Critical. Authoritative. Strategic.


CBR is proudly produced & published
by Technews
Issue Date: March 2003 (es)

Internet security threat trends for Q3 and Q4 2002

March 2003

The recently released Symantec Internet Security Threat Report provides the Internet community with a deeper understanding of how Internet threats are evolving over time. According to Patrick Evans, Symantec regional manager for Africa, the report derives its insights on cyber attack trends from the world’s most extensive network of intrusion detection systems (IDSs) and firewalls whilst also incorporating analysis of vulnerability and malicious code data as well, the combination of which makes it the only report to provide a comprehensive view of the security landscape.

This view is based on Symantec resources, which include one of the world's largest repository of security attack data, the world's most comprehensive vulnerability database, and millions of code submissions from antivirus customers. Evans suggests that "these findings, based on empirical analysis of the world's largest repository of security data, are the most reliable source of emerging trends in cyber security. This report provides CxOs and IT administrators with benchmarks and guidance to evaluate the effectiveness of their current and future security strategies. It will help them understand the evolving nature of security threats, and how a variety of factors ultimately affect the risks experienced by their organisations."
According to the report, Internet threats have intensified and evolved in many ways, while remaining relatively stable in other areas. Excluding worm and blended threat activity, measured cyber attack volume declined slightly for the first time, dropping 6% in the second half of 2002. Despite the decline, many organisations, such as those in the financial services sector, experienced a sharp rise in attack volume and relative attack severity, while other companies, such as tenured security monitoring clients, substantially reduced their risk profile.
Attack volume by country of origin was mostly consistent with past studies. 80% of attacks were launched from or through systems located in only 10 countries, and the United States was by far the largest source of attacks.
Adding to risks associated with cyber attacks, the discovery rate for new IT product vulnerabilities accelerated substantially over the past year. The total number of new, documented vulnerabilities in 2002 was 81,5% higher than in 2001. This rise was driven almost exclusively by vulnerabilities rated as relatively severe. Furthermore, approximately 60% of the documented vulnerabilities were easily exploitable either because sophisticated tools were widely available or because exploit tools were not required at all. Finally, by leveraging the vast supply of vulnerabilities, malicious code writers introduced several successful blended threats over the past six months. Within hours of release many of these threats spread rapidly among Internet-connected organisations, and several continue to infect thousands of systems throughout the world today.
In conclusion, the evidence clearly shows that the risk of cyber attacks and malicious code infections remains high for all Internet-connected organisations. In addition, the potential introduction of entirely new, and potentially more destructive, forms of malicious code and cyber attack tools represents a substantial future risk.
Symantec's Internet Security Threat Report is available on its website at Should readers wish to contact eSecure directly, simply e-mail the editor at and request the report.
For more information contact Patrick Evans, Symantec, 011 797 6622,
Report highlights
Overall threats in terms of cyber attacks, IT product vulnerabilities, and overall susceptibility to new forms of malicious code remained substantial and constantly evolving over the past six months. For companies that are not making use of appropriate countermeasures, these threats have increased their risk of compromise.
Cyber attack trends
Excluding worm and blended threat activity, the rate of network-based attacks over the past six months was 6% lower than the rate recorded during the prior six-month period.
* On average, companies experienced 30 attacks per company per week during the past six months, as compared with 32 attacks per company per week during the prior six-month period.
* Approximately 85% of this activity was classified as pre-attack reconnaissance, and the remaining 15% was classified as various forms of attempted (or successful) exploitation.
* Despite the decline in attack volume over the prior six-month period, average attacks per company during the past six months remained 20% higher than the rate recorded during the same six-month period in 2001.
The severe event incidence rate during the past six months was slightly lower than the rate recorded during the prior six-month period.
* 21% of companies in the sample set suffered at least one severe event over the past six months, as compared to 23% during the prior six-month period.
* The current severe event incidence rate remains far below the rate of 43%, which was recorded during the same six-month period in 2001.
Several notable patterns of attacker activity were observed during specific windows of time.
* Attack volume and severity were considerably lower on Saturdays and Sundays than on any other day of the week, which confirms observations from the prior six-month period.
* Fluctuations in attacker activity appeared to be a function of the approximate local times in which the attacking systems were located, rather than the local times in which the victims were located.
* Internet-connected organisations experienced a notable spike in attacker activity between the hours of 12:00 and 21:00 Greenwich Mean Time (GMT) independent of each network's location or time zone. This appears to be the result of several high-volume regional sources of attacks achieving peak activity at approximately the same time.
The volume and relative severity of attacks experienced by companies continued to vary based on characteristics such as industry, size, and client tenure.
* Power and energy companies continued to show the highest rate of attacks and severe event incidence.
* Both the nonprofit and financial services sectors experienced higher rates of overall attack volume and severe event incidence, respectively.
* Larger companies, measured in terms of employee count, consistently experienced a higher volume and greater severity of attacks.
* Companies continued to show risk reduction as security monitoring client tenure increased. The severe event incidence rate for companies with less than 12 months tenure was 29%, while the incidence rate for companies with more than 12 months tenure was 17%.
