Many years ago I worked in the network router business. Back then, as a product manager, I wrote datasheets. Yeah, exciting stuff, but you have to start somewhere. There were these datasheets—the backs of them always contained what we called the "speeds and feeds," which included the different types of connections the router supported, the different protocols, and the performance numbers. If you knew nothing about routers and networking protocols it must have looked like just a bunch of incomprehensible numbers.
When I look through some versions of the Symantec Internet Security Threat Report I can’t help but think of those speeds and feeds I use to write. You could look at the data in the ISTR as just a bunch of numbers. Although, one of the things I like about the ISTR is how easy to read and accessible it is. So, my speeds and feeds analogy breaks down here. I think it is likely that some people do look at the report as a bunch of numbers and find it not very useful. Well, I still say they’re wrong, and I’ve got a pretty good example to prove it.
The chart below is from the ISRT XIV. It shows propagation methods used by malware in 2007 and 2008:
It doesn’t take an advanced math degree to notice something significant here. File-sharing executables are way ahead of other methods of propagation—and are growing fast. I’ll give you a preview on the 2009 numbers: Downadup/Conficker effectively used this method for propagation and the other bad guys noticed. Between Conficker and all of the copycats, this number in 2009 should shoot through the roof.
So how do these ISTR numbers help anyone? Well, IT folks looking at these numbers back in 2007 saw this coming. They knew removable media, such as USB thumb drives and network file shares, were a popular propagation method and therefore took steps to protect themselves. And even if they missed a version or two of the ISTR, we didn’t—and we’ve been telling them about it. (See here and here.)
But, I’m sure it wouldn’t surprise you to learn that our own security engineers read the ISTR and they can actually anticipate product needs based on the numbers. The Symantec Endpoint Protection product has a feature called Application and Device Control. It will let you set a policy that specifically stops files from being executed from a USB. So if some new unknown version of Conficker was on a USB thumb drive that you happened to put in your computer, it’s just going to sit there. It’s not going to go anywhere. If you just got saved from an infection of Conficker, that ISTR data sure doesn’t look like just a bunch of numbers, now does it?