Cisco Q4-11 Global Threat Report

‘Tis the season for 2011 threat reports to start emerging, and here is Cisco’s contribution.  The Q4-11 report covers the period from 1 October 2011 through 31 December 2011.  This quarter’s contributors were Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Security Research and Operations (SR&O), and Cisco ScanSafe.



Highlights from the Cisco 4Q11 Global Threat Report include:

  • An overall average of 362 Web malware encounters per month occurred throughout 2011.
  • Enterprise users experienced an average of 339 Web malware encounters per month in the quarter.
  • The highest average rate of encounters occurred during September and October (698 and 697).
  • An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to 14,217/month in 2010
  • During 4Q11, 33% of Web malware was zero-day, not detectable by traditional signature-based methodologies.
  • The rate of SQL injection signature events remained steady, with a slight decrease observed as the quarter progressed.
  • Denial-of-service events increased slightly over the course of 4Q11.
  • Global spam volumes continued to decline throughout 2011. Continue reading

Hacking Forums & Breaches Analyzed

Imperva has released a study of hacker forums highlighting how they work and communicate.  They look at what hackers are discussing, collaborating on, and recruiting for, from an attack and attacker’s standpoint.

  • Apparently, DDoS comprised nearly 22% of forum discussions.
  • SQL injections took 2nd place with 19%.
  • Spam was third, with 16%.
  • Shell code & brute forcing both were 12% of discussions.
  • Zero day threats followed with 10%.

There has been a 150% growth rate in discussions regarding hacking in general for the past several years, highlighting why hacking appears to be on the rise.  A lot of time (about 25%) on these forums is spent instructing and demonstrating new techniques as well as the fundamentals, indicating that hackers are teaching and mentoring new hatchlings. Continue reading

Sophos 2011 Security Threat Report

Sophos’ threat experts see 30,000 new malicious URLs each day.

70% of these sites are legitimate websites that have been compromised.

Their 2011 Security Threat Report has been released detailing the battle against malware.

It describes the significant threats of 2010, what to watch for in 2011, and more importantly, what you need to do to get ahead of the threats.

  • .
  • One of the more persistent threats of the year was fake anti-virus, also commonly known as “scareware” or “rogueware.”  In this widespread practice, software is introduced into a victim’s computer system, through an interface closely resembling—and in some cases directly impersonating—genuine security solutions.   Criminals are using this ploy to drain bank accounts and completely take over identities.
  • The search engine is our gateway to the web, and crooks are skilled at manipulating search results from the popular engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.   These pages host security risks and browser exploits just waiting to infect users who are directed to these sites. There’s also the abuse of legitimate search engine optimization (SEO) techniques. Legitimate SEO techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as “SEO poisoning”. With SEO poisoning, search engine results are poisoned to drive user traffic to the rogue site.  Google reported that up to 1.3% of their search results are infected . You’re directed to a bad page through a poisoned search.  Once a victim is lured to the desired webpage, they’re redirected to a rogue or compromised site.  On these sites, criminals infect users’ machines with malware or push fake goods and service while attempting to steal personal information.
  • Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.  Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites.  Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base , with diverse and steadily growing of attacks throughout 2010.  One of the more common types of attack hitting Facebook users is “clickjacking,”.  These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.  Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.

Other areas that are assessed and reported on are passwords, and spam.  It’s a good report, well worth the read.

Threat Landscape Shifts

I have watched the vulnerability exploitation window move down over the years, from 1 year in the ’90s, to 3 months in 2000, and more recently to just under 30 days.  This is the amount of time that it takes for an attacker to develop working, weaponized exploit code for execution in the wild.  This development window is for privately reported vulnerabilities, and does not consider the zero-day threat where a “researcher” discovers a vulnerability and publicly discloses the details, or simply starts exploiting it.

Fortinet, a network security and unified threat management (UTM) solutions provider reveals a 61% exploitation rate of new vulnerabilities discovered in January in its January 2011 Threat Landscape report.  Fortinet says that during a typical month, exploit activity falls between 30% and 40%.  Half of new critical rated vulnerabilities were targeted, offering arbitrary code execution by an attacker on a target machine. 

