Indo-US Cyber Security Seminar - Internet Threats
Dean Turner, Executive Editor, Symantec Internet Security Threat Report, Symantec Security Response
April 21, 2005
Internet Security Threat Report VI
The Symantec Internet Security Threat Report Information that:
• Provides a comprehensive analysis of Internet security activities and trends
• Compiled every six months
• Offers a complete view of today’s Internet security landscape
• Identifies and analyzes attacker methods and preferences
• Details the latest trends and information
  • Internet attacks
  • Vulnerabilities that have been discovered and exploited
  • Malicious code
  • Additional Security Risks - Adware, Spyware, Phishing, and Spam
  • Future Watch - Reasoned speculation on future trends
What Makes the Internet Security Threat Report Unique?
Based on one of the world’s largest sources of security data.
• 500 Symantec Managed Security Services customers
• 20,000 sensors worldwide monitoring network activity in 180 countries
• 120 million client, server, and gateway antivirus systems
• 11,000-entry vulnerability database
• Symantec Probe Network with over 2,000,000 decoy accounts attracting spam and phishing email from 20 different countries from around the world
Provides a comprehensive view of what the state of Internet security looks like today
Today’s Threat Landscape
• Recent outbreaks validate data in the Symantec Internet Security Threat Report.
• Attack rates are up along with the severity of those attacks.
• More and more attacks are designed with a financial motive in mind.
• Attacks are becoming increasingly sophisticated and difficult to defend against.
• Attacks targeting Web Applications and Web Browsers continue to rise.
Internet Security Trends
Attack Trends – Bot Infection Statistics Global
Rank  Country         Percent of bot-infected computers
1     United Kingdom  25.2%
2     United States   24.6%
3     China           7.8%
4     Canada          4.9%
5     Spain           3.8%
6     France          3.6%
7     Germany         3.5%
8     Taiwan          3.1%
9     South Korea     3.0%
10    Japan           2.6%
Statistics are based on the number of computers worldwide that are known to be infected with bots and what percentage are situated in each country.
The rapid growth of broadband connections in the U.K. along with associated increase in infrastructure and support costs may slow the response of ISPs to reports of network abuse and infection.
Attack Trends – Bot Infection Statistics India
Statistics are based on the number of computers in India that are known to be infected with bots and what percentage are situated in each city.
Top Bot Network Cities - India
Rank  City               Percentage of Indian Bot Infected Computers
1     New Delhi / Delhi  41%
2     Mumbai             29%
3     Chennai            10%
4     Bangalore          6%
5     Hyderabad          3%
6     Bhopal             2%
7     Ahmedabad          2%
8     Pune               2%
9     Noida              1%
10    Surat              1%
Attack Trends – Severe Events By Industry
[Chart: severe events per 10,000 events, by industry: Financial Services, Manufacturing, Transportation, Media/Entertainment, Telecom, High Tech, Nonprofit, Power & Energy, Healthcare, Business Services]
• Severe attacks pose the greatest threat to organizations because they can result in serious damage to, and compromise of, the targeted network; as such, they may indicate the risk to which that industry is exposed.
• With the growth in phishing and other financially motivated attacks, the rise in severe events in financial services is in line with our current and future predictions.
Attack Trends – Attack Type
[Chart: percent of all attacks by type (worm attacks, probes, non-worm attacks) for July-Dec 2003 (ISTR V), Jan-June 2004 (ISTR VI), and July-Dec 2004 (Current)]
Worm attacks continue to decline from a high of 59% in the first half of 2003.
Probe activity remains high as scanning for back door services on high-level ports increases.
Attack Trends – Top Source Countries
Current Rank  Jan-June 2004 Rank  Country        Current percent of events  Jan-June 2004 percent of events
1             1                   United States  30%                        37%
2             2                   China          8%                         6%
3             5                   Germany        8%                         5%
4             9                   South Korea    4%                         3%
5             3                   Canada         4%                         6%
6             6                   Great Britain  4%                         4%
7             7                   France         3%                         4%
8             NR                  Japan          3%                         NA
9             8                   Spain          3%                         3%
10            NR                  Italy          2%                         NA
Vulnerability Trends – Total Volume
[Chart: documented vulnerabilities by six-month period, Jan-June 2001 through July-Dec 2004]
Between July 1st and December 31st, 2004, the total number of vulnerabilities grew by 13% over the previous reporting period and is the 3rd consecutive period in which the number of vulnerabilities has increased.
