Internet Security Threat Report, Volume 16


Symantec's Internet Security Threat Report, Volume 16 reveals significant changes to the threat landscape in 2010, including an increase in volume and sophistication of threat activity. The report, which highlights key trends in cybercrime and the threat landscape from Jan. 1, 2010 to Dec. 31, 2010, discloses that Symantec identified more than 286 million new threats last year. This increase can be attributed to the growing prevalence of targeted attacks on enterprises, the continuing use of social networking sites to compromise users, the rising threats impacting mobile devices and the ongoing use of attack toolkits, which are increasingly exploiting vulnerabilities in Java.

Transcript of Internet Security Threat Report, Volume 16

Page 1: Internet Security Threat Report, Volume 16

Symantec Internet Security Threat Report (ISTR), Volume 16 1

Internet Security Threat Report (ISTR) 16 Highlights and Recommended Defenses

April 2011

Page 2: Internet Security Threat Report, Volume 16

Threat Landscape

Page 3: Internet Security Threat Report, Volume 16

Threat Landscape

2010 Trends

Social Networking + Social Engineering = Security Nightmare

Whether targeting a CEO or the family next door, the Internet and social networks provide cybercriminals rich research for tailoring an attack. By sneaking in among our friends, hackers can learn our interests, gain our trust, and convincingly masquerade as friends. A well-executed, socially engineered attack has become almost impossible to spot.

Mobile Threats increase

More people than ever are using smartphones and tablets, and cybercriminals are taking notice. Because most malicious code now is designed to generate revenue, there are likely to be more threats created for these devices as people increasingly use them for sensitive transactions such as online shopping and banking.

Targeted Attacks continue to evolve

Targeted attacks, while not new, gained notoriety from high-profile attacks against major organizations (Hydraq) and significant targets (Stuxnet). These attacks raised awareness of Advanced Persistent Threats (APTs).

Page 4: Internet Security Threat Report, Volume 16

Threat Landscape

2010 Trends

Hide and Seek zero-day vulnerabilities and rootkits

The primary goal of malicious code that employs rootkit techniques is to evade detection. This allows the threat to remain running on a compromised computer longer and, as a result, increases the potential harm it can do. Targeted attacks depend on their ability to get inside an organization and stay hidden in plain sight. Zero-day vulnerabilities and rootkits have made this possible.

Attack Kits get a caffeine boost

While targeted attacks are focused on compromising specific organizations or individuals, attack toolkits are the opposite side of the coin, using broadcast blanket attacks that attempt to exploit anyone unfortunate enough to visit a compromised website. Innovations from targeted attacks will make their way into massive attacks, most likely via toolkits.

Page 5: Internet Security Threat Report, Volume 16

Threat Landscape

Social networking + social engineering = security nightmare

• Hackers have adopted social networking sites to:

– Use profile information to create targeted social engineering attacks

– Impersonate friends to launch attacks

– Leverage news feeds to spread spam, scams and massive attacks

More Info: Detailed review of Social Media threats available in The Risks of Social Networking

Page 6: Internet Security Threat Report, Volume 16

Threat Landscape

Social networking + social engineering = security nightmare

• Shortened URLs can hide malicious links, increasing infections

• 73% of the shortened URLs observed on social networks (that led to malicious websites) were clicked 11 times or more

Page 7: Internet Security Threat Report, Volume 16

Threat Landscape

Mobile threats

• Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications

• Mobile devices will be increasingly targeted as they are used for financial transactions

163 vulnerabilities (2010)

115 vulnerabilities (2009)

Page 8: Internet Security Threat Report, Volume 16

Threat Landscape

Targeted attacks continue to evolve

• High-profile targeted attacks in 2010 raised awareness of Advanced Persistent Threats (APTs)

Stuxnet signaled a leap in the sophistication of these types of attacks:

– Four zero-day vulnerabilities (vulnerabilities that were previously unknown)

– Stolen digital signatures helped mask it from security systems

– Ability to leap the “air gap” (used USB keys to spread Stuxnet to computers not connected to a network)

– Potential damage to infrastructure including power grids, water supplies and nuclear power plants

More Info: Detailed review in the W32.Stuxnet Dossier & W32.Stuxnet

Page 9: Internet Security Threat Report, Volume 16

Threat Landscape

Targeted attacks continue to evolve

• Less sophisticated attacks also cause significant damage

• Average cost to resolve a data breach in 2010: $7.2 million USD

Average Number of Identities Exposed per Data Breach by Cause

Page 10: Internet Security Threat Report, Volume 16

Threat Landscape

Attack kits get a caffeine boost with Java

Def: Bundles of malicious code tools used to facilitate the launch of concerted and widespread attacks on networked computers

