Part 2: Symantec releases Internet Security Threat Report
vol 6
20 September, 2004
by Dave Chappelle
On Monday, Symantec released a major four-part Internet Security
Threat Report with data gathered from clients around the world,
and indicating some trends that can only be described as alarming.
The Symantec Internet Security Threat Report covers the period
from January 1 through June 30, 2004. It combines data and
analysis from 500 managed security customers around the globe,
and over 20,000 registered sensors that gather data for analysis
from more than 180 countries.
The database holds over 10,000 known vulnerabilities, along with
statistics from more than 120 million client-server gateways,
be they home users or others.
The report is divided into four areas: Attack trends and
Vulnerability trends were discussed previously in Part 1; here
in Part 2 are Malware trends and Future watch.
Malware trends
Most significantly, Symantec documented 4496 new Win32 viruses
and worms.
"That's four and a half times more than the same period
in 2003," said Michael Murphy, Canadian General Manager,
Symantec.
"There's enough re-usable code for attackers out there;
that's why we are seeing more viruses and worms than we have
in previous periods."
The number of distinct variants of bots has also increased.
There were 994 in the first half of 2003, over 1700 for the
second half. The first half of this year has almost doubled
that of the entire last year.
MyDoom and its variants continued to be the most prolific
blended threat this period.
"The W32.Mydoom.W variant is the first to specifically
target an anti-virus vendor," said Murphy.
"P2P, network file sharing appears to be the most popular
vectors for malicious code. Various ports open to IRC, P2P,
file-sharing, and other are the most common vectors."
Spyware accounts for the top six positions, or 12 per cent,
of the top submissions.
Future watch
Spyware and ad-ware are a growing concern by volume, by threat,
and by sophistication.
In the past year, US banks and credit card companies indicated
that 1.2 billion dollars in damages resulted from phishing alone.
In the US, 1.8 million people have fallen victim to online
fraud as a result of a phishing attack.
With other crimes the number of incidents is often lower
because victims don't always file reports.
"Most individuals would report a phishing attack, because
it involves banking," said Murphy.
"I believe the numbers are accurate; I certainly don't
believe they are overstated."
The growth of high-speed Internet access has increased the
opportunity for attackers. Small businesses and home users still
have dialup-level protection in place even though they've
moved into broadband. Security practices haven't kept pace.
The acquisition of hardware absolutely ties into connectivity
and bandwidth.
"We're starting to see vulnerabilities and specifically
targeted personal routers and firewall devices, from causing
remote crashes to causing full resets that allow full access
and administration of those devices," said Murphy.
"Even if there was a patch, most users who have routers
in their houses wouldn't be capable of installing it. They
are not the easiest things to patch. I think the manufacturers
are going to have to develop those devices with security built
in."
The consumer market presents a challenge for the channel in
offering some type of service.
"Renting or leasing the device is the only opportunity
to provide ongoing maintenance, and it isn't happening today,"
Murphy said. "More are selling devices and appliances."
There are benefits to supplying after-sales services
and support. With an average cost under $100 for inexpensive
models, hardware routers and modems comprise a disposable,
point-in-time solution. Consumers might think, 'As threats
change it's only a hundred bucks, so I'll buy another one
in a couple of years.'
"I'm not sure consumers want to spend $500 on a quality
hardware-based solution or appliance," said Murphy.
"ISPs could be doing that. The challenge is how do they
make money off of it; how do they monetize? Hosted spyware,
anti-spam, and anti-virus could all be offered. Are customers
willing to pay? The price-sensitive ISP model today doesn't
indicate that they are."
There are perhaps 20 different vulnerabilities around a hardware
firewall device. Can a reseller monetize an offering or service
around those entry-level devices?
What's more telling are the medium-size devices that a small
organization would have. They cost more, have more sophistication,
and are true appliances.
"Here's an opportunity on a monthly basis to not just
provide management, but also to provide health checking, patch
management, and ensure that rules are updated and maintained,"
said Murphy. "Rule sets need to be tweaked and reconfigured
periodically."
Patterns between replications and variants speak specifically
to advancement, and propagation mechanisms that will quite
possibly render traditional anti-virus scanning products
ineffective.
"Even first-level heuristics aren't capable," said
Murphy. "Only those solutions that develop good behaviour
blocking and other characteristics will prevent them. Smaller
anti-virus only companies will likely not survive over time,
and either be absorbed by larger firms, or disappear."
Education and awareness are important aspects of security
that are missing today, for example, training employees how
to recognize the signs of a worm or attack. It's also imperative
to educate management on the importance of security, and not
look at security as an expense, but as an ability to modify
a return on investment.