Indo-US Cyber Security Seminar - Internet Threats

Dean Turner, Executive Editor, Symantec Internet Security Threat Report
Symantec Security Response
April 21, 2005



Internet Security Threat Report VI

The Symantec Internet Security Threat Report Information that:

• Provides a comprehensive analysis of Internet security activities and trends
• Compiled every six months
• Offers a complete view of today’s Internet security landscape
• Identifies and analyzes attacker methods and preferences
• Details the latest trends and information
  • Internet attacks
  • Vulnerabilities that have been discovered and exploited
  • Malicious code
  • Additional Security Risks - Adware, Spyware, Phishing, and Spam
  • Future Watch - Reasoned speculation on future trends


What Makes the Internet Security Threat Report Unique?

Based on one of the world’s largest sources of security data.

• 500 Symantec Managed Security Services customers
• 20,000 sensors worldwide monitoring network activity in 180 countries
• 120 million client, server, and gateway antivirus systems
• 11,000-entry vulnerability database
• Symantec Probe Network with over 2,000,000 decoy accounts attracting spam and phishing email from 20 different countries from around the world

Provides a comprehensive view of what the state of Internet security looks like today


Today’s Threat Landscape

• Recent outbreaks validate data in the Symantec Internet Security Threat Report.
• Attack rates are up along with the severity of those attacks.
• More and more attacks are designed with a financial motive in mind.
• Attacks are becoming increasingly sophisticated and difficult to defend against.
• Attacks targeting Web Applications and Web Browsers continue to rise.


Internet Security Trends


Attack Trends – Bot Infection Statistics Global

Rank  Country         Percent of bot-infected computers
1     United Kingdom  25.2%
2     United States   24.6%
3     China           7.8%
4     Canada          4.9%
5     Spain           3.8%
6     France          3.6%
7     Germany         3.5%
8     Taiwan          3.1%
9     South Korea     3.0%
10    Japan           2.6%

Statistics are based on the number of computers worldwide that are known to be infected with bots and what percentage are situated in each country.

The rapid growth of broadband connections in the U.K. along with associated increase in infrastructure and support costs may slow the response of ISPs to reports of network abuse and infection.


Attack Trends – Bot Infection Statistics India

Statistics are based on the number of computers in India that are known to be infected with bots and what percentage are situated in each city.

Top Bot Network Cities - India

Rank  City               Percentage of Indian Bot Infected Computers
1     New Delhi / Delhi  41%
2     Mumbai             29%
3     Chennai            10%
4     Bangalore          6%
5     Hyderabad          3%
6     Bhopal             2%
7     Ahmedabad          2%
8     Pune               2%
9     Noida              1%
10    Surat              1%


Attack Trends – Severe Events By Industry

[Bar chart: severe events per 10,000 events, by industry (Financial Services, Manufacturing, Transportation, Media/Entertainment, Telecom, High Tech, Nonprofit, Power & Energy, Healthcare, Business Services)]

• Severe attacks pose the greatest threat to organizations as they can result in serious damage and compromise of the targeted network and as such, may indicate the risk to which that industry is exposed.

• With the growth in phishing and other financially motivated attacks, the rise in severe events in financial services is in line with our current and future predictions.


Attack Trends – Attack Type

[Chart: percent of all attacks by type (worm attacks, probes, non-worm attacks) for July-Dec 2003 (ISTR V), Jan-June 2004 (ISTR VI) and July-Dec 2004 (Current)]

Worm attacks continue to decline from a high of 59% in the first half of 2003.

Probe activity remains high as scanning for back door services on high-level ports increases.


Attack Trends – Top Source Countries

Current rank  Jan-June 2004 rank  Country        Current percent of events  Jan-June 2004 percent of events
1             1                   United States  30%                        37%
2             2                   China          8%                         6%
3             5                   Germany        8%                         5%
4             9                   South Korea    4%                         3%
5             3                   Canada         4%                         6%
6             6                   Great Britain  4%                         4%
7             7                   France         3%                         4%
8             NR                  Japan          3%                         NA
9             8                   Spain          3%                         3%
10            NR                  Italy          2%                         NA


Vulnerability Trends – Total Volume

[Bar chart: documented vulnerabilities per six-month period, Jan-June 2001 through July-Dec 2004]

Between July 1st and December 31st, 2004, the total number of vulnerabilities grew by 13% over the previous reporting period and is the 3rd consecutive period in which the number of vulnerabilities has increased.


