The world uses hundreds of different units of currency to conduct business, from pounds to pesos, and money has been the target of thieves since the dawn of civilization. But in the age of the Internet, cybercriminals are also going after a new, universal currency: information. And just like bank robbers in the movies, they are becoming more and more creative in devising ways to steal this information.
Internet-based threats are now accepted as a cost of doing business, but we can never afford to become complacent in our defenses. Each year Symantec prepares an Internet Security Threat Report, which provides an in-depth look at the current threat landscape. This year's report shows that attacks are rising sharply - in 2011, Symantec blocked 5.5 billion malicious attacks, an increase of 81 percent over 2010. Cybercriminals are also continuing to target specific organizations with a variety of attacks, and more attacks are being made by large, organized groups.
Criminals are using tools such as customized malware and social engineering to attack specific targets, and the number of attacks has grown from a daily average of 77 in 2010 to 82 in 2011. While high-profile incidents might give the impression that only large enterprises are the primary victims of targeted attacks, organizations of all sizes are affected. More than half of targeted attacks are directed at businesses with fewer than 2,500 employees, and in fact almost 18 percent of all attacks are aimed at organizations with no more than 250 employees. While these attacks may not make the news, they show that every business should be aware of the need for defense.
These truly are targeted attacks. These cybercriminals consider every aspect of the business they are attacking. The individuals they target are carefully selected, based on their roles in the organization - and it's not only executives with access to a lot of proprietary information. The majority of employees targeted are people in other functions, such as human resources, where they might be used to receiving emails with attachments from unknown sources. This gives the cybercriminals access to someone in the organization, which they can use to initiate further attacks.
One particular subset of targeted attack has been growing in prominence recently - the advanced persistent threat (APT). APTs are narrowly targeted attacks deployed by large, well-organized groups that may even have the support of a nation state or military. They attack high-profile targets including government agencies, defense contractors and manufacturers, in order to obtain valuable information such as military intelligence or sensitive intellectual property. Their attacks are subtle and stealthy, using highly customized techniques and a variety of attack vectors, such as SQL injection, malware, phishing and spam.
Data Breaches and Trust
There are all kinds of threats to an organization's information, but one of the most dangerous is hacking. In 2011 we saw a rise in politically motivated hacking, which not only results in direct damage from the loss of data, but also injures the organization's reputation. Personal data, such as customer identities, is often stolen in these attacks, and in 2011 such attacks resulted in the compromise of more than 187 million identities - more than any other type of breach. An average of 1.1 million identities was compromised per breach. The healthcare, government and education sectors accounted for more than two-thirds of all attacks, while the most identities (85 percent) were exposed through attacks on the computer software and IT sectors.
Lost or stolen mobile devices are another potential source of data breaches. Symantec's Smartphone Honey Stick Project revealed that 96 percent of lost phones will experience a data breach. Because a growing number of employees are using personal devices to access corporate information, this poses a significant risk when these devices are lost. Data such as business emails, customer information and intellectual property can easily be compromised and cause significant financial damage and loss of customer trust.
Customer trust is also at stake when online transactions aren't secure. Businesses and consumers depend on security certificates to do business on the Internet, and certificate authorities (CAs) are experiencing an increase in attacks. Stolen certificates make malware more difficult to identify and affect confidence. Providers are responding by offering services such as always-on SSL (which secures the entire session rather than just the login and payment portals), extended validation SSL certificates and DNSSEC to boost end-user trust.
Mobility and the Cloud
Anywhere, anytime information access is the hallmark of business today. Employees are using personal mobile devices for work, and that means using the cloud to store and access personal information, which creates a new series of risks. Businesses are concerned about the security of their data as it is transmitted and stored outside the local network. There are also concerns about regulations mandating where data may and may not be stored, potential service or availability issues, and rogue cloud deployments that pose unknown risks.
Mobile devices themselves are also becoming a point of security concern. As devices continue to proliferate worldwide, and open platforms such as Android become more popular, we are seeing a rise in malware designed for smartphones and tablets. This malware is designed to collect and transmit user data and track their behavior. As the deployment of this malware becomes more profitable, it will attract more cybercriminals.
Billions of spam emails are sent every day (42 billion, in fact), and it now makes up 75 percent of all email. The good news is that this is down from 88 percent in 2010, but phishing emails are on the rise. The kinds of spam being sent are constantly evolving, and 2011 saw a shift in the topics. Pharmaceutical emails dropped from 74 percent to 40 percent, but several other categories saw a proportional increase, particularly watches/jewelry and sexual/dating spam messages.
Spammers are also taking advantage of tools that make it easier to attract traffic. URL shortening services, which are popular for social networking, also help spammers hide the end destination of links in their emails, as well as providing useful information about users to aid in future campaigns. This also makes it more challenging for filters to block spam based on links.
Websites and email continue to be sources of malware, with hundreds of millions of users exposed each year to websites hosting malicious content. This can happen through visiting a legitimate site that has been infected with malicious code. In fact, 61 percent of malicious sites are simply normal websites that have been infected. The most commonly compromised sites were blogs, personally hosted sites, business websites and shopping websites.
Malware also made up a higher portion of emails in 2011, accounting for 4-5 percent of business communications. These emails take advantage of a variety of attachment types, and utilize social engineering techniques in an effort to persuade recipients to click on links and open attachments.
Polymorphic malware is particularly concerning, because it is constantly changing its internal structure, making it more difficult for traditional security measures to detect. One particular variant identified by Symantec in 2011 accounted for 7.5 percent of all email malware.
Attack toolkits are also rising in popularity, allowing nearly anyone to create malware using a variety of exploits. Criminals are able to purchase these kits for as little as $40, and new kits are constantly being created to take advantage of weaknesses in systems as they are discovered.
Each year Symantec identifies vulnerabilities in software that can potentially lead to system compromise. These include weaknesses in industrial systems, web browser vulnerabilities and zero-day exploits, which criminals use to create more effective attacks. In 2011 Symantec identified a total of 4,989 new vulnerabilities, compared to 6,253 in 2010. While vendors often work to quickly address weaknesses as soon as they are identified, the most commonly exploited vulnerability in 2011 was one that was identified six years ago, but still proved effective because many users fail to regularly apply patches.
Security in the Face of Increasing Threats
Just as a bank keeps updating its security systems to counter modern, high-tech robbery attempts, we need to be increasingly vigilant in protecting our information. We anticipate that this year targeted attacks, including APTs, will become more common, and the technology involved will be used in more malware attacks. Mobile attacks will continue to rise, and IT will be working to better integrate these devices into their overall security plan.
But while threats seem ever present, businesses can take the initiative to protect their information. A multi-pronged approach is the best way to guard against a variety of threats. An effective security strategy should combine network-level protection such as firewalls and Web security gateways with endpoint solutions such as antivirus and data loss prevention systems.
In addition to employing the latest technology, organizations should educate their users on minimizing risks. They should avoid opening unrecognized attachments in emails, clicking on links on social media websites and downloading software from unknown sources. They should also know what to do in case their computer or mobile device is infected. The organization should also implement policies concerning the creation of strong passwords, and keep patches up to date on all systems.
While the report shows that cybercriminals are constantly adapting their tactics, today's businesses can't afford to become victims. Organizations and users should educate themselves on current threats and develop strategies to keep themselves safe. By taking a proactive, intelligent approach to security, we can keep our information locked away safe from 21st-century thieves.