS, among many others, fell victim to this type of attack inspiteofthecontrolstheyhadimplemented.One characteristicthatboththeTargetandtheHome Depot attacks shared is that the malicious code used tostealthecarddatafromthepointsofsalewere BlackPOSvariants.Thecodeofthismalwarefam-ilywasleakedin2012and,ashappenedwithZeus, thiscouldhavegeneratedmultiplevariants.Even theHomelandSecuritysNationalCybersecurity and Communications Integration Center (NCCIC) in partnershipwiththeUnitedStatesSecretsService (USSS)issuedawarningonsomePoSmalwareat-tacks with a technical report of the threat.Theinformationthefthappensdirectlyatthepoint ofsale,wheremalwarefamiliessuchasJacksPos, Dexter,BlackPOSandotherthreatsdetectedby ESETproductsasWin32/BrutPOSorWin32/POS-CardStealer extract the credit card data from RAM. While for some the process may seem simple, the cy-bercriminalsinfacthadtobypassmanyadditional securitycontrolsand,eventoday,howtheyman-agedtoaccesstheterminalstoinfecttheminthe rstplaceremainsunknownorwasnotdisclosed. Itismorethanclearthatwearefacingcomplex large-scale attacks, similar to the APTs presented in aprevioussectionofthisreport;however,thenal objective in this case is the theft of credit card infor-mationandnotthecondentialdataofcompanies or governments.The Objective is InformationCredit cards have magnetic bands that store their in-formation.Thenecessarydatatomakeapurchase, suchasthecreditcardnumber,thecardholder,the expirationdateandthesecuritycodearestoredin thethreetracksthatmakeupthemagneticband. Themomentweswipeourcardthroughthemag-netic stripe reader, all this information is loaded into the point-of-sale system to validate the purchase.Duetosafetyregulations,allcommunicationbe-tweenthecreditcardcompanyandtheretailstore where the purchase is made has to be encrypted, as is any stored data. However, there is a small window of exposure in which the card data are not encrypted this is the moment when they are read and stored in the computer's RAM. This is the point when threats like Dexter come into play and read the memory of the process corresponding to the payment system so that they can extract the card data afterwards. Once the card data have been extracted, the next step for the malicious code is to send the credentials and, ac-cordingtodiferentinvestigations,thisstepcanbe very varied: in some cases, the information was sent viaHTTPorFTP;inothers,thecollecteddatawere storedononeofthetargetedorganizationsown servers, to be accessed later on by the cybercriminals for extraction.Atthe2014VirusBulletinconference,oneofthe most important in the antivirus industry, we had the chance to attend the talk "Swipe away we're watch-ing you" by Hong Kei Chan and Liang Huang, where theauthorspresentedadetaileddescriptionofthe mechanisms implemented by the most widely used families in these kinds of attacks to read the memory of processes and extract information from the credit cards, as well as the mechanisms used to send data to attackers. POINT-OF-SALE MALWARE 11Itisimportanttounderstandhowseriousthese threatsare.Theywereresponsiblefor40million credit-anddebit-cardleaksintheTargetcase,an eventthatledtotheresignationofitsCEO.One ofthemostfamouscaseswasthatofUPS,where almost105,000transactionswithcreditanddebit cardswererecorded.Finally,oneofthecasesthat afected the most people due to the amount of data leakedwastheoneofHomeDepot,wheredata were stolen relating to 56 million cards. In this case, the afected stores were not only located in the US, but also in Canada. The Home Depot incident is the largestrelatingtoend-usernancialinformation leakage yet reported.Oneofthecriticalpointsregardingthesekindsof attackisthetimethatittakestonoticethatthe corporatenetworkshavebeencompromised.This is one of the greatest challenges for companies and, inparticular,fortheirsecurityteams.Accordingto data from Verizons 2013 Data Breach Investigations Report,ittookmonthsfor66%ofthecompanies that were victims of data theft in 2012 to realize they had been breached. In one of his articles, Brian Krebs notes that in the case of Target, the rst card leakage recordsgobacktoNovember27th,2013,givingthe attackers months to operate without being noticed. AccordingtothedeclarationsbytheCEOofTar-get,theincidentwasdetectedaftersecurityforces warnedthemaboutthisthreat,onDecember15th, 2013.In the case of the data theft at Neiman Marcus, out ofatotalnumberof1,100,000records,theinvesti-gations