Symantec’s Andrew Horbury provides detailed website security statistics globally and elaborates on targeted attacks by company size, industry and job function.
So, let’s take a quick look at BlackHole, which works in the following way: it is an exploit kit used to inject malware when a potential victim is on a website that has some form of unpatched vulnerability, or is redirected to such a site from another compromised website. Hackers typically use exploit kits to drop malware such as botnets built with the Zeus toolkit, rootkits, or fake antivirus packages that are intended to be sold as fraudulent malware protection.
And actually, Redkit works in a very similar way. As I’ve mentioned earlier, we’ve seen quite a re-emergence of Redkit after the author of BlackHole, a guy named “Paunch”, was arrested a few months ago. Those tools have been termed a “cyber criminals’ Swiss Army knife”, and what makes them so prevalent is that they remain effective over and over again. And because of this effectiveness, we see large botnets being created. The goal of attacks, generally, is to make or steal money, and for instance if a hacktivist hacks a large multi-national bank, they’re stealing your records from your bank. Every day even seemingly innocuous sites are targeted. In fact, even the most reputable sites get compromised and serve malicious software from time to time, which is why it’s important to use a layered security approach and remain vigilant whilst online. A web service can also be attacked by malware just like a desktop PC. In 2012, the Symantec Website Security Solution division, the part of Symantec that I work for, scanned 1.5 million websites for malware. We scan over 135 URLs for malware each day, finding that 61% of sites serving malware are actually legitimate sites. 53% of legitimate websites have some form of vulnerability, and 25% appear to have critical unpatched vulnerabilities (see right-hand image). The most common vulnerability we found was cross-site scripting (XSS), which is often just what the toolkits are looking for. With 5,291 new vulnerabilities reported in 2012, it’s critical to keep up to date with patches. Many of us say: “We’re absolutely up to date with software and application updates across every single device that we use today,” and then all of a sudden I realize there’s an update pending on my phone which I should launch as soon as I’m done presenting today. It’s relatively easy to fall behind in this process.
And with all of these unpatched vulnerabilities in legitimate websites, there’s often really no need for the malware authors to set up their own. As a reminder, with 61% of all malicious sites being legitimate sites, there’s often very little need at all. Let’s take a brief look at web-based attacks (see right-hand image). These are also successful because often small and medium-size businesses, as well as consumer systems, are not up to date with the latest patches for browser plugins such as Adobe Flash, Acrobat, or perhaps the Java platform. Well, while a lack of attentiveness can be blamed for consumers in terms of the updates, often in larger companies older versions of these plugins are required to run critical business systems, making it harder to upgrade to the latest versions. Such patch management predicaments, with a slow patch deployment rate, make companies especially vulnerable to web-based attacks. So, why am I telling you this? I mean, you may think it’s unlikely that your company will be targeted, right? Well, over the next few slides we will be looking at levels of malware and global vulnerabilities that Zeus has been targeting. And yes, it might be in your companies – we’ll take a look at the types of companies that have been targeted. As we can see, it’s right across the board (see right-hand image). Most concerning is that it’s not just the big firms that have been targeted – a sweet spot is the 1-250 employee group, such as a small business or a startup. Take note: security really is important. Just focusing on small businesses, in a recently published report based on a survey of over 2000 small businesses conducted by the Federation of Small Businesses, which is a lobby group here in the UK, they collected some interesting statistics relating to cybercrime in the United Kingdom (see left-hand image). And although this is a UK study, I don’t think that it’s particularly specific to the UK. Many other studies show similar findings in other countries.
So, just looking down the list here, 41% have been a victim of cybercrime in the past 12 months. 20% have had a virus infection in their business. 8% have suffered from a hacking incident. But what’s particularly interesting, the really worrying statistic, is that 20% have not taken any steps to protect themselves at all. In a pool of 2000+ surveyed businesses, that’s at least 400 businesses that are probably at high risk. 36% say they regularly apply security patches, which leaves a huge pool of either those that do not do it at all or do it somewhat haphazardly. And bearing in mind the info in one of my previous slides that indicates that 53% of legitimate websites have vulnerabilities, you can start to see just how hacktivists and cybercriminals can get into companies.
However, on a positive note, nearly 60% of those surveyed say that they keep their antivirus software up to date. I’m sure you’re all aware that using an up-to-date antivirus solution is of course a great step forward, but it’s not necessarily enough against the attackers of today, where you need to take a layered approach to security: having firewalls, having antivirus, having a demilitarized zone, having SSL encryption, etc. So it looks pretty clear from this particular survey that security is still not taken as a serious concern among small businesses, and for many it just appears to be an obstacle. There’s a widespread availability of the toolkits we were speaking about earlier, and quite often these toolkits are, relatively speaking, quite simple to use – you don’t even necessarily have to be a computer mastermind or a security expert in order to use them. Even a group of users with relatively low-level expertise can, with some management, pull off a devastating attack. And when you consider that that’s what an amateur can do, imagine what impact a more serious, more proficient user or set of users can have. The methods of hacktivists include email bombs, spam and virtual blockades, as illustrated by the bank story that I provided a little bit earlier, which was a DDoS attack combined with physical effects. You can start to see how the hacktivists have taken their methods to the new world. Of course, these are in addition to general hacker activities such as web hacking, defacement, and malicious code attacks. As you can see on this slide here (see left-hand image), the breadth of the industries being attacked is incredibly wide-ranging; it’s not just focusing on any one particular industry; it’s many different types. And you can also see that it’s not only the industries that are being targeted, but also many different types of people, and their job function, are being targeted (see right-hand image).
So, while some hacktivists break into systems to steal data for their own gain, others use brute-force and DDoS attacks to shut down target websites for ideological reasons.