Overall attack activity by apparent country of origin remained relatively consistent over the past 18 months; however, a few notable fluctuations in activity were also detected.
* The top 10 attacking countries accounted for 80% of all attacks detected during the prior six months; the United States continued to show the highest attack volume, accounting for 35,4% of all attacks.
* Attacks from South Korea increased by 62% over the past six months, establishing this country as the second largest overall source of attacks and the highest source of attacks per 10 000 Internet users among Tier One countries. One factor driving this trend may be South Korea's rapidly growing consumer broadband infrastructure. As broadband becomes more accessible in other nations, its exposure to and participation in malicious activity may also rise unless protection technologies are widely deployed.
* Several Eastern European countries showed high rates of attacks per 10 000 Internet users.
* Poland and the Czech Republic were number two and three, respectively, on the list of Tier One countries, while Romania, Latvia, Lithuania, and Slovakia were all represented on the list of Tier Two countries.
Symantec detected no verifiable cases of Cyber Terrorism during the past six months.
* Attacks from countries included on the Cyber Terrorist Watch List accounted for less than 1% of all activity.
Cases of internal misuse and abuse accounted for more than 50% of incident response engagements.
* In addition to exceeding external attacks in overall volume, the customer self-assessments of damage were particularly high for internal cases of abuse and misuse.
* High self-reported damage estimates, coupled with the relative simplicity with which the perpetrators acted, should be considered a warning sign that protecting against the internal threat is extremely important.
Vulnerability trends
Symantec documented 2524 new vulnerabilities over the past year, which amounted to an 81,5% increase over 2001.
* On average, Symantec analysts documented seven new vulnerabilities per day over the past year.
* Potential drivers of the increase include the establishment of the responsible disclosure movement, the use of several new methodologies to exploit software bugs, and increased media exposure for vulnerability researchers.
The increase in new vulnerabilities was driven by the sharp rise in moderately or highly severe vulnerabilities.
* The total number of moderate and high severity vulnerabilities documented in 2002 was 84,7% higher than the total documented in 2001. In comparison, the total number of low severity vulnerabilities was only 24,0% higher than the total documented in 2001.
* The rapid development and deployment of remotely exploitable Web applications appears to be the most substantial driver of this trend.
The relative ease with which attackers could exploit new vulnerabilities remained unchanged over the past year.
* Approximately 60% of all new vulnerabilities could be easily exploited either because the vulnerability did not require the use of exploit code or because the required exploit code was widely available.
* However, of the subset of vulnerabilities that required the use of exploit code, only 23,7% actually had exploit code available in 2002, as compared with 30,0% in 2001.
Based on vulnerabilities that surfaced in 2002, a number of high-risk future threats have emerged, which attackers and malicious code writers are only beginning to leverage.
* Known blended threats are exploiting only a fraction of the vulnerabilities that are currently documented. Because past blended threats were able to successfully exploit vulnerabilities that were known for several months, it appears that many recently discovered vulnerabilities remain highly viable targets for future threats.
* A number of widely used open source applications were Trojanised with backdoors over the past year. The attacks targeted high profile distribution sites that had taken significant efforts to protect themselves. This may serve as a warning not only to other open source projects, but also to commercial software vendors. Rather than targeting individual systems, attackers are clearly exploring alternative ways of impacting a large number of systems in a short period of time.
* Web client vulnerabilities, specifically those that affect Microsoft's Internet Explorer, should be closely watched over the next year. The volume and severity of these vulnerabilities increased substantially over the past year.
Malicious code trends
Blended threats continue to present the greatest risk to the Internet community.
* Three blended threats (namely Klez, Bugbear, and Opaserv) were the source of nearly 80% of malicious code submissions to Symantec Security Response over the previous six months.
* In addition, a large percentage of cyber attacks detected by Symantec Managed Security Services clients were caused by only a handful of both old and new blended threats, such as Bugbear, Nimda, and Code Red.
* Because recent forms of malicious code, such as Bugbear, continued to successfully exploit vulnerabilities that were at least one month old, the Internet community as a whole still appears to be highly vulnerable to new blended threats that exploit known vulnerabilities as a method of propagation.
Infection vectors (method of exploitation) and payload preferences have changed over the past six months.
* Self-replicating mass mailers experienced a sharp increase in volume. Eight of the top 50 reported threats over the past six months were classified as self-replicating mass mailers, as opposed to only one out of the top 50 during the same six-month period in 2001.
* Malicious code that steals confidential information from users has increased substantially over the past year. The potential for exposing trade secrets, sensitive financial information, and other forms of proprietary data could easily increase the damage potential by orders of magnitude.
Technologies that are just now entering the mass market present highly attractive opportunities for malicious code writers.
* High market penetration and increasing unauthorised usage of instant messaging and peer-to-peer (P2P) applications make these programs an attractive infection vector for future blended threats.
* Mobile devices are expected to achieve stronger market penetration in 2003 and 2004. Often deployed with relatively weak security protection, these devices represent a highly attractive infection vector for future malicious code.

Others who read this also read these articles

Search Site

Search Directory

  • Search for:


Previous Issues