Two new reports have just been released dealing with the state of Internet security; one is from Microsoft, and the other from Verizon. If you are interested in security, I recommend both reports as interesting, if sometimes rather depressing, reading.
Since 2008, Verizon’s RISK Team has published an annual report summarizing security and data breach incidents, and categorizing them on various criteria (e.g., who did it? how was it done?). The 2013 Data Breach Investigations Report [PDF] analyzes data from more than 47,000 security incidents and 621 confirmed data breaches. This year, the report attempts to assess the prevalence and origins of “espionage” attacks: those whose primary motivation was not mischief or financial gain, but theft of trade secrets and other intellectual property. There is also an Executive Summary [PDF] available.
Microsoft’s Security Intelligence Report (Vol. 14) [PDF], which covers the period July through December, 2012, is (as you might expect) more focused on software security issues. The report looks at the software security vulnerabilities that have been disclosed, and the exploits that have been detected, and attempts to identify particular problem areas and trends. As has been true for some time, the most common type of exploit is one involving HTML and JavaScript; document-based and Java-based exploits, two other hardy perennials, showed a significant increase in the second half of 2012. There is also a Key Findings [PDF] summary of this report.
I have not had a chance to read these reports yet, but will post further comments here when I have. An essential part of any sensible security analysis is an evaluation of the threats one is guarding against. These reports should provide some information useful in that exercise.