By Garrett Michael Hayes
Confronted with taller, more formidable walls and doors around the corporate castle, today’s IT barbarians are doing their storming through an easier entry point: the user’s desktop.
That’s one of the conclusions in the latest version of Symantec’s semiannual «Internet Security Threat Report,» a 104-page tome published last month. The report, which offers a broad look at the industry’s critical security threats, is based on data from more than 24,000 Symantec «sensors» around the world, as well as feedback from the company’s 120 million antivirus software licensees.
According to Symantec’s trend analysis, both the motivations for and targets of Internet threats are ch anging, quite discernably. On the attacker side, there is a decided shift from «because I can» to «because I’m being paid to,» as attackers increase their efforts to sell access to bot-networks. Of the top 50 pieces of malicious code Symantec discovered, 74 percent were designed to reveal confidential information and 14 percent were bot-related. Read More:
• Symantec Webcast, enterprise security
• Joint report of the Computer Security Institute and the FBI on trends in computer crime
Perhaps more important, attackers are shifting their targets. Instead of attempting to crack the corporate infrastructure, which has become hardened with firewalls and IDSs, attackers are going after the ever-vulnerable end user. Phishing messages have virtually doubled since Symantec’s previous report, from 2.99 million messages per day to nearly 5.7 million per day. And, as many administrators have seen, most adware and spyware is installed through Web browsers or bundled into other programs. Although many of these attacks have exploited vulnerabilities in Microsoft’s Internet Explorer, Symantec lists nearly twice as many vulnerabilities in Mozilla-based Web browsers such as Firefox.
Security patches can prevent attacks, but vendors still take too long to develop them. Symantec reports that the average time between the publication of a vulnerability and the appearance of an exploit is six days, but the average time between confirmation of a vulnerability and shipment of a patch is 54 days–that’s 48 days of naked exposure. It’s also a reversal of a trend toward shorter lags in patch releases. Push your vendors to roll out their patches more quickly–you can bet the bad guys aren’t going to slow down.
The one oddity in the report is that Symantec doesn’t classify adware and spyware as malicious. Huh? Anything that interferes with legitimate use of your own systems–or transmits your confidential information to people without your consent–is malicious, even if it wasn’t sent to destroy your stuff. C’mon, Symantec, let’s expand that definition.
