Over 9 months ago I posted a blog about the numerous annual security reports that are published by various organizations. However, in the rapidly-changing world of Internet security much has changed since then. New security reports have since been written and it is time to revisit these reports to see what different organizations are observing. I find it useful to seek out new perspectives on the ever-changing security realm. By reviewing these reports, we can gain a greater understanding of the emerging Internet threats our organizations are facing.
Veracode State of Software Security Report - March 2010
Veracode has published the most recent security report that was released during the RSA conference focused on the state of application software. Veracode provides application source code review using a SaaS model to help their clients avoid security vulnerabilities. This report notes the extremely high percentage of software that is submitted to their testing process is not even close to meeting standards for safe coding best practices. Third-party software and internally developed applications both had significant issues that could compromise the security of the entire system. Open source applications tend to get repaired more quickly than internally developed applications. That is consistent with applications like Firefox that, while they may have many vulnerabilities in a year, the time for a patch to be made available can be less than one day. The report mentioned vulnerabilities in programs written in C/C++, but applications written in other programming languages like Java also had significant security issues. Cross-site Scripting (XSS) vulnerabilities are still pervasive despite all the publicity about how good coding standards can help mitigate these issues.
IBM X-Force 2009 Trend and Risk Report
One of the best annual security reports is the IBM X-Force Trend and Risk Report. This year's report showed that the overall vulnerability disclosures dropped in 2009. The report analyzed disclosures by day of week and month to look for trends. I liked the Exploitability Probability graph that chards the opportunity against the monetization and exploit cost. It is easy to see that PDF, Flash, and ActiveX exploits fall into the highest probability quadrant. The IBM report also charts which OS manufacturers have had the most disclosures over the recent years. The report also shows how web application platforms are not nearly as vulnerable as the plug-ins those web applications use. Cross-site scripting, SQL injection, and file include attacks have grown in popularity and are pervasive across industry segments. The report also determined that about 7.5% of the Internet contains bad stuff (adult content, criminal content, malware, etc.). Like many other reports the IBM X-Force report analyzed where malware infected servers are located, the issues of koobface and social networking malware infection, rogue AV software, and ZeuS Builder. Spam was the other malware propagation attack vector that was also analyzed. I found the tables at the end of the document that review the top URL spam domains by month. From this you can easily see how spammers change their domains month-by-month. The analysis clearly shows Brazil's rise to the top spam and phishing originating countries.
Sophos Security Threat Report: 2010
This is a good follow up to their annual report for 2009. This report highlighted the use of social networking sites as a means of spreading spam, malware, and phishing attacks. The United States is still the top country when it comes to hosting malware-infected web content. The report covered how Trojan Bredo gained popularity by disguising itself as fake shipping information. This report mentioned that IPv6 was used by spammers in January of 2010. Adobe has now moved to a "patch Tuesday" method due to the rise in PDF-related attacks. This report also showed that the majority of Mac users don't use anti-virus software yet Macs are increasingly becoming targets of malware. Just as anything may become more popular, its threat profile increases. We can expect the same behavior with mobile
Trustwave 2010 Global Security Report
The Trustwave report is a great report because it leverages their experience performing vulnerability assessments of their clients but also covers the forensic analysis and remediation of actual attacks their customers sustained. This report showed that most breaches are identified by external organizations and this is in-line with the Verizon data breach report from last year. Initial entry by attackers was shown to be through remote access applications or via 3rd party connections which also matches with the Verizon report from last year. This report shows a great graph of the types of techniques used by malware or attacks to perform exfiltration of data off compromised computers. Exfiltration doesn't use IPv6 encapsulated in IPv4 packets very often and rarely are encrypted tunnels used. This report also includes many "Top 10" lists of the various issues and weaknesses that we all should consider.
Arbor Networks - Worldwide Infrastructure Security Report 2009
The Arbor Networks Worldwide Infrastructure Security Report V was published in January 2010. This report is a great report for addressing security issues that are affecting the top Internet service providers and enterprises. This report covered the period from Q3 2008 to Q3 2009. Not surprisingly, this report focused on the size of DDoS attacks and how enterprises with 1Gbps Internet links could easily be overwhelmed by many of the attacks seen recently. I was surprised to find out from this report that the largest DDoS attacks could generate up to 40Gbps of traffic. The vast majority of these attacks are flood-based traffic like UDP and ICMP and the other two types of attacks use TCP flags or specific application traffic for the attack. The majority of the organizations use source/destination ACLs or BGP RTBH mitigation techniques. Even though rate-limiting is used it is not an effective strategy.
This report also mentioned how service providers are concerned over security issues related to adoption of IPv6. The Arbor Network report also mentioned that several of the respondents were concerned about IPv6 security features within manufacturer's products. This report agreed with several other reports in that people have started to let down their guard when it comes to DNS cache poisoning attacks. It was nice to see that SSH has taken over for Telnet as the preferred remote administration protocol. I was dismayed by the lack of application of Unicast RPF at service provider network boundaries.
