You can download a copy of the report (Free) at: http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014
From the Executive Summary of the report, below are some of the "positives and negatives" of today's cyber threat landscape from ENISA's point of view.
Many of the changes in the top threats can be attributed to successful law enforcement operations and mobilisation of the cyber-security community (bolding by Ernie Hayden):
- The take down of GameOver Zeus botnet has almost immediately stopped infection campaigns and Command and Control communication with infected machines.
- Last year’s arrest of the developers of Blackhole has shown its effect in 2014 when use of the exploit kit has been massively reduced.
- NTP-based reflection within DDoS attacks are declining as a result of a reduction of infected servers. This in turn was due to awareness raising efforts within the security community.
- SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
- Taking off-line Silk Road 2 and another 400 hidden services in the dark net has created a shock in TOR community, both at the attackers and TOR users ends.
But there is a dark side of the threat landscape of 2014:
- SSL and TLS, the core security protocols of the internet have been under massive stress, after a number of incidents have unveiled significant flaws in their implementation .
- 2014 can be called the year of data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
- A vulnerability found in the BASH shell may have a long term impact on a large number of components using older versions, often implemented as embedded software.
- Privacy violations, revealed through media reports on surveillance practices have weakened the trust of users in the internet and e-services in general.
- Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, thus increasing efficiency and evasion through security defences.