Released today, the 2003 Symantec Internet Security Threat Report collects global data on network probes and attacks from more than 400 companies that share incident information with Symantec. The latest instalment in this bi-annual report identified a sharp rise in the reporting of IT-based and network vulnerabilities, with an average of seven new vulnerabilities reported per day over the past 12 months. Overall, this represented an 81.5 percent increase over the number of vulnerabilities reported in 2001. Symantec is attributing this increase to a number of factors including:
- The emergence of a responsible disclosure movement
- A lack of vendor prioritisation of security during the product development phase
- New methods of identifying and exploiting software bugs
- An increased effort among vulnerability researchers
- Increased media coverage of vulnerabilities
According to John Donovan, Symantec managing director in Australia and New Zealand, this increased emphasis has dramatically reduced the time-lag between when a software product is released and when its vulnerabilities are identified. However, he pointed out that the major beneficiaries of such information are those companies opting for managed security services which can quickly take advantage of such information.
"It is then up to the individual companies to ensure their systems are up to date, and at a consumer level this is quite straightforward, as long as they are receiving regular updates to their security software," Donovan said. "At the enterprise level, those opting for managed services are benefiting from the early discoveries. If a company keeps its protection up, it will be able to defend itself with the patches."
The study also found that the number of severe incidents--defined as access attempts that threaten to breach a network's security, rather than vandalise a site, for example--had decreased, dropping to 21 percent in the latter half of last year, compared with 23 percent in the first half.
However, the news is not all good, with the report capturing a sharp rise in the volume of self-replicating mass mailers, many of which were designed to take advantage of already-identified vulnerabilities.
"We have seen a rapid increase in the number of worms and viruses. Both consumer systems and enterprise systems are at threat," Donovan said.
According to the report, the big trends to emerge over the last twelve months have been blended threats--those that use multiple methods of propagation. Despite improvements in the identification of vulnerabilities, Symantec's research seems to indicate such attacks are able to take advantage of the time lag between the identification of a threat and the updating of the relevant system.
Symantec's research indicated that 80 percent of infections came from just three Windows 32 viruses which were blended threats: Klez, Bugbear and Opaserv.
However, Symantec warns that Linux is becoming more popular with virus writers, and the movement of Linux to the home user brings the operating system to people who are likely to be unaware of appropriate security practices.
The report also pointed to potential causes for concern, identifying instant messaging, peer-to-peer applications and mobile devices as potential vectors for the next big worm.
"In a lot of cases these things are being introduced into a company without the knowledge of the management, and it is introducing a new weak link into the organisation," Donovan said. "Instant messenger is another area for concern; they are all very insecure forms of communications. Where you have pockets of people deploying instant messenger software and punching holes in the firewalls, all these technologies will bring a whole new raft of problems as they become more widespread."
Chasing the source
According to the report, the US, South Korea and China lead the world when it comes to online aggression.
Accounting for 35.4 percent of overall attacks over the period, the US is far and away the source of the most Internet-based attacks, with South Korea generating 12.8 percent and China accounting for 6.9 percent. However, if the number of Internet users is taken into account, South Korea takes the lead, with the highest number of attacks per 10,000 Internet users.
Symantec's Donovan warned that the figures may not represent the source of attacks, but the location of compromised systems being used to launch attacks.
"The high number of attacks generated from South Korea, for example, does not so much suggest that the country is a rogue state as that it is a convenient launch pad thanks to the high uptake of broadband and other factors," Donovan said.
The report seems to support the view that countries which the US State Department has designated as state sponsors of terrorism do not represent a major threat via the Internet. Nor, for that matter, do countries which Symantec has identified as possible "hot spots" of terrorist activity. In fact, these countries generated less than one percent of attacks detected. Furthermore, the report stated that attacks generated by these countries were generally unsophisticated and based on antiquated techniques.
Additional reporting by staff writers, ZDNet US.











