Symantec Internet Security Threat Report identifies more attacks targeting e-commerce, Web applications

Symantec Corp, the global leader in information security, has released its latest Internet Security Threat Report. The sixth bi-annual report provides analysis and discussion of global trends in Internet attacks, vulnerabilities and malicious code activity for the period of 1 January 2004 to 30 June 2004.

"As this latest Internet Security Threat Report demonstrates, exploits are being created more easily and faster than ever, while attackers are launching more sophisticated attacks for financial gain," said Arthur Wong, vice-president, Symantec Security Response and Managed Security Services.

"Software vulnerabilities and targeted attacks remain a primary area of concern for organisations and individuals. By publishing a comprehensive and accurate update on Internet threat activity, Symantec is providing the information security community the information needed to effectively secure systems now and in the future."

"South Africa is currently on a drive to develop its resources and capital generation to support its local industry requirements and participate on a global scale," say Patrick Evans, regional manager at Symantec Africa. "If we consider that SA has recorded a 696% year on year increase in the number of Internet attacks per capita, we need to ensure that businesses and the market understand the impact of these threats from an economic and IT infrastructure perspective."

"Symantec believes that to create a sustainable infrastructure, we need to support the industry in realising the benefits of security, threat management and the reduction of risk. Therefore, our position is not one of dictating policy in countries, but rather we are focused on providing the tools to ensure information is protected and secured. As our area of expertise is information integrity, we work through the channel, as they bring with them local expertise and understanding of national needs in the technology and business sector," adds Evans.

Increased threats to e-commerce: During this reporting period, e-commerce was the single most targeted industry, with nearly 16% of attacks against it. This represents a 400-percentage increase from the 4% reported during the previous six months. This rise may indicate a shift from attacks motivated by notoriety to attacks motivated by economic gain. This possibility is further illustrated by an increase in phishing scams and spyware designed to steal confidential information and pass it along to attackers.

"Spyware has become so prevalent locally, based on the fact that it is undetectable to users. This proliferation has developed mainly due to the immense amount of time that both consumers and corporates spend on the Internet, whereby certain Web sites are programmed to install spyware and other forms of malicious code," adds Evans. "In any instance, a person's security needs to be a tightly integrated product, including applications such as anti-virus, a desktop firewall, intrusion detection, content filtering and anti-spam. The more comprehensive your protection, the less likely malicious attacks and intrusion from spyware can occur."

Attacks against Web application technologies are increasingly popular: Web application technologies are appealing targets for attacks because of their widespread deployment within organisations and the relative ease with which they can be exploited. Web applications allow attackers to gain access to the target system simply by penetrating one end-user's computer, bypassing traditional perimeter security measures. Nearly 82% of documented Web application vulnerabilities were classified as easy to exploit, thereby representing a significant threat to an organisation's infrastructure and critical information assets.

Short time between vulnerability and exploit: According to the report, the time between the announcement of a vulnerability and the release of associated exploit code was extremely short. Symantec data indicates that over the past six months, the average vulnerability-to-exploit window was just 5.8 days. Once an exploit has been released, the vulnerability is often widely scanned for and quickly exploited. This short window leaves organisations with less than a week to patch vulnerable systems.

Rise in bot networks: Adding to concern about the short vulnerability-to-exploit window is the growth in bots (short for "robot"). Bots are programs that are covertly installed on a targeted system, allowing an unauthorised user to remotely control the computer for a wide variety of purposes. Attackers often coordinate large groups of bot-controlled systems, or bot networks, to scan for vulnerable systems and use them to increase the speed and breadth of their attacks. Over the past six months, Symantec has seen a large increase in the number of remotely controlled bots. During the first six months of 2004, the average number of monitored bots rose from under 2 000 to more than 30 000 per day - peaking at 75 000 in one day. Bot networks create unique problems for organisations because they can be remotely upgraded with new exploits very quickly, which could potentially allow attackers to outpace an organisation's security efforts to patch vulnerable systems.

Increase in severe, easy-to-exploit vulnerabilities: Symantec documented more than 1 237 new vulnerabilities between 1 January and 30 June 2004, an average of 48 new vulnerabilities per week. Seventy percent of these vulnerabilities were considered easy to exploit, and 96% were considered moderately or highly severe. Consequently, organisations must contend with an average of more than seven new vulnerabilities per day, and a significant percentage of these vulnerabilities could result in a partial or complete compromise of the targeted system.

The Slammer worm was the most common attack over the past six months, with 15% of attacking IP addresses performing an attack related to it. Gaobot and its variants were the second most common attack, increasing by more than 600% over the past six months.

* Overall, the daily volume of attacks is decreasing due to a decline in Internet-based worm attack activity over the first six months of 2004.

E-commerce received the most targeted attacks of any industry during this period; small business received the second most.

* The US was the top attack source country with 37%, down from 58% in the previous six months. Other countries rose accordingly, indicating that attack activity is becoming more international.

* Eighty-seven percent of Symantec Managed Security Services clients with tenure of more than six months successfully avoided experiencing a severe attack.

* During the first six months of 2004, the average time between the public disclosure of a vulnerability and the release of an associated exploit was 5.8 days.

* The Symantec Vulnerability Database documented 1 237 new vulnerabilities between 1 January and 30 June 2004. Ninety-six percent of documented vulnerabilities disclosed during this period were rated as moderately or highly severe; 70% of vulnerabilities were considered easy to exploit; 64% of vulnerabilities for which exploit code is available were considered high severity.

* In the first half of 2004, 479 vulnerabilities - or 39% of the total volume - were associated with Web application technologies.

* Over the past six months, Symantec documented more than 4 496 new Windows viruses and worms (particularly Win32), more than 4.5 times the number in the same period in 2003.

* The number of distinct variants of bots is rising dramatically, increasing by 600% over the past six months.

* Peer-to-peer services (P2P), Internet relay chat (IRC), and network file sharing continue to be popular propagation vectors for worms and other malicious code.

* Adware is becoming more problematic, making up six of the top 50 malicious code submissions.

* The first malicious worm for mobile devices, Cabir, was developed.

* Client-side attacks are expected to increase in the near future. Targeted attacks on firewalls, routers and other security devices protecting users' systems are also a growing security concern.

* Symantec expects bot networks to employ increasingly sophisticated methods of control and attack synchronization that are difficult to detect and locate. Symantec also expects to see instances of port knocking, a method attackers may use to create direct connections to potential target systems.

* Symantec expects that recent Linux and BSD vulnerabilities that have been discovered and used in proof-of-concept exploits will be used as exploit-based worms in the near future. Symantec also expects to see more attempts to exploit mobile devices.

"The majority of local companies are beginning to understand the increasing need to protect their internal networks from external threats. However, the perceived challenges associated with implementing a fully integrated security protection solution, in many instances, overrides this premise of safety, especially in light of the associated costs, limited resources, ease-of-use and network architecture involved. That's why today is the right time for organisations to look at their IT security plans and evaluate the effectiveness of their strategies," concludes Evans.