In order to pull this accelleration off, they have been reverse engineering patches released by the vendors, identifying the differences between the patched and unpatched files, and then targeting their research on the changes being made to develop their exploit code.  SecurityWeek

InformationWeek is reporting that Distributed denial of service (DDoS) attacks, the bane of all online services, have broken the 100 Gbps barrier, increasing in bandwidth by 102% over the past year, and by 1000% since 2005.   This finding comes from an infrastructure security report, released on Tuesday by Arbor Networks.  The company surveyed 111 IP network operators from around the world, and found the volume and severity of attacks continues to increase.

The attacks appear to be driven by the spread of botnet malware agents that allow an attacker to use compromised computers to launch coordinated and focused attacks.  This has led to rapidly escalating DDoS attack size, frequency, and sophistication.  “Adding to the challenges facing operators is the increasing number of attack vectors, including applications and services, not to mention the proliferation of mobile devices” according to Roland Dobbins, a solutions architect at Arbor Networks.

Dealing with DDoS has been a major challenge for businesses of all size.  Solutions have been targeted at ISPs and very, very large enterprises, but have had very low adoption rates becaused of cost limitations.  ISPs can’t generally justify the expense without some sort of return on investment, and protection against a threat that may or may not materialize is a very tough sell as a value added proposition and justify in the boardroom.

Trustwave 2011 Global Security Report

Hackers continue to improve their malware, while 3rd-party vendors continue to under serve their clients when it comes to data security, and Russia appears as the single biggest source of attacks on databases according to the new Global Security Report 2011 from Trustwave.  The report is based on more than 200 data-breach investigations and 2,300 penetration tests conducted in 2010.  Payment card data once again was the most sought-after asset in 85% of Trustwave’s cases.  Sensitive company data were next at 8%, followed by trade secrets at 3%.  As reported last year, hotels were the major target in 2009.  This has shifted to food and beverage merchants in 2010.

Criminals used malware to harvest data in 76% of Trustwave’s investigations, a 23% increase from 2009.  They also used malware in 44% of cases to exfiltrate data from targeted computer systems.  The malware is getting more sophisticated, becoming virtually undetectable by current anti-virus products, according to Trustwave.  Still, many of the issues found point to human error or indifference, and not much has changed from 2009.  3rd parties were responsible for system admin in 88% of Trustwave’s 2010 investigations, often taking shortcuts such as leaving in default passwords or failing to activate firewalls.  Such shortcuts often go undetected by merchants who trust their hired security experts.

Continue reading

Cisco – Reporting & Investing

SAN JOSE, Calif. – Jan. 20, 2011 – In a major online crime turning point, scammers are shifting their focus away from Windows-based PCs to other operating systems and platforms, including smart phones, tablet computers, and other mobile platforms, according to the Cisco 2010 Annual Security Report.  The report finds that 2010 was the first year in the history of the Internet that spam volume decreased, that criminals are investing heavily in “money muling,” and that people continue to fall prey to trust exploitation.

Cisco has also announced in an unrelated story, that it has invested in Tilera, a developer of multicore processors for cloud computing and communications.  Tilera is operating “near break-even” and expects to reach profitability later this year.  The $45 million round of investments will accelerate development of its 4th-generation processor line, expand sales and marketing, and develop new products.


Continue reading

E-Eye 2011 VM Trends Report

A new vendor survey from eEye Digital Security has found many organizations are still struggling to deal with patch and configuration management issues and are often lacking efficient processes and tools to deploy patches to systems and applications in a timely manner.  The time it takes to assess and test patches can make staying on top of the patching cycle exceedingly difficult.  It is imperative to develop a method to prioritize patches and test them to ensure they don’t break any critical systems or fragile artifacts.  Standard practice is to assign each CVE record a risk score based on the vulnerability’s characteristics, combined with a risk score based on the sensitivity of the system being considered for receiving the patch.  This is NEVER a simple formula, requires in-depth knowledge of the environment, and I don’t know a single company in the world that doesn’t struggle with these patching issues.

