Chad Perrin: SOB

3 April 2007

Security Analysis: Symantec ISTR XI (Attack Trends Highlights)

Filed under: Security — apotheon @ 01:31

In yesterday’s analysis I presented some coverage of the executive summary of Symantec’s Internet Security Threat Report, volume XI. Today, I’ll present an analysis of the Attack Trends Highlights from the Executive Summary Highlights section of Symantec’s report. I will be providing analysis of further content of the ISTR XI on a (hopefully) daily basis, until I decide I’m finished.

Interesting Numbers:

Symantec’s Internet Security Thread Report volume XI provides a number of interesting statistics in its “Attack Trends Highlights”. The following is commentary on some of the more suggestive statistics.

  • 25% of identity theft related breaches occurred in “the government sector”, according to Symantec. In one respect at least, this is unsurprising — most of government’s more accessible data in peripheral agencies is related to personally identifying information, and the government loves to use social security numbers to keep track of people. In addition, the higher than average level of data integration and sharing across organizations that occurs in government agencies turns what would be multiple separate targets into one huge, almost homogeneous buffet serving of information useful for “identity theft” activities. It’s one-stop shopping for identity theives. Some may find this startling nonetheless because of decades of Hollywood treatments of the extremely paranoid security of government agencies, but it’s worth noting that organizations like the VA and IRS are not the same as the NSA and CIA — and even agencies like the NSA and CIA have pulled some bone-headed maneuvers, like the publicly released redacted PDF that we all know and love, wherein classified data was marked out as if with a black marker. All one had to do is strip away the PDF layer that rendered the black mark, and the text was fully visible. Additional attack types show similarly government weighted trends, indicating that it is not solely in the area of identity theft that government agencies are the targets of choice, however.
  • 54% of identity theft related data breaches involved the theft or loss of data storage media, according to Symantec. The VA’s storied loss of a laptop with identifying data for thousands of veterans stored on it in a database really illustrates this problem. The statistic is very misleading in its inclusion in the “Attack Trends Highlights”, however, as loss is not the same as theft. There’s no attack involved in some idiot civil servant leaving a laptop on a commuter train, for instance. For real relevance, this metric should have been confined to actual data security attack trends, rather than improperly including irrelevant statistical data such as by conflating carelessness and lack of effective physical security policy with computer security cracking attacks.
  • 5,213 DoS attacks took place per day, according to Symantec. This is almost certainly a lower-bound number, as obviously Symantec is not privy to all Internet activity everywhere. These were statistics gathered by attack detection by Symantec software or culled from DoS attack reports to which Symantec had access. The number seems to indicate a downward trend, but it is still such a high rate of DoS attacks (especially as a lower bound estimate) that anyone running a production deployment network with Internet connectivity cannot afford to ignore the necessity of DoS countermeasures at the firewall.
  • 77% of all attacks that target Web browsers specifically targeted Internet Explorer, according to Symantec. The only surprise here might be that the number is not higher. Interestingly, this statistic nearly matches the best estimates of Internet Explorer’s market share among Web browser applications. Unfortunately, I do not have access at this time to any statistics related to frequency of browser-specific attacks that come with raw data and collection methodology explications, so I cannot really comment authoritatively on whether Symantec’s data gathering is flawed. Assuming it is not, one possible interpretation of this data is that all browsers receive roughly equivalent attention from malicious security crackers, contrary to common beliefs about the largest target getting the lion’s share of attention in an exponentially increased fashion. This is, if accurate, an even stronger refutation of the “security through obscurity” arguments all too common among those who fancy themselves security experts without any real understanding of the principles than even I had expected (see my article Security through visibility: The secrets of open source security for more on that subject). In fact, it’s suspiciously almost too good, and I’m inclined to be distrustful of Symantec’s methodology.
  • 93% of all targeted attacks targeted the “home user sector”, according to Symantec. This is as contrasted with untargeted attacks, which include spam, phishing, and other security threats that are not tailored to a specific intended victim. The next time someone says he doesn’t use a firewall because there’s nothing on his computer that anyone wants, you might want to show him this statistic.
  • 63,912 bots (aka “zombies”) per day, on average, were observed in operation by Symantec. It’s an increase over the previous reporting period, but not an unexpected increase, as the number of computers that are vulnerable to this sort of abuse increases daily, and as Symantec’s measuring process presumably improves. The indicator you should draw from this is that it is important to check your systems regularly for signs of compromise. A single virus scanning application like Norton AntiVirus is by no means sufficient.
  • Israel, Taiwan, and Poland were the three top-ranked countries for malicious activity per capita, amongst Internet connected computer users, according to Symantec. I don’t have any further comment on the matter at this time, as I’m not sufficiently familiar with the similarities in legal systems and Internet infrastructure of these three nations to provide any authoritative analysis.

Closing:

This has been the second installment in my security analysis of the Symantec Internet Security Threat Report, volume XI. This is a series of daily posts collected under the SOB category Security. You may follow this series (and further security-specific posts) via RSS using the Security Category RSS Feed.

Next, I will continue my overview of Symantec’s “Executive Summary Highlights”, with specific attention on the “Vulnerability Trends Highlights”, in brief.

3 Comments

  1. […] View more […]

    Pingback by Identity Theft Blog » Blog Archive » Security Analysis: Symantec ISTR XI (Attack Trends Highlights) — 3 April 2007 @ 04:59

  2. […] unknown wrote an interesting post today onHere’s a quick excerptIn yesterday’s analysis I presented some coverage of the executive summary of Symantec’s Internet Security Threat Report, volume XI. Today, I’ll present an analysis of the Attack Trends Highlights from the Executive Summary Highlights … […]

    Pingback by live update » Security Analysis: Symantec ISTR XI (Attack Trends Highlights) — 4 April 2007 @ 12:39

  3. […] In yesterday’s analysis I presented some coverage of the “Attack Trends Highlights” of Symantec’s Internet Security Threat Report, volume XI. Today, I’ll present an analysis of the Vulnerability Trends Highlights from the Executive Summary Highlights section of Symantec’s report. I will be providing analysis of further content of the ISTR XI on a (hopefully) daily basis, until I decide I’m finished. […]

    Pingback by Chad Perrin: SOB » Security Analysis: Symantec ISTR XI (Vulnerability Trends Highlights) — 4 April 2007 @ 11:15

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License