Internet Security Threat Report Volume 9


Internet Security Threat Report Volume 9 – Spokesperson Training

Internet Security Threat Report VI

What the Symantec Internet Security Threat Report is…

Information that:

Provides a comprehensive analysis of Internet security activities and trends

Compiled every six months

Offers a complete view of today’s Internet security landscape

Identifies and analyzes attacker methods and preferences

Details the latest trends and information

• Internet attacks

• Vulnerabilities that have been discovered and exploited

• Malicious code

• Additional Security Risks - Adware, Spyware, Phishing, and Spam

Provides a complete view of the state of the Internet


Key Data Points - What makes the ISTR unique?

Based on one of the world’s largest sources of security data.

500 Symantec Managed Security Services customers

40,000 sensors worldwide monitoring network activity in 180 countries

120 million client, server, and gateway antivirus systems

13,000-entry vulnerability database, 30,000 technologies, 4000 vendors.

Symantec Probe Network with over 2,000,000 decoy accounts attracting spam and phishing email from 20 different countries around the world

The Symantec™ Global Intelligence Network.


Today’s Threat Landscape

Cybercrimes such as online fraud and the theft of confidential information are dominating the public’s consciousness.

Bots, bot networks and customizable or ‘modular’ malicious code are the preferred methods of attack.

Web applications and web browsers are increasingly becoming the focal point of attacks.

Continued decline in noisy Category 3 & 4 threats and a corresponding increase in quieter, stealthier Category 1 and 2 threats.


Important Messaging

Cybercrime - Fraud and theft. As the rewards get more attractive, attackers will continue to improve their methods.

Traditional perimeter defenses are not enough. With the rise in client side attacks and web application attacks, attackers are constantly finding new ways into the network.

The volume and severity of attacks continue to rise. A short patch window, increasing numbers of malicious code variants and stealthy, silent attacks.


Attack Trends – Bot Infection Statistics

From July 1 - December 31, 2005 bot network activity decreased slightly. On average we saw 9,163 unique bot network machines per day, down from 10,347.

The United States increased its percentage of known bot-infected computers by 7% to 26% of the global total.


Attack Trends – Denial of Service

During the current reporting period, Denial of Service attacks grew by more than 51% to an average of 1402 per day, up from 927 per day in the last reporting period.


Attack Trends – Top Targeted Industries

• As predicted, the rise in online fraud and the shift towards financial motivation has moved Financial services to the top of targeted industries in the last half of 2005.


Attack Trends – Top Originating Countries

The United States remains the top source country for attacks with 31%.

China’s 1% increase corresponds to a 153% increase in the volume of attacks originating from within the PRC.


Attack Trends – Time To Compromise - Servers

Server operating systems in a web server role


Attack Trends – Time To Compromise - Desktops

Desktop systems NOT behind a firewall.


Attack Trends – Additional Data Points

Slammer was the Top Attack for the 5th reporting period in a row, accounting for 45% of all attacks. Generic HTTP Directory Traversal Attack and the Generic ICMP Flood Attack were 2nd and 3rd respectively.

UDP port 1026 was the top attacked port with 17% of all attacks. Ports 445 and 443 were 2nd and 3rd respectively.

Daily attack rate has fallen from 57 to 39 attacks per day.


Vulnerability Trends – Volume - 2001 - 2005

Between July 1 - December 31, 2005, the total number of vulnerabilities grew by 1% over the previous reporting period and 34% over the same period last year. The total number of vulnerabilities reported this period is the highest ever recorded.


Vulnerability Trends – Web Applications

In the last 6 months of 2005, 69% of all vulnerabilities reported to Symantec were web application vulnerabilities, an increase of 15% over the previous reporting period.


Vulnerability Trends – Web Browsers (Vendor and Non-vendor confirmed)

Internet Explorer had the largest total of combined vulnerabilities with 24, the same amount as the previous reporting period.

Firefox had the second highest total of combined vulnerabilities with 17, a decrease of 15 vulnerabilities from the previous reporting period.


Vulnerability Trends – Window of Exposure

From July 1 - December 31st 2005, the average Exploit development time was 6.8 days, almost a full day more than the previous reporting period.

During the same period, there was an average of 49 days between vulnerability publication and the release of a patch by a vendor. This is down sharply from the 64 days in the previous reporting period.


Vulnerability Trends – Severity & Ease of Exploitation

When including remotely exploitable criteria, 97% of the vulnerabilities documented by Symantec were rated High or Moderate Severity and 84% were remotely exploitable.

79% of the total number of vulnerabilities were classified as easy to exploit, an increase of 5 percentage points over the previous reporting period.


Malicious Code Trends – Threats to Confidential Information

Threats to confidential information have continued to increase over the past three reporting periods, with 80% of the Top 50 reported malicious code in this period having the potential to expose confidential information, an increase of 6 percentage points over the previous reporting period.

This is primarily due to the number of Mytob variants: 5 of the top ten and 13 of the top 50.


Malicious Code Trends – Modular Malicious Code

Modular malicious code is malicious code that initially possesses limited functionality but that, once installed on a target host, can download other pieces (or modules) of code with different, usually malicious, functionalities. It is initially low in risk but can increase to higher risk levels.

Modular malicious code accounts for 88% of the top 50 malicious code in the current reporting period, a 14% increase over the 77% in the previous report.


Malicious Code Trends – Top Ten Malicious Code & Propagation

8 of the top ten malicious code propagated via mass-mailing techniques. In the previous reporting period only 2 propagated via this method.

All of the top ten malicious code have the potential to be used for fraud and cybercrime.


Malicious Code Trends – Instant Messaging Threats

New metric for this report.

Worms constituted 91% of IM-related malicious code activity, a 10% increase over the 83% observed during the first half of 2005. Trojans accounted for 9% and Viruses less than 1% during the current reporting period.


Additional Security Risks – Phishing

The number of phishing attempts blocked rose from 1.04 billion to 1.45, a 44% increase.

Symantec saw an average of 7.92 million phishing attempts per day, up from the 5.7 million observed during the last reporting period. Peak activity during the current reporting period saw 17 million phishing attempts per day.


Additional Security Risks – Spam

Between January 1st and June 30th, 2005, the average percentage of email that is Spam was 50%, an 11 percentage point decrease from the last reporting period. Monthly totals over the period show a decline from a high of 54% in January to 50% in June.

On average, 56% of all Spam received worldwide originated in the United States. Over the course of the reporting period, the United States exhibited a 5% increase while China grew by 7%.


Additional Security Risks – Adware/Spyware

Adware and Spyware are not categorized by Symantec as ‘Malicious Code’ but rather as potential security risks.

The most reported Adware from July 1 - December 31 2005 was Websearch (19%).

9 of the top ten were installed by rogue affiliates.

7 of the top ten carried a risk rating of High or Medium.

5 of the top ten employed some form of anti-removal technique, were installed via drive-by downloading and updated themselves more than once a day. Aurora updated itself over 13 times per day.

The most reported Spyware from January 1st - June 30th, 2005 was CometCursor (42%).


Future Watch

Increase in malicious code utilizing stealth capabilities.

Increased commercialization of vulnerability research.

Non-traditional platform threats expected to emerge.

A ‘Boom’ cycle for bots and bot networks.

Increase in phishing messages and malicious code distributed through instant messaging.

Mac OS X


Enterprise Best Practices

Employ Defense-in-Depth practices which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. This should include the deployment of antivirus, firewalls, intrusion detection and intrusion protection systems on client systems.

Turn off and remove unneeded services.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files.

Isolate infected computers quickly to prevent further compromising your organization.

Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.

Ensure emergency response procedures are in place. This includes having a backup and restore solution in place in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.

Educate management on security budgeting needs.

Test security to ensure that adequate controls are in place.

Both spyware and adware can be automatically installed on systems along with file-sharing programs, free downloads, and freeware and shareware versions of software, or by clicking on links or attachments in e-mail messages, or via instant messaging clients. Ensure that only applications approved by your organization are deployed on the desktop.
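
The attachment-blocking practice in the list above can be sketched as a gateway-side filter. This is an added example, not part of the Symantec material; the function names and the sample message are constructed for illustration, and only the extension list comes from the slide.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the best-practice item on attachment blocking.
BLOCKED_EXTENSIONS = (".vbs", ".bat", ".exe", ".pif", ".scr")


def is_blocked(filename):
    """True if the attachment name ends in a blocked extension."""
    if not filename:
        return False
    # Compare case-insensitively and ignore trailing dots/spaces, which
    # Windows drops when the file is saved ("a.exe. " becomes "a.exe").
    name = filename.strip().rstrip(". ").lower()
    return name.endswith(BLOCKED_EXTENSIONS)


def strip_blocked_attachments(msg):
    """Replace blocked attachments with a notice; return removed names."""
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition "filename", then falls
        # back to Content-Type "name", decoding RFC 2231 values.
        filename = part.get_filename()
        if is_blocked(filename):
            removed.append(filename)
            # set_content() clears the old payload and Content-* headers.
            part.set_content(f"[attachment {filename} removed by mail policy]")
    return removed


def build_sample():
    """Constructed sample message (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.EXE")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="update.scr")
    # Round-trip through bytes so the filter sees parsed wire-format input.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    sample = build_sample()
    print("removed:", strip_blocked_attachments(sample))
    print("kept:", [p.get_filename() for p in sample.walk() if p.get_filename()])
```

Extension matching does not look inside archives or at file content, so it complements the antivirus scanning listed above rather than replacing it.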