Last month, Symantec released a new Internet Security Threat Report (Volume XII), providing a review and analysis of the threat activity for the time period of January 1 through June 30, 2007. The report not only tracks the latest attacks and vulnerabilities, it also assesses trends in threat activity and makes some predictions for the future. This comprehensive and detailed look at the threat landscape helps small and mid-sized businesses protect themselves from the most prevalent threats.
Based on the data collected during the first half of 2007, the following five statements summarize Symantec's findings regarding the current threat landscape:
- More professional and commercialized
- Tailored for specific regions
- Multistaged attacks
- Exploiting trusted entities
- Converging attack methods
In a previous Threat Report (released March 2006), Symantec predicted that malicious code trading in forums like IRC, Web sites, and black-market auction sites would grow. Not only has this proven to be true, but the growth of the malicious code black market has exceeded most predictions. Now, in order to satisfy this lucrative criminal industry, the development and distribution of malicious code have taken on a much more commercial and professional aspect, with widespread availability of malicious code toolkits. These toolkits enable anyone who purchases the kit to launch attacks.
The Report also notes a continued rise in underground economy servers that are used by criminals and criminal organizations to sell stolen information, typically for subsequent use in identity theft. During the first six months of 2007, the United States was the top country for underground economy servers, accounting for 64 percent of the total known to Symantec. Also during that period, credit cards were the item most frequently advertised for sale on underground economy servers, making up 22 percent of all goods advertised. Credit card numbers are a valuable commodity in the underground economy, so keeping these and other financial details secure is a priority for businesses.
Historically, threat activity has been global in nature, but that is changing. Recent analysis performed by Symantec indicates that attackers are now focusing more on targets that share a common language, infrastructure, and/or online activity. For example, as broadband access moves into new areas and develops a stronger regional presence, more potential targets appear online for attackers.
Previous attack methods like wide-scale network worms and denial-of-service attacks (DoS) are no longer as effective as they once were. That's where multistaged attacks come in. In the Threat Report, Symantec notes considerable attack activity that incorporates multistaged attacks that start with a low-profile compromise (like a Trojan) that is then used to establish a beachhead from which subsequent attacks are launched. These stealthy attacks work to overcome network defenses, such as IDS/IPS and firewalls.
Staged downloaders, threats that download and install other malicious code onto a compromised computer, are a prime example of the multistaged approach. During the first six months of 2007, 28 of the top 50 malicious code samples were staged downloaders.
Instead of trying to break into the computers of targeted users, attackers are now compromising trusted sites and/or applications. This trend has been made possible by the increased deployment of Web applications and Web 2.0 technologies. Attackers have found that attacks can be launched from sites that users are likely to trust, which can be easily compromised due to the prevalence of Web application vulnerabilities within those sites. During the first half of 2007, 61 percent of all vulnerabilities disclosed were Web application vulnerabilities. This has serious implications for end users because it makes it hard to trust seemingly reliable, well-known sites. Attacks against trusted sites are often highly valued by attackers because they can be used to expose confidential user information, such as usernames, passwords, and online account information.
Especially in the past year, it has become increasingly apparent that threats like Internet attacks, vulnerabilities, malicious code, phishing and spam – once regarded as separate attacks – are now being consolidated into diverse attack methods. That is, Symantec is noticing a convergence of the various components of attack activity that stems from the increased interconnectivity and cross-functionality of the various malicious activities. As attacks converge, it is important to provide complete protection for computers and business networks. Security for desktops, servers, and the network should also converge and work together, because a single threat can affect them all.
Today's attack activity is primarily motivated by financial gain. Most attacks are now driven by a quest for data or information (like credit card numbers) that can be used directly for fraud or theft, or indirectly to create the necessary conditions for fraudulent activities. This poses a security issue for SMBs that store and manage information that could be used to facilitate identity theft. In the first half of 2007, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted.
So what steps should SMBs take to protect themselves (and their customers)? Employing defense-in-depth strategies, including the deployment of IDS/IPS solutions, antivirus and antifraud solutions, as well as a firewall, is a good place to start. Of course, reading Symantec's semi-annual Internet Security Threat Reports is a great way to stay informed about the threat landscape so you know what you're up against. Antivirus definitions should be updated regularly and all desktop, laptop, and server computers within the business should be updated with all necessary security patches from their respective vendors. Implementation of a Network Access Control (NAC) solution is highly recommended to control and monitor access to your network. To help prevent accidental or intentional data leaks, SMBs should employ data leakage prevention solutions. Symantec also advises businesses to develop and implement policies that prevent users from viewing, opening, or executing any email attachment unless the attachment is expected and comes from a known and trusted source, and unless the purpose of the attachment is known.