determined that the real number of afected credit and debit cards was 350,000, from July 16th to October 30th, 2013. Of these afected accounts, ap-proximately9,200weresubsequentlyusedtoshop fraudulently.SpecicallyregardingthecaseofHomeDepot,be-tween the month of April when the breach is be-lievedtohaverstoccurredandthepublication of the press release acknowledging the existence of the incident (on Tuesday, September 2nd), 56 million records were leaked through the company network.Thus,becomingavictimofthreatsasinthesecas-esisamatterforseriousconcern,giventhatmany timesaservervulnerabilityandlackofcontrolsin the software update processes could open a breach compromisingacompanyswholepoint-of-sale network.With a view to protecting points of sale, there are some things that companies should consider to minimize the exposure risk against this kind of incidents.Use a Strong PasswordIngeneralitisimportanttonoticethatmanyofthebrea-chedmachinesuseddefaultpasswordsorsimplevariantsof the PoS vendor's name. For example, the three most common passwords were "aloha12345", "micros" and "pos12345." It is a be-tter compromise between security and convenience to use a password phrase instead of a simple word, since a phrase can beeasilyrememberedanditwouldstilltaketoomuchtime tobedeciphered,givenitslength.Defaultpasswordsshould never be used on PoS software.Limit the Logon AttemptsA common strategy is to block people after the 3rd to 5th in-correct attempts. This drastically reduces the efectiveness of Brute Force attacks, because the attacker will not be able to trytheamountofincorrectpasswordsheneedsinorderto guess it.Limit the AccessLimitaccesswheneveryoucan.Forexample,ifyoudonot needtoaccessthemachineremotely,donotenableRDP.If you need to, make sure it is safe.Review the Update ProcessesAmong the PoS security measures, among other security solu-tions, it is possible to nd tools that only allow whitelisted pro-cesses and applications to run, which means they permit only the execution of processes marked as safe. In some incidents, the threats were installed during software updates which, ba-sed on the number of machines that will be updated, may re-main from a couple of weeks to several months. POINT-OF-SALE MALWARE 12POS Malware and 2015It is clear that since the end of 2013 and throughout the whole of 2014, the most important attacks have targetedtheretailmarket.However,asfarasnext year is concerned, we may see now as yet unknown attacks.Cybercriminalshavebeenabletondvul-nerabilities in the networks or infrastructure of some ofthemostimportantretailchainsworldwide.Itis crucialforcompaniestorethinkthewaytheypro-tect their Point of Sale systems and the entire infra-structure associated with them.Protectionoflargevolumesofinformationrequires theimplementationofthemostrigorouscontrols andteststhatcanbeimagined.Eventhoughsome ofthecaseswementionedinpreviousparagraphs seemtohavebeenperpetratedbydiferentgroups acting against the USA, there is plenty of evidence to showthatotherretailchainsorstoresoutsidethis countryarealsobeingattackedbyBlackPOSvari-ants.In2015,securityteamsinchargeofpoint-of-sale systemsmustreviewthewaytheyareprotecting and isolating them to limit breaches such as we saw in the last 12 months. Information leakage of this na-ture is a direct blow to the business that companies can ill aford, due to both the economic impact and to the damage to the company's reputation and the trust of its clients.Thatiswhy,aftertheTargetandNeimanMarcus incidents, companies like VISA, MasterCard and Eu-ropay have made an open invitation through VISA's CEO, to reinforce the security measures in the pay-ment systems and wherever the use of mobile devic-es could be a solution to pay, or else, a new problem for next year. POINT-OF-SALE MALWARE Information Leakage What Can be Done to Prevent Information Leakage? Why Should Companies Implement Two-Factor Authentication? Attacks and Their Numbers Incidents in the Last 5 years Breached Records in Millions Protection of Company Information in 2015 What Can a Company Do in 2015 to Protect Their Information?14Over the past few years, newsworthy cases of infor-mationleakagefromcompanies,governmentsand otherentitieshavehadanimpactonthousandsor even millions of users. 