• Attack kits continue to see widespread use

• Java exploits added to many existing kits

• Kits exclusively exploiting Java vulnerabilities appeared for the first time

More Info: Detailed information available in ISTR Mid-Term: Attack Toolkits and Malicious Websites

Page 11: Internet Security Threat Report, Volume 16

Threat Landscape

Hide and seek (zero-day vulnerabilities and attack rootkits)

• A rootkit is a collection of tools that allow an attacker to hide traces of a computer compromise from the operating system and also the user

• Zero-days are being used in a more aggressive way and featured heavily in Hydraq/Stuxnet

• Attack toolkits help to spread knowledge of exploits that leverage vulnerabilities

Number of documented ‘zero-day’ vulnerabilities

Page 12: Internet Security Threat Report, Volume 16

ISTR 16: Key Facts and Figures

Page 13: Internet Security Threat Report, Volume 16

Symantec™ Global Intelligence Network

Identifies more threats, takes action faster & prevents impact

Information Protection; Preemptive Security Alerts; Threat Triggered Actions

Global Scope and Scale; Worldwide Coverage; 24x7 Event Logging

Rapid Detection

Attack Activity

• 240,000 sensors

• 200+ countries

Malware Intelligence

• 133M client, server, gateways monitored

• Global coverage

Vulnerabilities

• 40,000+ vulnerabilities

• 14,000 vendors

• 105,000 technologies

Spam/Phishing

• 5M decoy accounts

• 8B+ email messages/day

• 1B+ web requests/day

Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India

Page 14: Internet Security Threat Report, Volume 16

Key Facts and Figures

Malicious code, which is any programming code capable of causing harm to legitimate code or data, or that can compromise confidentiality in a computing system…

…takes advantage of vulnerabilities in operating systems, programs, applications, etc….

…which can lead to your computer, laptop, mobile phone, or other Internet-connected device being infected with threats like viruses, worms, or Trojans…

…It may also lead to ID theft and other forms of fraud.

Page 15: Internet Security Threat Report, Volume 16

Malicious Code Trends

Threats to confidential information

• 64% of potential infections by the top 50 malicious code samples were threats to confidential information

Page 16: Internet Security Threat Report, Volume 16

Vulnerability Trends

Web Browser Plug-In Vulnerabilities

• Number of Flash and Reader vulnerabilities continued to grow

Page 17: Internet Security Threat Report, Volume 16

Threat Activity Trends

Malicious Activity by Country

Page 18: Internet Security Threat Report, Volume 16

Threat Activity Trends

Data Breaches by Sector

• The average cost to resolve a data breach in 2010 was $7.2 million USD

• 85% of identities exposed were customers

Average Number of Identities Exposed per Data Breach by Sector

Average Number of Identities Exposed per Data Breach by Cause

Page 19: Internet Security Threat Report, Volume 16

Threat Activity Trends

Web-based Attacks

• 93% increase in Web-based attacks from 2009 to 2010

• Spikes related to specific activities (release of new attack kits, current events, etc.)

Page 20: Internet Security Threat Report, Volume 16

Fraud Activity Trends

Phishing categories

Def: “Phishing” is a derivative of “fishing” and alludes to the use of “bait” to “catch” personally identifiable information

• 56% of phishing attacks imitated banks

• Many email-based fraud attempts referred to major sporting, news and pop-culture events in 2010

Page 21: Internet Security Threat Report, Volume 16

Fraud Activity Trends

Underground economy servers

• Credit cards and bank account credentials continue to be the top two advertised items on the black market

• Bulk rates for credit cards range from 10 cards for $17 to 1000 cards for $300

Page 22: Internet Security Threat Report, Volume 16

Consumer and Enterprise Best Practices for defending against the latest threats

Page 23: Internet Security Threat Report, Volume 16

Consumer Best Practices

Protect yourself

• Use a modern Internet security solution for maximum protection against online threats that includes:

– Antivirus protection

– Intrusion prevention to protect against Web-attack toolkits, unpatched vulnerabilities, and socially engineered attacks

– Browser protection to protect against Web-based attacks

– Reputation-based tools that check the reputation and trust of a file before downloading

– Behavioral prevention that keeps malicious threats from executing even if they get onto your computer

– URL reputation and safety ratings for websites found through online searches

Keep up-to-date

• Keep virus definitions and security content updated at least daily, if not hourly, to protect your computer against the latest viruses and malicious software (“malware”)

Use an effective password policy

• Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of words from the dictionary, since these are easier for cybercriminals to hack

• Do not use the same password for multiple applications or websites

• Use complex passwords (upper/lowercase, punctuation and symbols) or passphrases (e.g., “I want to go to Paris for my birthday” becomes “I1t2g2P4mb”)