Vulnerability Trends – Web Applications

[Bar chart: documented Web application vulnerabilities for July-Dec 2003, Jan-June 2004 and July-Dec 2004]

48% of the total number of vulnerabilities disclosed between July 1st and December 31st, 2004 were Web Application vulnerabilities. This is a 16 point increase over the same reporting period in 2003.


Vulnerability Trends – Exploit Development Time

[Chart: exploit development time by month, January to November]

Between July 1st and December 31st, 2004, the average time between the disclosure of a vulnerability and the publication of its associated exploit was 6.4 days. This represents an increase of less than one day over the previous reporting period.


Vulnerability Trends – Severity

[Bar chart: documented vulnerabilities by severity for July-Dec 2003, Jan-June 2004 and July-Dec 2004]

High severity vulnerabilities continue to rise representing nearly 50% of the total number of vulnerabilities. When combined with medium severity vulnerabilities, over 97% of the total number of vulnerabilities discovered in this period result in a partial or complete compromise.


Malicious Code Trends – Win32 Variants

[Bar chart: total Win32 viruses and worms by period: Jan-Jun 2002 445; July-Dec 2002 687; Jan-Jun 2003 994; July-Dec 2003 1,702; Jan-Jun 2004 4,496; July-Dec 2004 7,360]

During the current reporting period more than 7,360 new virus and worm variants were discovered representing a 64% increase over the previous reporting period and a 332% increase over the same period last year.

As of December 31st, 2004, the total number of Win32 variants is approaching 17,500.


Malicious Code Trends – Confidential Information

[Bar chart: percent of top 50 reports for July-Dec 2003, Jan-June 2004 and July-Dec 2004]

Threats to confidential information continue to increase with 54% of the Top 50 reported malicious code having the potential to expose confidential information.


Malicious Code Trends – P2P/IM/IRC/CIFS

[Bar chart: percent of top 50 reports by period: July-Dec 2003 32%; Jan-June 2004 36%; July-Dec 2004 50%]

The number of threats using P2P, IM, IRC, and CIFS within Symantec’s top 50 malicious code reports has increased by 39% over the previous six-month period and currently represents 50% of the Top 50 Threats reported to Symantec.

Variants of Netsky, Beagle, and Mydoom continue to be predominant threats during the current reporting period and all use P2P to spread.


Additional Security Risks – Phishing

[Chart: phishing messages as a percent of email, by date, Aug 1, 2004 to Dec 31, 2004]

Between July 1st and December 31st, 2004, the volume of Phishing messages as a percentage of email grew from an average of 1 Million a day to 4.5 Million.

During peak days during this period over 9 Million Phishing messages were observed.


Additional Security Risks – Spam

[Chart: total messages and total spam by date, 7/1/04 to 12/30/04]

Based on data returned from the Symantec Probe Network, 60% of all email traffic between July 1st and December 31st, 2004 was considered Spam.

During the current reporting period there was a 77% growth in the amount of Spam that Symantec saw in the companies it monitored.


Future Watch

• Viruses and Worms targeting Client Side exploits are expected to increase over the next six months to a year.
• Bots and Bot Networks being used for financial gain. In conjunction with more sophisticated phishing and malicious code attacks Symantec expects to see an increase in the number of reports of bots and bot networks being used for financial gain.
• More damaging mobile device malicious code is expected to appear over the next six months. The release of the Cabir worm source code in December is an indication of things to come.
• Embedded malicious code in Audio and Video images. In September Microsoft announced a vulnerability in its implementation of the JFIF image file format that could potentially allow image files displayed on a host system to execute malicious code.


Conclusions

• Attackers are increasingly motivated by financial gain. As the rewards get more attractive, attackers will continue to improve their methods.
• Traditional perimeter defenses are not enough. With the rise in client side attacks and web application attacks, attackers are finding new ways into the network.
• The volume and severity of attacks continues to rise. A short patch window, increasing numbers of malicious code variants and more daily attacks.


Thank You