Targeted attacks, mobile vulnerabilities on the rise, report states
Criminals continue to exploit old vulnerabilities as enterprises and users fail to keep up with the flood of security updates, the latest Symantec report states.
The findings of the latest "Internet Security Threat Report" from Symantec can be summed up in a single sentence: “Attacks are rising, but the number of new vulnerabilities is decreasing.”
This describes a threat landscape in 2011 in which hackers, criminals and spies continued to exploit known vulnerabilities through new vectors as enterprises and end users failed to keep up with the flood of security updates from vendors patching their software.
“The old vulnerabilities still work,” said John Harrison, manager of Symantec’s security technology and response product group and a contributor to the report. Malware variants are being packaged in attack toolkits that effectively circumvent signature-based defenses. “When the Web attack toolkits work, it’s the same vulnerabilities they continue to depend on.”
The data in the report is gathered from the company’s Global Intelligence Network monitoring activity in more than 200 countries.
The total number of vulnerabilities reported in 2011 dropped 20 percent, from a high of 6,253 the year before to fewer than 5,000. Over the same time, the number of unique variants of malware identified in the wild increased 41 percent and the number of attacks blocked by Symantec tools jumped 81 percent to 5.5 billion in 2011.
The vectors for delivering the malware are shifting, with Web attacks and social engineering through social networks replacing e-mail as the method of choice. This is due in part to successful law enforcement campaigns against command-and-control systems for spam-spewing botnets in 2011, and also because the Web offers a good alternative.
Targeted attacks, which have proven to be effective in breaching high-value organizations through carefully crafted social engineering, increased during 2011, from 26 such attacks identified in January of that year to 154 in December. At the same time, the attacks are moving downstream, with most of them now targeting smaller organizations and employees outside the executive suite.
By this time it is no surprise that malware for smarter mobile devices has been heating up, with vulnerabilities identified in these devices bucking the general trend with a 93 percent increase in 2011 over the year before.
In short, “we’re being hit in every vector,” Harrison said.
The question these figures raise is why known vulnerabilities continue to be such effective targets. Most organizations are unaware of the threats they are facing, Harrison said. “They don’t understand how they’re being attacked.” They often do not know which versions of software are running on their systems and the extent to which they already have been compromised.
“When browser plug-ins are out of date, the potential for being infected is very high,” he said.
The report offers a list of practices to counter these threats, including:
- Improved awareness and education for administrators and end users.
- Defense in depth with mutually supporting systems, including comprehensive endpoint security to complement signature-based tools.
- Network monitoring for attack patterns and identification of traffic from malicious domains.
- Improved website security through always-on SSL, scanning and monitoring of sites for vulnerabilities and malware, and improved management of digital certificates and signatures.
- Use of encryption to protect sensitive data.
- Implementation and enforcement of policies covering removable media, passwords, e-mail attachments and other security practices.
Eventually, organizations might have to make difficult decisions about updating systems that have been maintained in less-than-secure states for the sake of compatibility and continuity.
“I’m not sure they’re aware of the risk involved in that,” Harrison said. More aggressive updating with less time for testing before patches are rolled out might break some applications and interfere with compatibility. But “the pace of change in the threat landscape is going so fast that we need to change the pace of things behind the scenes,” he added.