Symantec Intelligence Quarterly - January 2010
Symantec recently released their quarterly intelligence report that covers October 2009 through December 2009. This report showed that the United States was the country with the highest percentage of malicious activity. This is because the US hosts many of the malware infected web servers and its e-mail servers source much of the world's spam. This report also mentioned the pervasiveness of PDF issues and the popularity of the Sality worm.
Symantec has also released a report on the recent rogue security software trend. This report mentioned the recent explosion of malware disguising itself as rogue security software and anti-virus suites. One interesting statistic is that the pre-installation price for the installation of malware by an attacker's affiliate is far higher in North American and in the UK and Australia. An installation on a computer in the US is worth $0.55 while installation on computers in other countries can be only pennies.
McAfee January 2010 Spam Report
McAfee published their spam report in January. This report discussed the rapid rise and fall of the spam that targeted Pfizer products. This report talked about how the common domain landing pages for spam has moved from using .cn domain names to use blogs such as Microsoft's live.com and Google's blogspot.com. I find the misspellings in spam messages amusing as it is a way to avoid detection by anti-spam analysis software. As an interesting side note this report covers the Top 25 Men and Women in Spam during 2009.
Cloud Security Alliance Security Guidance - December 2009
If your organization is considering or has already moved to using a cloud-computing service then you must read the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 that was published in December 2009. This is a great report that covers an introduction to cloud computing strategies and how to create a security plan for each variant. I highly recommend that everyone read this guide and consider you plan for cloud computing within the context of your security strategy. The best practice of considering the confidentiality, integrity, and availability of your data is vital for cloud services.
Cisco 2009 Annual Security Report - December 2009
Cisco released their 2009 Annual Security Report in December of 2009. This report covers security issues identified from 2009 related to Cisco themselves, their customers, and trends they are seeing in the industry. The best part of this report is that the data presented here is gathered by the Cisco Security Intelligence Operations and SenderBase. This report discussed the threats of social media on enterprise security. Social media will continue to be a focus of attacks and a time-waster for many, but few organizations want to prevent their employees from using these systems. On page 9 of the report there is a startling graph that illustrates the potential increase of SPAM we are likely to experience in 2010. Like other reports, this report mentioned rogue anti-virus software as a disguise for malware. This Cisco report also discussed the high percentage of PDF files that contain malicious code. This report determined that 1 out of every 600 PDF files contains some form of malicious code.
CSI Computer Crime and Security Survey 2009 - December 2009
The Computer Security Institute (CSI) report is one of those reports that I read every year it is released. It is a summary of a survey that is sent out to many security practitioners so the survey respondents are very knowledgeable on the subject. This year the report showed an increase in financial fraud, malware infections, DoS attacks, password attacks, and web site defacement. The graph on page 7 of the executive summary shows how attack types rise in popularity and fall out of favor through the years. The graph on page 13 shows that spending on security awareness training is still lower than desired. I believe that if organizations focused more on the people and processes they could achieve better security results than focusing on compliance which tends to be technology-focused. Security awareness training does not have to cost a lot of money but it could yield huge results in helping end users learn how to avoid common pitfalls that lead to malware infection.
Cenzic Trend Report on Web Application Security - December 2009
Cenzic published its Web Application Security Trends Report, for Q1-Q2, on November 9, 2009. If you haven't heard of Cenzic, you should get to know this company. Cenzic is a manufacturer of web application security assessment software and services. Their report focuses on web and application threats. Page 11 contains a nice graph of the different classes of web vulnerabilities followed on the next page by a graph of browser vulnerabilities. Safari vulnerabilities are on the rise as the popularity of Macs continues to grow.
PandaLabs 2009 Annual Report
PandaLabs released their annual security report at the end of 2009. Similar to the other reports by anti-virus suite manufacturers the focus of this report is on the security of end-user computers. Similar to the Microsoft SIR 7 this report also lists infection rates by country. This report also mentioned, liked several other reports, that hackers are using Search Engine Optimization (SEO) techniques to get their malware infected sites more hits. This report covered many of the other points found in other reports like the increased threats of social networking sites, rogue security malware, and increases of SPAM.
Sourcefire December 2009 Vulnerability Report
Sourcefire, maker of snort, released their December vulnerability report. Sourcefire releases a monthly report that covers the most recent security issues they are watching closely. This method of delivering the report with a video is enjoyably unique. This video discussed the patches from Microsoft and Adobe. Because of the issues with PDF malware and flash player Adobe has started to move toward a "patch Tuesday" frequency. You can also look back at the Sourcefire monthly November and October security reports.
SANS Top Cyber Security Risks - September 2009