Page 24: Internet Security Threat Report, Volume 16

Consumer Best Practices

Know what you are doing

• “Free,” “cracked,” or “pirated” versions of software can contain malware or social engineering attacks

• Read end-user license agreements (EULAs) carefully and understand all terms before agreeing to them. Some security risks can be installed because of that acceptance

Guard your personal data

• Limit the amount of personal information you make publicly available on the Internet (including and especially social networks) as it may be harvested by cybercriminals and used in targeted attacks, phishing scams, or other malicious activities

• Never disclose any confidential personal or financial information unless and until you can confirm that any request for such information is legitimate

• Avoid banking or shopping online from public computers (such as libraries, Internet cafes, etc.) or from unencrypted Wi-Fi connections

Think before you click

• Never view, open, or execute any email attachment or click on a URL unless you expect it and trust the sender; even if it’s coming from trusted users, be suspicious

• Do not click on shortened URLs without expanding them first using “preview” tools

• Do not click on links in social media applications with catchy titles or phrases; you may end up “liking it” and sending it to all of your friends – just by clicking anywhere on the page

• Be suspicious of warnings that pop up asking you to install media players, document viewers and security updates; only download software directly from the vendor’s website

Page 25: Internet Security Threat Report, Volume 16

Enterprise Defenses Against Social Engineering

Web Gateway Security

• Scan all potentially malicious downloads regardless of how the download is initiated

• Prevent users from being redirected to malicious Websites

Data Loss Prevention

• Discover concentrations of confidential information downloaded to an employee’s PC

Network and Host Based Intrusion Prevention

• Monitor and protect critical systems from exploitation

• Protect against misleading applications like fake antivirus

• Prevent drive-by download web attacks

Strong Authentication

• Protect against unauthorized access to confidential data beyond just username and password

Security Awareness Training

• Ensure employees become the first line of defense

Page 26: Internet Security Threat Report, Volume 16

Defenses Against Mobile Threats

Device Management

• Remotely wipe devices in case of theft or loss

• Update devices with applications as needed without physical access

• Get visibility and control of devices, users and applications

Device Security

• Guard mobile device against malware and spam

• Prevent the device from becoming a vulnerability

Content Security

• Identify confidential data on mobile devices

• Encrypt mobile devices to prevent lost devices from turning into lost confidential data

Identity and Access

• Strong authentication and authorization for access to enterprise applications and resources

• Allow access to right resources from right devices with right postures

Page 27: Internet Security Threat Report, Volume 16

Enterprise Defenses Against Targeted Attacks

Advanced Reputation Security

• Detect and block new and unknown threats based on reputation and ranking

Host Intrusion Prevention

• Implement host lock-down as a means of hardening against malware infiltration

Removable Media Device Control

• Restrict removable devices and functions to prevent malware infection

Email & Web Gateway Filtering

• Scan for infected files and block accordingly

Data Loss Prevention

• Discover data spills of confidential information that are targeted by attackers

Encryption

• Create and enforce security policy so all confidential information is encrypted

Network Threat and Vulnerability Monitoring

• Monitor for network intrusions, propagation attempts and other suspicious traffic patterns

Page 28: Internet Security Threat Report, Volume 16

Defenses Against Attack Toolkits

Advanced Reputation Security

• Detect and block new and unknown threats based on reputation and ranking

Fraud Detection Services

• Monitor and analyze specific transaction types for known scams and evolving threats

Asset and Patch Management

• Identify what and where your high value assets are

• Ensure latest patches are deployed and up-to-date across all platforms and applications

Threat and Vulnerability Management

• Monitor for network intrusions, propagation attempts & suspicious traffic patterns

• Receive alerts for new vulnerabilities and threats across vendor platforms

Host Intrusion Detection and Prevention

• Monitor and protect critical systems from being exploited

Page 29: Internet Security Threat Report, Volume 16

Enterprise Defenses Against Hide and Seek

Advanced Reputation Security

• Detect and block new and unknown threats based on reputation and ranking

Security Incident and Event Management

• Detect and correlate suspicious patterns of behavior

Network Threat and Vulnerability Monitoring

• Monitor environment for excessive log-ins or privilege escalation

Vulnerability Assessment

• Ensure network devices, OS, databases and web application systems are properly configured

• Determine whether or not a vulnerability is truly exploitable

Host Intrusion Prevention

• Implement host lock-down as a means of hardening against malware infiltration

Page 30: Internet Security Threat Report, Volume 16

Stay Informed: Additional Resources

Build Your Own ISTR

go.symantec.com/istr

Daily measure of cybercrime risks

nortoncybercrimeindex.com

Follow Us:

Twitter.com/threatintel

Twitter.com/nortononline

Page 31: Internet Security Threat Report, Volume 16

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

For more information, please visit:

go.symantec.com/istr