The Internet security threat landscape continues to evolve and we must keep up with the current trends. There are a few places to look for authoritative guidance on the rapidly changing security technology landscape. One of them is the numerous annual security reports that organizations publish. In this blog entry I share with you some of the key industry analysis on security trends to help you stay ahead of the wave.
There is an old Chinese proverb that goes "It's better to be a dog in a peaceful time than be a man in a chaotic period". This was certainly the curse of the IT security industry in 2008, and judging from the past four months, things are not slowing down in 2009. I must admit that sometimes I would rather be a dog at home sleeping than a man in a data center at 2AM remediating an issue. Our lives in the IT industry are also made more interesting by the media, vendors, and others who report on security trends. The IT world certainly has no shortage of prognosticators and analysts. It is these industry security reports that we look to for guidance when crafting a defensive security strategy and preparing our budgets for the coming years. Therefore, I wanted to point you to these popular sources of information on security trends and review their contents and commonalities.
I enjoy reading the Computer Security Institute (CSI) Annual Security Reports each year when they come out. I find it fascinating how dramatically things change from one year to the next. One thing that sets this report apart from the others is that it is a compilation of a survey sent to CSI members and attendees at their events. The information is compiled from the educated answers of this body of security experts, spread evenly across all industry sectors. Presumably the vast majority of folks affiliated with CSI are "white hats". Therefore, the downside to this report is that it may not completely reflect the threats as viewed from the perspective of the attackers.
This report identified a gradual reduction in the average estimated loss per incident. It also identified viruses, network abuses and laptop losses as the things that administrators have to deal with the most. One shocking statistic is that most organizations spend 5% of their annual IT budget on security. That seems low to me because I was expecting it to be closer to 8%, which is more in line with other enterprise organizations that operate more secure environments. The report also stated the sad truth that most organizations are still not focused on security awareness training for employees. I feel strongly that this is a key area where organizations can really make a big difference in mitigating the insider threat.
The Gartner "Hype Cycle" is the idea that the media hypes up the importance of an issue, and only as that particular issue becomes more fully understood and dealt with does it become a less interesting topic to publicize. Instead of the seven stages of grief, the Hype Cycle goes through the phases of Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment and Slope of Enlightenment, ending finally on the Plateau of Productivity. This concept works particularly well for IT security because early on in a new type of threat there is a very high Fear, Uncertainty and Doubt (FUD) factor, but as fixes and work-arounds are created and implemented the issue quickly dissipates into the background noise. The key figure in this document is the classic wave pattern created by charting out these threats. The important thing to note is that the points along the wave line are color-coded by the expected time to mainstream adoption. It is interesting to see that e-mail content filtering and encryption and SIEMs are on their way to the Plateau of Productivity, yet other reports seem to indicate that most organizations are not yet implementing these technologies. That highlights the fact that what the media reports on and what organizations are actually implementing are indeed different.
This annual security report comes from Cisco's Security Intelligence Operations group and covers the more popular threats that cause problems for most organizations. It covers web-based threats, malware, botnets, spam/phishing, data loss, human issues, insider threats, trust issues, vulnerabilities, and geopolitical issues. This document doesn't spend much time on mitigation techniques but rather focuses on what transpired in 2008 and what is likely to remain a security issue that companies will need to deal with. The Cisco report does a great job discussing the interrelationships between attacks, describing how spam helps spread malware which creates bots which send more spam, and how vulnerable web pages help spread malware which creates bots which help glean valuable data off computers. The Cisco report stated the alarming statistic that over 600,000 laptops are lost in airports each year. The Cisco report also alluded to the Sockstress TCP stack table implementation vulnerabilities that have been identified. For those interested, Brad Reese wrote a previous NetworkWorld blog on this Cisco report and provides links to video from Patrick Peterson (Cisco Fellow and Security Researcher).