2014 was no exception there weremajorinformationleakagecasesandsomeof that stolen data appeared on diferent cybercriminal underground forums.We began 2014 with the piece of news that a retail companyssecurityhadbeenbreachedinthelast months of the previous year, leaving data from more than40millioncreditanddebitcardsinthehands of attackers. Although PoS systems were one of the mainvictimsofinformationleakage,theywerenot the only victims.Companies like eBay and Yahoo! had to notify thou-sandsormillionsofusersthattheirpasswordshad beenbreachedduringanattack.Unfortunately, thesebreacheswerenotenoughofawarningsign togetbusinesstotakeaction.Instead,companies continuedtobeafectedeitherdirectlyorthrough third-partytools,andthelistgoesonwithnames such as KickStarter, Spotify, Bitstamp, Snapchat, and Dropbox,amongothers.Oneofthelastcasesre-ported in 2014 involved Sony once again like in 2011. Cybercriminalsmanagedtoexploittheirsystems andamongthelosseswerefullversionsofmovies yet to be released.What Can Be Done to Prevent Information Leakage?Inourpreviousreport"Trendsfor2014:TheChal-lengeofInternetPrivacy,"westressedtheneedfor a two-factor authentication tool to improve security during user logon. According to the data revealed by Risk Based Security, during the rst half of 2014, 70% ofsecuritybreachesinvolvedpasswordexposure. Thisgurepointstooncemoretheimportancefor companies to have a two-factor authentication sys-tem,achallengethattheywillhavetofaceduring 2015.If we consider the services and sites that introduced two factor authentication to protect their users, we ndcompanieslikeGoogle,Facebook,Twitter,and Github, among others. The incorporation of a second authenticationfactorthrough,forinstanceanOTP (One-Time-Password)enhancessecurityduring userlogonanditalsosafeguardsdataintheevent that users' passwords are stolen or leaked, either by means of a malware infection in their own systems or through a security incident on the companys net-work.Why Should Companies Implement Two-Factor Authentication?Implementingtwo-factorauthenticationforcon-nectiontothecorporateVPN,CRMorotherWeb services is not merely protection for employees, but alsoavalue-addedservicethatcanbeoferedto clients and providers who interact with the compa-ny. In order to face all the challenges of information leaksandotherattacksthatcanafectcompanies, implementation of a two-factor authentication sys-tem will help protect them in 2015.Attacks and Their NumbersManyofthesecurityincidentsthisyearhavehad nancialorpointofsalesystemsastargets,asyou willbeabletoseeinthecorrespondingsectionof thisreport;nonetheless,otherindustrieswerealso afected.OneofthesecasesistheUSCommunity Health System (CHS), which became the victim of a data breach involving 4.5 million healthcare records. According to a statement made by the institution, its systems fell victim to an APT attack originating from China, based on the results of the investigation con-ducted by the company and Mandiant.TheCHScasewasnottheonlyonetargetingthe healthcareindustry.Accordingtoareportcarried outbytheUSIdentityTheftResourceCenter,asof December2014,therewere304reportsofsecurity breaches in medical institutions, representing 42.2% ofthetotalincidents.Eventhoughthisreportindi-catesthatthegreatestnumberofattackstargeted healthcareinstitutions,around80%ofthedataac-tuallybreachedcorrespondstothebusinesssector, whereinformationleakageaccountfor3outof10 cases. INFORMATION LEAKAGE 15TheinformationcontainedintheITRFCreportac-counted for a lower number of attacks if we consid-ertheRiskBasedSecurityreport.Accordingtothe securityrm,attacksduringtherstsixmonthsof 2014 were fewer than in previous years. However, in spite of having recorded half the number of incidents seenin2013,during2014therewere60%moreof information leaks as compared to the previous year, making the point that "more attacks" does not nec-essarily mean "more data leakage."Protection of Company Information in 2015Safeguarding information is an increasingly import-ant requirement for companies, as well as a guaran-tee for the continuity of the business. Based on the mainsecurityincidentswitnessedthroughout2014 and on the methodologies used to breach corporate defenses,wecanexpectthatthisyearcorporateIT teamswillhavetofacemorecomplexandstealthy attacks. The evolution in the complexity of attacks is, like the actors taking part in this process, a constant challengeforcorporatesecurity,sincethecompa-nies not only have to pay attention to the vulnerabil-ities the attackers are trying to