Symantec's Internet Security Threat Report, Volume 16 reveals significant changes to the threat landscape in 2010, including an increase in the volume and sophistication of threat activity. The report, which highlights key trends in cybercrime and the threat landscape from Jan. 1, 2010 to Dec. 31, 2010, discloses that Symantec identified more than 286 million new threats last year. This increase can be attributed to the growing prevalence of targeted attacks on enterprises, the continuing use of social networking sites to compromise users, the rising threats impacting mobile devices and the ongoing use of attack toolkits, which are increasingly exploiting vulnerabilities in Java.
3. Threat Landscape
2010 Trends
Social Networking + Social Engineering = Security Nightmare
Whether targeting a CEO or the family next door, the Internet and social networks provide cybercriminals rich research for tailoring an attack. By sneaking in among our friends, hackers can learn our interests, gain our trust, and convincingly masquerade as friends. A well-executed, socially engineered attack has become almost impossible to spot.
Mobile Threats increase
More people than ever are using smartphones and tablets, and cybercriminals are taking notice. Because most malicious code now is designed to generate revenue, there are likely to be more threats created for these devices as people increasingly use them for sensitive transactions such as online shopping and banking.
Targeted Attacks continue to evolve
Targeted attacks, while not new, gained notoriety from high-profile attacks against major organizations (Hydraq, the Trojan behind the early-2010 attacks on Google and other companies) and significant targets (Stuxnet). These attacks raised awareness of Advanced Persistent Threats (APTs).
Symantec Internet Security Threat Report (ISTR), Volume 16 3
4. Threat Landscape
2010 Trends
Attack Kits get a caffeine boost
While targeted attacks are focused on compromising specific organizations or individuals, attack toolkits are the opposite side of the coin, using broadcast blanket attacks that attempt to exploit anyone unfortunate enough to visit a compromised website. Innovations from targeted attacks will make their way into massive attacks, most likely via toolkits.
Hide and Seek zero-day vulnerabilities and rootkits
The primary goal of malicious code that employs rootkit techniques is to evade detection. This allows the threat to remain running on a compromised computer longer and, as a result, increases the potential harm it can do. Targeted attacks depend on their ability to get inside an organization and stay hidden in plain sight. Zero-day vulnerabilities and rootkits have made this possible.
5. Threat Landscape
Social networking + social engineering = security nightmare
More Info: Detailed review of social media threats available in The Risks of Social Networking
• Hackers have adopted social networking sites to:
– Use profile information to create targeted social engineering attacks
– Impersonate friends to launch attacks
– Leverage news feeds to spread spam, scams and massive attacks
6. Threat Landscape
Social networking + social engineering = security nightmare
• Shortened URLs can hide malicious links, increasing infections
• 73% of the shortened URLs observed on social networks that led to malicious websites were clicked 11 times or more
7. Threat Landscape
Mobile threats
• Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications
(Chart: documented mobile device vulnerabilities, 115 in 2009 vs. 163 in 2010)
• Mobile devices will be increasingly targeted as they are used for financial transactions
8. Threat Landscape
Targeted attacks continue to evolve
• High-profile targeted attacks in 2010 raised awareness of Advanced Persistent Threats (APTs)
• Stuxnet signaled a leap in the sophistication of these types of attacks:
– Four zero-day vulnerabilities (vulnerabilities that were previously unknown)
– Stolen digital signatures helped mask it from security systems (its drivers were signed with code-signing certificates stolen from legitimate hardware vendors, so signature checks passed)
– Ability to leap the “air gap” (used USB keys to spread Stuxnet to computers not connected to a network)
– Potential damage to infrastructure including power grids, water supplies and nuclear power plants
More Info: Detailed review in the W32.Stuxnet Dossier & W32.Stuxnet
9. Threat Landscape
Targeted attacks continue to evolve
• Less sophisticated attacks also cause significant damage
(Chart: Average Number of Identities Exposed per Data Breach by Cause)
• Average cost to resolve a data breach in 2010: $7.2 million USD
10. Threat Landscape
Attack kits get a caffeine boost with Java
Def: Bundles of malicious code tools used to facilitate the launch of concerted and widespread attacks on networked computers
• Attack kits continue to see widespread use
• Java exploits added to many existing kits
• Kits exclusively exploiting Java vulnerabilities appeared for the first time
More Info: Detailed information available in ISTR Mid-Term: Attack Toolkits and Malicious Websites
11. Threat Landscape
Hide and seek (zero-day vulnerabilities and rootkits)
• A rootkit is a collection of tools that allow an attacker to hide traces of a computer compromise from the operating system and also the user
• Zero-days are being used in a more aggressive way and featured heavily in Hydraq/Stuxnet
• Attack toolkits help to spread knowledge of exploits that leverage vulnerabilities
(Chart: Number of documented ‘zero-day’ vulnerabilities)
12. ISTR 16: Key Facts and Figures
13. Symantec™ Global Intelligence Network
Identifies more threats, takes action faster & prevents impact
Locations: Calgary, Alberta; Dublin, Ireland; Tokyo, Japan; San Francisco, CA; Mountain View, CA; Austin, TX; Chengdu, China; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India
Worldwide Coverage, Global Scope and Scale, 24x7 Event Logging, Rapid Detection
• Attack Activity: 240,000 sensors; 200+ countries
• Malware Intelligence: 133M client, server and gateway systems monitored; global coverage
• Vulnerabilities: 40,000+ vulnerabilities; 14,000 vendors; 105,000 technologies
• Spam/Phishing: 5M decoy accounts; 8B+ email messages/day; 1B+ web requests/day
Preemptive Security Alerts, Information Protection, Threat Triggered Actions
14. Key Facts and Figures
Malicious code, which is any programming code capable of causing harm to legitimate code or data, or that can compromise confidentiality in a computing system, takes advantage of vulnerabilities in operating systems, programs, applications, etc., which can lead to your computer, laptop, mobile phone, or other Internet-connected device being infected with threats like viruses, worms, or Trojans. It may also lead to ID theft and other forms of fraud.
15. Malicious Code Trends
Threats to confidential information
• 64% of potential infections by the top 50 malicious code
samples were threats to confidential information
16. Vulnerability Trends
Web Browser Plug-In Vulnerabilities
• Number of Flash and Reader vulnerabilities continued to grow
18. Threat Activity Trends
Data Breaches by Sector
• The average cost to resolve a data breach in 2010 was $7.2 million USD
• 85% of identities exposed were customers
(Chart: Average Number of Identities Exposed per Data Breach by Cause)
(Chart: Average Number of Identities Exposed per Data Breach by Sector)
19. Threat Activity Trends
Web-based Attacks
• 93% increase in Web-based attacks from 2009 to 2010
• Spikes related to specific activities (release of new attack kits, current events, etc.)
20. Fraud Activity Trends
Phishing categories
Def: “Phishing” is a derivative of “fishing” and alludes to the use of “bait” to “catch” personally identifiable information
• 56% of phishing attacks imitated banks
• Many email-based fraud attempts referred to major sporting, news
and pop-culture events in 2010
21. Fraud Activity Trends
Underground economy servers
• Credit cards and bank account credentials continue to be the top two advertised items on the black market
• Bulk rates for credit cards range from 10 cards for $17 to 1000 cards for $300
22. Consumer and Enterprise Best Practices
Protection against the latest threats
23. Consumer Best Practices
Protect yourself
• Use a modern Internet security solution for maximum protection against online threats that includes:
– Antivirus protection
– Intrusion prevention to protect against Web-attack toolkits, unpatched vulnerabilities, and socially engineered attacks
– Browser protection to protect against Web-based attacks
– Reputation-based tools that check the reputation and trust of a file before downloading
– Behavioral prevention that keeps malicious threats from executing even if they get onto your computer
– URL reputation and safety ratings for websites found through online searches
Keep up-to-date
• Keep virus definitions and security content updated at least daily, if not hourly, to protect your computer against the latest viruses and malicious software (“malware”)
Use an effective password policy
• Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of words from the dictionary, since these are easier for cybercriminals to crack
• Do not use the same password for multiple applications or websites
• Use complex passwords (upper/lowercase, punctuation and symbols) or passphrases (e.g., “I want to go to Paris for my birthday” becomes “I1t2g2P4mb”)
24. Consumer Best Practices
Know what you are doing
• “Free,” “cracked,” or “pirated” versions of software can contain malware or social engineering attacks
• Read end-user license agreements (EULAs) carefully and understand all terms before agreeing to them. Some security risks can be installed because of that acceptance
Guard your personal data
• Limit the amount of personal information you make publicly available on the Internet (including and especially social networks) as it may be harvested by cybercriminals and used in targeted attacks, phishing scams, or other malicious activities
• Never disclose any confidential personal or financial information unless and until you can confirm that any request for such information is legitimate
• Avoid banking or shopping online from public computers (such as libraries, Internet cafes, etc.) or from unencrypted Wi-Fi connections
Think before you click
• Never view, open, or execute any email attachment or click on a URL unless you expect it and trust the sender; even if it is coming from trusted users, be suspicious
• Do not click on shortened URLs without expanding them first using “preview” tools
• Do not click on links in social media applications with catchy titles or phrases; you may end up “liking it” and sending it to all of your friends just by clicking anywhere on the page
• Be suspicious of pop-up warnings asking you to install media players, document viewers and security updates; only download software directly from the vendor’s website
25. Enterprise Defenses Against Social Engineering
Web Gateway Security
• Scan all potentially malicious downloads regardless of how the download is initiated
• Prevent users from being redirected to malicious Websites
Data Loss Prevention
• Discover concentrations of confidential information downloaded to an employee’s PC
Network and Host Based Intrusion Prevention
• Monitor and protect critical systems from exploitation
• Protect against misleading applications like fake antivirus
• Prevent drive-by download web attacks
Strong Authentication
• Protect against unauthorized access to confidential data beyond just username and password
Security Awareness Training
• Ensure employees become the first line of defense
26. Defenses Against Mobile Threats
Device Management
• Remotely wipe devices in case of theft or loss
• Update devices with applications as needed without physical access
• Get visibility and control of devices, users and applications
Device Security
• Guard mobile device against malware and spam
• Prevent the device from becoming a vulnerability
Content Security
• Identify confidential data on mobile devices
• Encrypt mobile devices to prevent lost devices from turning into lost confidential data
Identity and Access
• Strong authentication and authorization for access to enterprise applications and resources
• Allow access to right resources from right devices with right postures
27. Enterprise Defenses Against Targeted Attacks
Advanced Reputation Security
• Detect and block new and unknown threats based on reputation and ranking
Host Intrusion Prevention
• Implement host lock-down as a means of hardening against malware infiltration
Removable Media Device Control
• Restrict removable devices and functions to prevent malware infection
Email & Web Gateway Filtering
• Scan for infected files and block accordingly
Data Loss Prevention
• Discover data spills of confidential information that are targeted by attackers
Encryption
• Create and enforce security policy so all confidential information is encrypted
Network Threat and Vulnerability Monitoring
• Monitor for network intrusions, propagation attempts and other suspicious traffic patterns
28. Defenses Against Attack Toolkits
Advanced Reputation Security
• Detect and block new and unknown threats based on reputation and ranking
Fraud Detection Services
• Monitor and analyze specific transaction types for known scams and evolving threats
Asset and Patch Management
• Identify what and where your high value assets are
• Ensure latest patches are deployed and up-to-date across all platforms and applications
Threat and Vulnerability Management
• Monitor for network intrusions, propagation attempts & suspicious traffic patterns
• Receive alerts for new vulnerabilities and threats across vendor platforms
Host Intrusion Detection and Prevention
• Monitor and protect critical systems from being exploited
29. Enterprise Defenses Against Hide and Seek
Advanced Reputation Security
• Detect and block new and unknown threats based on reputation and ranking
Security Incident and Event Management
• Detect and correlate suspicious patterns of behavior
Network Threat and Vulnerability Monitoring
• Monitor the environment for excessive log-ins or privilege escalation
Vulnerability Assessment
• Ensure network devices, operating systems, databases and web application systems are properly configured
• Determine whether or not a vulnerability is truly exploitable
Host Intrusion Prevention
• Implement host lock-down as a means of hardening against malware infiltration
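The “excessive log-ins or privilege escalation” monitoring above, as an added example that is not part of the ISTR: a small correlation pass over constructed Linux auth log lines that raises an alert when one source address fails five logins within a minute, a second alert when that same address then logs in successfully, and a third when the session escalates by loading a kernel module through sudo (how a kernel rootkit gets resident) or by adding an account to an administrative group. The log lines, hostnames, addresses, group names and thresholds are constructed for this illustration.

```python
"""Correlate auth log events: password-guessing burst -> successful login from
the same source -> privilege escalation (sudo loading a kernel module, or a
user added to an admin group). Added example, not from the ISTR; the log
lines, hostnames, addresses and thresholds below are constructed."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5            # failed logins from one source IP ...
WINDOW_SECONDS = 60           # ... within this many seconds counts as "excessive"
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}
KERNEL_LOADERS = {"insmod", "modprobe"}   # how a kernel rootkit gets loaded

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO = re.compile(r"(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
GROUP_ADD = re.compile(r"add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")


def parse(line, year=2010):
    """Split a syslog-style line into timestamp, host, process and message."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def correlate(lines):
    """Return alerts in the order their triggering lines appear."""
    alerts = []
    fails = defaultdict(deque)   # source ip -> timestamps of recent failures
    bursting = set()             # source ips that already tripped the threshold
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, host, msg = ev["ts"], ev["host"], ev["msg"]
        if ev["proc"] == "sshd":
            m = FAILED.search(msg)
            if m:
                q = fails[m["ip"]]
                q.append(ts)
                while (ts - q[0]).total_seconds() > WINDOW_SECONDS:   # slide the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and m["ip"] not in bursting:
                    bursting.add(m["ip"])
                    alerts.append({"rule": "excessive_logins", "host": host,
                                   "ip": m["ip"], "count": len(q)})
            m = ACCEPTED.search(msg)
            if m and m["ip"] in bursting:    # the guesser got in
                alerts.append({"rule": "login_after_brute_force", "host": host,
                               "ip": m["ip"], "user": m["user"]})
        elif ev["proc"] == "sudo":
            m = SUDO.search(msg)
            argv = m["cmd"].split() if m else []
            if argv and m["target"] == "root" and os.path.basename(argv[0]) in KERNEL_LOADERS:
                alerts.append({"rule": "privilege_escalation", "host": host,
                               "user": m["user"], "detail": m["cmd"]})
        else:
            m = GROUP_ADD.search(msg)
            if m and m["group"] in ADMIN_GROUPS:
                alerts.append({"rule": "privilege_escalation", "host": host,
                               "user": m["user"], "detail": f"added to group {m['group']}"})
    return alerts


# Constructed auth.log excerpt (198.51.100.23 and 192.0.2.44 are documentation addresses).
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar 14 02:11:05 web01 sshd[2215]: Failed password for root from 198.51.100.23 port 51013 ssh2
Mar 14 02:11:08 web01 sshd[2217]: Failed password for invalid user oracle from 198.51.100.23 port 51014 ssh2
Mar 14 02:11:12 web01 sshd[2219]: Failed password for deploy from 198.51.100.23 port 51015 ssh2
Mar 14 02:11:15 web01 sshd[2221]: Failed password for deploy from 198.51.100.23 port 51016 ssh2
Mar 14 02:11:40 web01 sshd[2231]: Accepted password for deploy from 198.51.100.23 port 51020 ssh2
Mar 14 02:11:41 web01 sshd[2231]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar 14 02:12:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/sbin/insmod /tmp/.x/rk.ko
Mar 14 02:12:09 web01 usermod[2250]: add 'deploy' to group 'sudo'
Mar 14 02:30:00 web01 sshd[2301]: Accepted publickey for alice from 192.0.2.44 port 40122 ssh2
Mar 14 02:31:10 web01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
"""


def run_sample():
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The alerts are emitted in log order, so the sequence itself (burst, then success from the same source, then escalation on the same host) is the correlation a SIEM rule would key on; alice's routine sudo use produces nothing because it is neither preceded by guessing nor loads a kernel module.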
30. Stay Informed: Additional Resources
Build Your Own ISTR
go.symantec.com/istr
Daily measure of cybercrime risks
nortoncybercrimeindex.com
Follow Us:
Twitter.com/threatintel
Twitter.com/nortononline