The 2010/2011 survey of nearly 2,000 IT security professionals finds that a majority of medium-to-large organizations have vulnerability management processes in place to tackle Microsoft Windows monthly patch releases, but are still struggling to deal with so called zero-day vulnerabilities, and are lacking the staff to effectively test and deploy updates to other systems and applications.  Smaller businesses are even less prepared.

This poses a real challenge from a security perspective; there are many important security initiatives that need consideration, and IT is often buried in other projects, improving the efficiency, resilience and effectiveness of the business.  Remediation activities make a lot of IT resources unavailable for a considerable amount of time.  Some organizations simply don’t have enough staff to keep up with the requests.  A majority of companies have more than 100 applications deployed in their networked environments.  According to the stats highlights, 60% indicate that up to 25% of their deployed apps have unpatched vulnerabilities. That is a lot of exposed attack surface for attackers to exploit for network access.  Unfortunately, this stat is somewhat misleading, since it is for those who believe they have ZERO to 25% unpatched.  Zero should be a separate metric…

  • 85% of those surveyed indicate that their IT staff is too busy managing and maintaining regulatory compliance to deal with a holistic vulnerability management effort. 
  • Approximately 50% said regulatory compliance initiatives take up to half of their work weeks.

Let that sink in a second.  Half the workweek spent on compliance issues.  So, companies are stuffing money into their pockets, and relying on swiss cheese systems to keep that money from dropping out of the holes.  And we wonder why there are hacking incidents?  Why do thrill seekers climb mountains?  Because they are there, and they pose a challenge!  Why do people rob banks?  Because that is where the money is!  Why do criminals hack into businesses so foten?  Because that is where the money is, where the controls are weak, and the risk of getting caught is low! 

The trend of increasing smartphone and other mobile device penetration into the network adds to the complexity of ensuring systems are kept up to date. 31% indicated they don’t have enough personnel to handle these increased patching demands.

Some of the statistical highlights from the survey reveal the following:

  • IT security manages vulnerabilities across hundreds of applications
    • 73% have as many as 100 applications deployed
    • 18 percent have more than 200 deployed
  • Zero-Day threat identification is difficult
    • 81% ranked the degree of difficulty of Zero-Day identification as between 3 and 5 out of 5 (most difficult)
    • 20% ranked it as a 5
  • Application vulnerabilities need more of IT’s attention
    • 60% indicated that as many as 25% of their applications have unpatched vulnerabilities
  • Personnel shortages, mobile computing and zero-days challenge their patching processes

Many organizations use free Windows Update or WSUS from Microsoft.  Larger firms tend to rely on a third-party vulnerability management service or commercial product to help with patch deployment issues.  Generally, centralized vulnerability management helps alleviate some of the pain by linking together vulnerability management, patch management, configuration management, and change management processes.  Automate wherever you can, and document your processes for your own sanity, audit, and repeatability.

WebSense 2010 Threat Report

WebSense has published its 2010 Threat Report.  I have only just started reading the report, but the page that it is posted on provides these highlighted findings, affirming that while broad threats continue, focused, targeted attacks are on the rise:

  • 111.4% increase in the number of malicious websites from 2009 to 2010
  • 79.9% of websites with malicious code were compromised legitimate sites
  • 34% of malicious Web/HTTP attacks included data-stealing code
  • 52% of data-stealing attacks were conducted over the Web
  • 89.9% of all unwanted emails during this period contained links to spam sites and/or malicious websites
  • The US and China continued to be the top 2 countries hosting crimeware and receiving stolen data during 2010
  • The Netherlands has found its way into the top 5 countries hosting crimeware and receiving stolen data
  • Searching for breaking news represented a higher risk (22.4%) than searching for objectionable content (21.8%)
  • 23% of real-time search results on entertainment lead to a malicious link
  • 40% of all Facebook status updates have links and 10% of those links are either spam or malicious

The Websense report also analyzes recent headline-grabbing attacks such as Aurora, Stuxnet, and Zeus, and others for malicious and data stealing code.  Also featured are statistics on the top five hosts of data-stealing code, a deep analysis of social Web content and threats, and an in-depth link analysis of top social networks.

Get the full report from here!