exploit, but they also need to understand the reasons why their business-es might become a target for attackers.IndustryNumber of breaches(% of the total amount)Stolen records (% of the total amount)Banking/Credit/Financial 41 (5.7%) 1,182,492 (1.4%)Business 237 (32.9%) 64,731,975 (79.3%)Education 54 (7.5%) 1,243,622 (1.5%)Government/Military 84 (11.7%) 6,494,683 (8%)Medical/Healthcare 304 (42.2%) 7,944,713 (9.7%)Total 720 81,597,485 INFORMATION LEAKAGE Table 1Chart 4. Incidents in the Last 5 years Chart 5. Breached Records in Millions16What Can a Company Do in 2015 to Protect Their Information?The implementation of data encryption on mobile devices, corporate servers, laptops or other endpoints minimizes the chance of exposing corporate information due to a malware attack, the loss of equipment, or an unauthorized intrusion. In addition, a well-implemented two-factor authentication solution increases the security of company systems during logon. According to the data in the 2014 Risk Based Security report, 57% of the breaches during the rst half of 2014 involved usernames, email addresses and user passwords. In 2015, companies in Latin America and the rest of the world will be able to enhance their system and infrastructure security through the implementation of two-factor authentication, which ensures securelycontrolled access to corporate information. INFORMATION LEAKAGE Vulnerabilities Impact and Challengesfor 201518The year 2014 was a critical one regarding software vulnerabilities,notonlyduetotheirimpactonthe afected systems, but also due to the large number of systems involved. If we merely mentioned the cases ofHeartbleed,ShellshockandPoodle,aswellas the impact they had in the media and in the course of action taken by security teams it would be more than enough. However, though these may have been some of the vulnerabilities with the greatest recent impact,theywerenottheonlyones.Withthecre-ationofunknownvulnerabilitiesthatexploitsoft-warebugs,cybercriminalshavemanagedtocom-promisethesystemsofcompanies,government entities, and more.The potential impact of a critical vulnerability is ex-tremelyimportant,especiallywhenitafectstwo thirdsofInternetservers,ashappenedwiththe Heartbleedcase.ThisvulnerabilityinOpenSSLaf-fectedthousandsofserversworldwide,becauseit allowedtheattackertoreadamemoryspacethat couldhosttheaccesscredentialsorthekeysused fordataencryption.Asaresult,theFreeSoftware communityrespondedtotheincidentbyissuinga vulnerability patch and also created LibreSSL, a new projectdevelopedasanalternativetoOpenBSD groupsOpenSSL.Atthesametime,manyservices andserverskeptonusingvulnerableversionsof OpenSSL, enabling various cases of information leak-age that led to arrests.Another vulnerability was Shellshock, an error in the most widely used command-line interpreter of GNU/LinuxandotherUNIX-basedsystems,suchasAn-droid and Mac OS X. This bug allowed remote code execution, so that an attacker could take control of a system afected by this vulnerability. Shellshock was the second vulnerability reported in 2014 that afect-ed a large number of systems. Once again, the Open Source community responded quickly, so system ad-ministrators were able to install the security patch-es. Nonetheless, some cases were reported in which this vulnerability was used for malware propagation because some systems were not patched promptly.Apartfromlookingforcritical0-dayvulnerabilities, attackers generally use diferent exploits to perform thesekindsofattacks.ESETslabshavereported manycaseswherecybercriminalsexploitedspecic vulnerabilities to bypass security measures. Notable exploited vulnerabilities include those that feature in theBlackEnergycampaignsthattargetedUkraine andPoland,acasewherecybercriminalschoseMi-crosoftWordexploits(CVE-2014-1761)orMicrosoft PowerPoint exploits (CVE-2014-4114) to compromise diferenttargets.Inotherinstances,therewerere-portsaboutwebsitesthat,onceinltratedbyat-tackers,wereusedtoexploitvulnerabilitiesonthe systemsoftheuserswhovisitedthepages.One exampleisWin32/Aibatook,abankingtrojanthat propagatedthroughadultwebsitesinJapan;this particularcaseusedaJavavulnerabilitydiscovered in 2013.Software vulnerabilities are hard to predict, but once theyshowup,cybercriminalsstartexploitingthem over time, either for targeted attacks as part of an APTattackorbyincludingitinanExploitKitor for malware propagation through a hacked