The online world is an innovative and increasingly dangerous place. So says The Symantec Internet Security Threat Report (ISTR) 2013, which exposes a far more varied threat landscape this past year while revealing an increase in targeted attacks, many focused on smaller firms much less likely to take adequate security measures.
One of the primary themes of the ISTR is an evolving cyber threat that encompasses new platforms and targets different user types, following the rise of mobile devices and social media forums into the workplace and setting sights on knowledge workers and sales representatives who have ready access to intellectual property and other sensitive customer information.
The number of Web-based attacks surged by 30% in 2012, according to the ISTR, but the majority of breaches originated from the compromised websites of smaller businesses, not from the latest zero-day vulnerability, which has been the cause of many prior security breaches. What that reveals, according to Symantec security experts, is that any company, regardless of size, is now a potential target for cyber attacks, underscoring a mandate for formal security practices in an effort to mitigate risk to the greater public.
With that in mind, here are the top five security takeaways from the Symantec ISTR 2013:
Given that anyone is now a mark, the actual number of targeted attacks—on big-name companies, small shops, individuals, and specific industries—grew by 42% in 2012, bringing the average to 116 per day with a corresponding increase in data theft and incidents of industrial espionage. Manufacturing—with 6 of the top 10 in the defense sector—is the industry most clearly in the crosshairs, comprising 24% of targeted attacks this last year, and strikes are now aimed at individuals at all levels of the organization, not just C-level executives: the share of attacks aimed at executives declined from 25% in 2011 to 17% this year.
Beyond the sheer volume, the type and sophistication of targeted attacks have also increased over the last year. One of the biggest innovations in targeted attacks was the emergence of so-called watering hole incidents, pioneered by the Elderwood Gang, which exposed 500 organizations to attacks in a single day using this technique. In a watering hole attack, cybercriminals compromise a legitimate website that attracts their intended victim profile—for example, a blog or small business site—and then use that site to install malware on unsuspecting visitors, gaining access to their sensitive data.
Large, brand-name companies are no longer the primary targets for cyber crime. In 2012, 50% of all targeted attacks struck companies with fewer than 2,500 employees, and the largest growth area (31%) was businesses with fewer than 250 employees, a three-fold increase in volume from 2011. While small businesses believe they are immune to such criminal activity because they have nothing to steal, they are actively targeted because they are less likely to have the budget for sophisticated security measures, including regular patch management of known vulnerabilities, which puts their customer data, intellectual property, and banking information at risk. Their lack of protective measures also opens the door for cyber criminals to use the smaller firms as a stepping stone to get at the so-called Big Kahuna company that sits atop their supply chain.
Legitimate websites, not a new crop of vulnerabilities, were the primary culprits behind the proliferation of malware last year. In fact, 61% of all websites propagating malware were legitimate, with 53% of legitimate sites hosting unpatched vulnerabilities that provided an entrée cyber criminals were quick to exploit. By comparison, the ISTR found only a 6% increase in new vulnerabilities, for a total of 5,291 overall, with zero-day vulnerabilities continuing their upward trend. Fourteen zero-day vulnerabilities were reported in 2012, and the sophisticated Elderwood Gang was responsible for four of that total.
Given the proliferation of smartphones and tablets, it's no surprise that mobile malware is on the rise. 2012 saw a 58% increase in mobile malware families compared to the prior year, and 32% of all mobile threats were attempts to steal information, including email addresses and phone numbers. While there was a 30% surge in the number of vulnerabilities reported in mobile operating systems, the ISTR found no direct correlation between that number and the instances of mobile malware. For example, while Apple's iOS had the most documented vulnerabilities (387 compared to Android's 13), it had only a single threat discovered in 2012. Android, by contrast, was the mobile platform most targeted by attackers, accounting for 158 out of 163 unique threats—a scenario primarily attributed to its market share, open platform, and the multiple distribution methods available for malware-embedded applications.
In addition to the rise in watering hole incidents, ransomware became a bigger challenge in 2012 given its growing popularity with malware authors. Ransomware is typically contracted via drive-by downloads from legitimate sites that hackers have compromised with malicious code, or via malvertisements, where attack code is hidden in advertisements on legitimate websites. Once a machine is infected, the ransomware locks the computer and demands a release fee—typically anywhere from $50 to $400. Oftentimes, the lock screen contains a fake warning from local law enforcement claiming that the ransom is a fine for online criminal activity.
Whether it's an emerging tactic like ransomware or a tried-and-true threat, no company is immune from attack, and the increasingly complex and sophisticated threat landscape shows no signs of slowing down. To dive deeper into the ISTR findings and take the pulse of 2012's top security trends, view the full report or view the webcast, Gangs, Watering Holes, and Other Threats: Highlights from Symantec’s Annual Threat Report.