In the past I have written about annual security reports that many vendors and other organizations publish. We can learn a lot about the state of Internet security threats from the research that these reports share. The attackers share data among themselves, so security practitioners also need to collaborate. There have been many new reports published since my last article on this subject. I wanted to keep you up to date on the latest reports and the findings that I think are the most interesting.
In May of 2009 I wrote an article on "Annual Security Reports" which covered many of the annual security reports published by various vendors and organizations in 2008 and 2009. We can learn a lot about the state of Internet security threats from these reports. In March of 2010 I wrote an article on "Newest Security Reports Show Changing Threats" covering the security reports that had been published since the previous blog. Today I am writing about the recent security reports that I have found most useful and what they can teach us about the state of Internet security.
On February 1, 2010, Arbor Networks published their Sixth Annual Worldwide Infrastructure Security Report. You can download this report and look at past reports at this site. A startling discovery noted in this report is that DDoS attacks can now generate up to 100Gbps of traffic toward the victim. This report also mentions that mobile service providers are now concerned with DDoS attacks. When wireless subscriber bandwidth was limited, DDoS was less of a problem. However, now with the projected growth of 4G services, it is possible for an infected mobile user's device to generate up to 10Mbps of upstream traffic. This report also talked about the lack of experience and visibility organizations have for responding to IPv6 attacks.
In January of 2011 Cisco published its latest Annual Security Report. You can download this report and previous annual and mid-year security reports from this site. This Cisco report starts off by covering their new concept of the Cisco Cybercrime Return on Investment (CROI) Matrix. In contrast to the Arbor Networks report, Cisco has classified DDoS attacks in the "Dogs" category. Cisco's report mentioned how spam levels are starting to drop. This report covers the concept of money mules in detail. The report (page 19) has a great list of "Seven Deadly Weaknesses" people have that allow social engineering attacks to be successful. This list includes sex appeal, greed, vanity, trust, sloth, compassion, and urgency as characteristics attackers prey upon. Previous years' Cisco security reports covered the issues related to PDFs, and this year's report talks about how more attackers are targeting Java since mid-2010. This report also covered the growth of risks for mobile devices and the security challenges organizations face when employees bring their personal devices to work. The report concludes with Cisco's new Adversary Resource Market Share (ARMS) Race Index, indicating that the threat level is at 6.8 as of December 2010.
In January of 2011 Symantec released their "Symantec Report on Attack Kits and Malicious Websites". Symantec allows you to download both the executive summary and the full report from their site. As its name implies, the focus of this report is on the toolkits that attackers use to craft the malware that will be spread via e-mails and malware-infected web sites. When victims click on these links, the attack leverages vulnerabilities in the client's software, and the victim is infected and now part of a botnet. These toolkits are a large part of the cybercriminal financial ecosystem. Symantec has classified these attack toolkits into two types: exploit toolkits and command-and-control toolkits. The Symantec report includes a cool picture of the timeline of Internet attack toolkits starting in the 1990s through to the present day of SpyEye and ZeuS 2.0. Sometime this spring, Symantec will release the latest version of their annual Internet Security Threat Report.
In November 2010, Sophos released their "Security Threat Report: Mid-year 2010". This report also covers the cybercrime organization structure and culture and the term "Partnerka". It covers many of the key security events, security threats of social networks, phishing, malware, data loss, search engine optimization, rogue AV software, spam, plug-and-play USB devices, and mobile devices. This report shows that the United States is still the top country with the highest percentage of spam relaying. This report also mentioned that "In January 2010, the IPv6 internet protocol was used by spammers for the first time as a method of delivering unsolicited email." The Sophos annual security report is a good general high-level security report.
On October 13, 2010 Microsoft published their "Security Intelligence Report (SIR) Volume 9". They also published a video discussing the key findings. This report provides a lot of great detail and background information if you are new to Internet security threats. It covers botnets and malware and provides a lot of great statistics and graphs. This report provides a listing of the most popular botnet families as cleaned by Microsoft Security Essentials and the Microsoft Windows Malicious Software Removal Tool (MSRT). This report also shows how these botnets ebb and flow over time as the attackers change their strategies. This report also provides, as it has in previous years, a graph of the relative botnet infection rates of their operating systems showing that Windows 7 and Server 2008 are more secure than previous versions of Windows.
In case you missed it, one of the best reports that is published each year is the Verizon data breach report. In July of 2010 Verizon published their "2010 Data Breach Investigations Report" (DBIR). This report is exceptional because it covers the results of forensics of actual attacks and data breaches that resulted in the loss of electronic records, identities and financial information. This year, the Verizon Business RISK Team partnered with the United States Secret Service and combined results from their investigations. To reinforce the fact that attackers are financially motivated, this report states that 85% of stolen data was due to attacks originated by organized crime. This report also indicates that the vast majority of organizations that lost records failed to pay attention to their logs or security event information and so did not self-detect the breaches. In these cases, a third-party organization notified the victim that they had been compromised. These organizations should increase their visibility and awareness of their traffic patterns and privileged user accesses. One recommendation mentioned in this report that I always advocate is monitoring and filtering your outbound traffic.
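To make the DBIR's point concrete, the following is an added example (not code from Verizon, the DBIR, or this post) of the kind of self-detection that reviewing your own logs enables: it parses outbound firewall log lines, sums egress bytes per internal host, and flags connections to unexpected destination ports and hosts whose outbound volume exceeds a threshold. The log format, the internal address range, the allowed port list and the byte threshold are all assumptions chosen for the example, and the log lines are constructed, not captured traffic.

```python
"""Egress monitoring over firewall logs (added example, not from any of the reports).

Assumed log format (constructed for this example, not a real vendor format):
    <timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n>
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines; none of this is real traffic.
SAMPLE_LOG = """\
2011-03-01T10:00:01 src=10.1.2.15 dst=203.0.113.10 dport=443 bytes_out=1200
2011-03-01T10:00:05 src=10.1.2.15 dst=203.0.113.10 dport=443 bytes_out=800
2011-03-01T10:01:10 src=10.1.2.44 dst=198.51.100.7 dport=6667 bytes_out=300
2011-03-01T10:02:30 src=10.1.2.44 dst=198.51.100.7 dport=6667 bytes_out=250
2011-03-01T10:05:00 src=10.1.2.90 dst=192.0.2.200 dport=443 bytes_out=52000000
2011-03-01T10:06:00 src=10.1.2.15 dst=10.1.2.1 dport=53 bytes_out=60
"""

# Assumed site policy: one internal range, a short list of ports that are
# expected to carry outbound traffic, and a per-host egress byte threshold.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_PORTS = {80, 443, 53}
EGRESS_BYTES_THRESHOLD = 50_000_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "bytes": int(m.group("bytes")),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyse_egress(log_text):
    """Summarise outbound traffic and flag what a reviewer should look at first.

    Only flows from an internal source to an external destination count as
    egress; internal-to-internal traffic is ignored for this purpose.
    """
    egress_bytes = defaultdict(int)
    disallowed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as traffic
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        src, dst = str(rec["src"]), str(rec["dst"])
        egress_bytes[src] += rec["bytes"]
        if rec["dport"] not in ALLOWED_PORTS:
            disallowed.add((src, dst, rec["dport"]))
    high_volume = {
        host: total for host, total in egress_bytes.items()
        if total > EGRESS_BYTES_THRESHOLD
    }
    return {
        "egress_bytes": dict(egress_bytes),
        "disallowed_ports": sorted(disallowed),
        "high_volume_hosts": high_volume,
    }


if __name__ == "__main__":
    report = analyse_egress(SAMPLE_LOG)
    for host, total in sorted(report["egress_bytes"].items()):
        print(f"{host}: {total} bytes out")
    print("unexpected ports:", report["disallowed_ports"])
    print("high-volume hosts:", report["high_volume_hosts"])
```

Run against the constructed sample, the script reports the host talking to an external address on port 6667 and the host that pushed roughly 52 MB outbound, which are the two records a reviewer would investigate first; real deployments would replace the constructed policy values with the organization's own and feed the function from their firewall or proxy export.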
I find these reports fascinating and so I wanted to share with you the reports I enjoy reading the most and the key points that I took away from each report. Hopefully these reports will help give you additional insight into the threats that your organization may face in 2011. These reports can show you that you are not alone and possibly help you craft a strategy to mitigate these risks. I encourage you to keep an eye open for new reports that are published throughout the year so you can keep up on the latest trends.