website. Theirusesaremanyandtheyareachallengeboth forsecurityteamsandforhomeusers.Thus,mini-mizingoreradicatingthewindowofexposuretoa vulnerability is one of the most important factors to enhance the security of a system, either in corporate or in home environments.Throughout 2015, vulnerabilities will play an import-ant role in corporate security, given that they always representarisk.Thosecompaniesthatdecideto play a proactive role will not only be one step ahead ofpossibleattacks,butwillalsohaveavailablethe latesttechniquestoprotecttheirsystemsandin-formation. Dening the proper security policies, im-plementingsecuritysolutionsthatallowdetection of exploitation attempts, and having varied security measuresarethemainweaponstocounterthese attacks.Someofthechallengesbroughtaboutby softwarevulnerabilitiescanbemitigatedwiththe installationofsecuritypatchesandOS/application updates. In the case of unknown threats i.e., 0-day threats they are much more complex, and having a well-trained, proactive security team is one of the best defenses against them. VULNERABILITIES IMPACT AND CHALLENGES FOR 2015Internet of Things or Internet of Threats? Home Automation Opens the Doors to New Threats More Connected Devices, More Online Threats IoT Security Concerns Threats Follow the Path of Technology20ThephraseInternetofThings(IoT)hasbeengoing around for a few years and it refers to the network of physical devices that have the necessary technology to communicate and interact, through the Internet, with other devices or human beings to afect the en-vironment that surrounds them.Nowadays, we can nd examples of these devices in some cars, lighting systems, refrigerators, home se-curitysystems,televisionsandtelephones.Though these may be the most common devices today, the list is much longer and can even include the corpo-rate environment if we consider, for instance, SCADA systems or any other industrial control systems.Their widespread use has reached the attackers' ra-dar and, given the fact that in 2014 we have started to see some proof-of-concept threats for these de-vices,in2015,itwillbeinterestingtoseehowmay IoTvendorsactuallystartaddressingthesesecurity concerns. Home Automation Opens the Doors to New ThreatsTherearemanyhouseholdappliancesthathave evolvedtothepointthatthemostrecentgenera-tionsallowforconnectivitytotheInternetinorder to consume content or share information that might be sensitive.Throughout2014wewerealreadyseeingsome proof-of-conceptthreats.Forinstance,wehave witnessedvulnerabilitiesfoundinSmartTVsthat would allow mass wireless attacks.Even in the rst months of 2014, more than 300,000 routers were attacked globally and some online con-tentservicesfellvictimstopasswordleaksaswell. This proves not only that the machines used are vul-nerabletotheseattacks,butalsothattheservices themselves are becoming more attractive to attack-ers.Furthermore,theLizardSquadDDoS-for-hire service, which was powered by thousands of hacked routers, has even been hacked itself.More Connected Devices, More Online ThreatsHowever,thedomesticappliancesarenottheonly afecteddevices.SmartTVs,forinstancewereone oftherstdevicesforwhichwebegantoseeat-tacksandvulnerabilities,giventhattheyarethe most widely spread. But there are also other devices that are becoming more and more widely used and forwhichwearealsowitnessingsomeexploitable vulnerabilities.Just like in 2013 we saw some proof-of-concept at-tacksforSmartTVs,during2014wewitnessedthe rst spyware samples for Google Glass, which aired concerns about wearable devices and privacy.IoT Security ConcernsTheideaofbeinginincreasinglyautonomousen-vironmentsthatmakelifeeasierforusmayseem tempting for many people. But the need for vendors to address security issues is real.Justassomecarmanufacturersbeganin2014to oferrewardstosecurityresearcherswhodetecta securityproblemintheirnewgenerationofauto-mobiles,in2015wewouldstarttoseetheseissues becoming more and more relevant.Thereisanadditionalfactorregardingthesecurity of these IoT devices. Computers had enough time to develop before they began to communicate through complexcommunicationnetworks,andwhenthey did,theseenvironmentswerestable,sothattech-nology had its space to develop. For the new devices, the environment in which they interact is much more hostile and, therefore, they need to be designed to be secure from the very beginning. INTERNET OF THINGS OR INTERNET OF