The Symantec report provides insight into the security issues they have seen in the past year. This comes from their research as a top anti-virus suite manufacturer and their own independent security research. The report looks at many different types of threats and provides statistics by area. It provides global statistics but also breaks those facts down into government threats, EMEA threats and APJ threats. The report emphasizes the financial motivation of attackers, which is supported by the fact that the majority of phishing and reputation attacks targeted financial services institutions. An interesting idea presented in this report is that the Downadup (Conficker) infection rate is much higher in the APJ and LAM regions because those regions have the highest piracy rates, which prevents those computers from receiving updates. Ellen Messmer also recently wrote an article about this report.
This mid-2008 report is an analysis of 500 individual cases that were forensically investigated by Verizon's Business Investigative Response team over a four-year period. The report offered some frank observations about these incidents, such as that the majority of the vulnerabilities exploited already had published fixes/patches. That means that IT administrators are still not doing all they can with regard to keeping systems updated, and many of these cases were avoidable with some simple steps. This just reemphasizes that the devil is in the details and that disciplined IT practices will end up saving the organization money in the long run. The report also noted that most of the incidents were in the retail sector, where the systems may not be as fortified as in other sectors that have the IT budgets to protect against the threats. The vast majority of attacks were initiated from external sources, which runs contrary to the common belief that the insider threat contributes half of the total incidents.
It's funny that some people mistake the company I work for, GTRI (Global Technology Resources, Inc.), for the Georgia Tech Research Institute (GTRI). This report was actually written by the Georgia Tech Information Security Center (GTISC) after their annual security summit. This brief report is similar to the other reports in that it covers the areas of malware, botnets, cyber warfare, VoIP and mobile device threats, and the changing cyber-crime economy.
This report covers the emerging threats that Sophos sees through its security research and hears about from customers. Interesting statistics are that Sophos discovers a new infected web page every 4.5 seconds and a new spam-related web page every 11 seconds. This is an indication of the automated nature of these attacks. Sophos also noted that there are 5 times more malicious e-mail attachments than a year ago. The report also covers some of the critical events of 2008 as well as some of the court cases and judgments against spammers and attackers.
Commonalities Between Reports:
While these reports vary a little in terms of the statistics they report, they do agree on many trends. It is valuable to read these reports, compare and contrast what they have to say, and separate the issues they agree upon from the issues on which they contradict each other. Here are some of the common themes that were identified in all of these reports.
- Most reports saw some improvement in terms of OS patching, anti-virus software effectiveness, and greater collaboration between security practitioners.
- All reports mentioned that the security perimeter is a dying philosophy, but firewalls are still required elements.
- 90+% of all e-mail is spam, and the US and Asia are the largest originators of spam and hosts of malware websites. The US was the top country of attack origin, but China had the most bot-infected computers. Russia also produces a lot of spam.
- All reports talked about attackers being financially motivated, whereas a decade ago attackers were motivated by fame.
- As a technology becomes more popular, the threats against it increase because it gains the attention of the attackers; its target value rises with its popularity. This is true for Macs, mobile devices, and virtualization, and might someday be true of IPv6.
- Several of the reports commented on how Asprox has transformed itself from phishing to cross-site scripting in order to proliferate malware through infected websites.
- Although the reports didn't see a significant increase in DNS incidents, it is something that all of them are watching closely in 2009.
- Most attacks are of familiar types that show little imagination in creating new kinds of attacks. In other words, most attacks are just repeats of previous attacks, merely targeted toward different servers or organizations.
No Mention of IPv6:
The one thing I find very interesting that is common to all these reports is that they did not contain a single reference to IPv6. I have to admit that I am biased on the subject of IPv6 security, but I honestly think this is a subject that should be on every security practitioner's radar. Even though IPv6 may seem like a distant ship on the horizon, the IPv6 ship is heading toward us at about 15 knots. If you don't believe me, you can browse through some of the presentations from the recent Rocky Mountain IPv6 Summit that will convince you that IPv6 is coming.