Vulnerability Trends – Web Applications
[Chart: documented Web Application vulnerabilities by period: July-Dec 2003, Jan-June 2004, July-Dec 2004]
48% of the total number of vulnerabilities disclosed between July 1st and December 31st, 2004 were Web Application vulnerabilities. This is a 16 point increase over the same reporting period in 2003.
Vulnerability Trends – Exploit Development Time
[Chart: exploit development time by month, January through November]
Between July 1st and December 31st, 2004, the average time between the disclosure of a vulnerability and the publication of its associated exploit was 6.4 days. This represents an increase of less than one day over the previous reporting period.
Vulnerability Trends – Severity
[Chart: documented vulnerabilities by severity for July-Dec 2003, Jan-June 2004, and July-Dec 2004]
High severity vulnerabilities continue to rise representing nearly 50% of the total number of vulnerabilities. When combined with medium severity vulnerabilities, over 97% of the total number of vulnerabilities discovered in this period result in a partial or complete compromise.
Malicious Code Trends – Win32 Variants
[Chart: total viruses and worms (Win32 variants) by period, Jan-Jun 2002 through July-Dec 2004]
During the current reporting period more than 7,360 new virus and worm variants were discovered, representing a 64% increase over the previous reporting period and a 332% increase over the same period last year.
As of December 31st, 2004, the total number of Win32 variants is approaching 17,500.
Malicious Code Trends – Confidential Information
[Chart: percent of top 50 malicious code reports with the potential to expose confidential information, by period: July-Dec 2003, Jan-June 2004, July-Dec 2004]
Threats to confidential information continue to increase with 54% of the Top 50 reported malicious code having the potential to expose confidential information.
Malicious Code Trends – P2P/IM/IRC/CIFS
[Chart: percent of top 50 malicious code reports using P2P, IM, IRC, and CIFS, by period: July-Dec 2003, Jan-June 2004, July-Dec 2004]
The number of threats using P2P, IM, IRC, and CIFS within Symantec’s top 50 malicious code reports has increased by 39% over the previous six-month period and currently represents 50% of the Top 50 Threats reported to Symantec.
Variants of Netsky, Beagle, and Mydoom continue to be predominant threats during the current reporting period and all use P2P to spread.
Additional Security Risks – Phishing
[Chart: percent (0.0% to 1.5%) by date, Aug 1, 2004 through Dec 31, 2004]
Between July 1st and December 31st, 2004, the volume of Phishing messages as a percentage of email grew from an average of 1 Million a day to 4.5 Million.
On peak days during this period, over 9 Million Phishing messages were observed.
Additional Security Risks – Spam
[Chart: total messages and total spam by date, 7/1/04 through 12/30/04]
Based on data returned from the Symantec Probe Network, 60% of all email traffic between July 1st and December 31st, 2004 was considered Spam.
During the current reporting period there was a 77% growth in the amount of Spam that Symantec saw in the companies it monitored.
Future Watch
• Viruses and Worms targeting Client Side exploits are expected to increase over the next six months to a year.
• Bots and Bot Networks being used for financial gain. In conjunction with more sophisticated phishing and malicious code attacks, Symantec expects to see an increase in the number of reports of bots and bot networks being used for financial gain.
• More damaging mobile device malicious code is expected to appear over the next six months. The release of the Cabir worm source code in December is an indication of things to come.
• Embedded malicious code in Audio and Video images. In September Microsoft announced a vulnerability in its implementation of the JFIF image file format that could potentially allow image files displayed on a host system to execute malicious code.
Conclusions
• Attackers are increasingly motivated by financial gain. As the rewards get more attractive, attackers will continue to improve their methods.
• Traditional perimeter defenses are not enough. With the rise in client side attacks and web application attacks, attackers are finding new ways into the network.
• The volume and severity of attacks continues to rise. A short patch window, increasing numbers of malicious code variants and more daily attacks.
Thank You