THREATS?21 Threats Follow the Path of TechnologyThe possibility that the IoT becomes more of an "In-ternetofThreats"willdependmostlyontwofun-damental factors: vendors and users. So far, threats havefocusedondeviceswiththegreatestnumber of users. As this is not likely to change, security must depend on other factors.Therefore,themainsecurityconsiderationsthat should be considered for 2015 are among the follow-ing:ConnectivityThemaincharacteristicofthesedevicesistoallow interactionwiththeInternet;therefore,protecting the way they connect and share information is fun-damental.Easy updatesDue to the fact that this is an emerging and develop-ing technology, it will be common to nd vulnerabili-ties that will have to be resolved once the device is in the hands of its new owner. Consequently, the speed and ease of update deployment will be important if vendors are to win the race against the attackers.AuthenticationSince these devices will be connected to the Internet allthetime,itwillbeimportanttoguaranteethat thosepeopleinteractingwiththeinformationare reallywhotheyclaimtobe,soastoavoidleaksof sensitive information. Trustworthy applicationsThe specic features and manifestations of this tech-nology open up many possibilities to develop every-day tasks automatically. To build trust in using these devices, it will be necessary to guarantee that this is not exploited via maliciously modied applications. Data encryptionGiven the fact that these devices handle condential information,theyhavetodoitsafelyandsecurely. Therefore, encrypting this information is a good op-tion so that third parties cannot access it in order to change or steal it. INTERNET OF THINGS OR INTERNET OF THREATS? Conclusion23Throughoutthisdocumentonthetrendsfor2015, wehavereviewedsomeofthemostimportantse-curity incidents of 2014. We discussed the role of the APTsincomputerattacksandtherisktheyrepre-sent for companies, we recalled how more than 100 millioncreditanddebitcardswereleakedinretail marketattacks,andwehavealsomentionedthat ransomwaremanagedtoencryptinformationfrom usersandcompanies,inordertoattempttoextort money.Butistherearelationshipbetweentheat-tacks? Who is afected? What are the complications this brought about throughout the year?Asyearsgoby,cybercriminalskeeponimproving their persuasive and deceptive modi operandi, either todeceiveusersthroughSocialEngineeringorto use vulnerabilities to bypass protection mechanisms. Theappearanceofcriticalvulnerabilities,program-ming bugs and massive cases of information leakage continued to have an impact on the corporate world. Companies are protecting their information to try to protect business continuity, since corporate valuable informationisoneofthecybercriminals'maintar-gets.Withinthisframeworkofvaluableinformation, the challenge for companies in 2015 lies in the way they will protect their data, their business, and in particular how they will manage to convince em-ployees to become invested in their security pro-grams. In a world where we are increasingly con-nected and interconnected, where our online lives are inextricably bound to our physical lives, where theBring-Your-Own-Devicepolicyhasbecome commonplace in so many places, users will have to live with a prole for work, and for outside work. Thisuser'sdoubleprolemeansthatpeoplecan be users of diferent online services such as email accounts,socialnetworks,cloudstorage,andso on,andatthesametimemanyofthemdevelop professionally and have access to classied infor-mation.Theymaysometimesevenbetheones responsible for protecting the data at companies, governments or other organizations.Fromwhatwehaveseeninthelastfewyearsre-garding targeted attacks, information leakage cases, andtheevolutionofcybercriminalstohijackusers' and companies' data, we could certainly expect that 2015willbeayearfullofchallengesforITsecurity. TheITsecurityteamsofcompaniesandgovern-mentswillhavetoadoptamoreproactiverolein termsofdefenses,usingdiferenttoolstoforesee and forestall the possible attacks and rely on educa-tion as a means of defense. Beyond the probabilities ofwhatcanbepredicted,itsclearthatbusinesses willcontinuetobeoneofthecybercriminals'main targets,butthatisjustoneofthethreatswewill need to manage in 2015. CONCLUSIONABOUT ESETSince 1987, ESET has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional ofces in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter. www.eset.com