For the past 10 years one IT problem has been making a slow rise in the Top Ten Charts put out by IT Analysts and Advisory firms tracking IT Systems. Lo and behold lowly Security has risen from barely making the Top Ten 10 years ago. A decade ago Microsoft was just getting serious about the Web(Internet Explorer had less than 7% market share), online Web transactions were just getting accepted and much security was by obscurity – beyond SSL for online transactions, most protection depended on good will or benign ignorance as much as deliberate protection mechanisms.
Fast forward 10 years and the story is quite different. The semi-annual Symantec Threats Report 10 of September 2006 reporting on the first 6 months of 2006 reads like a horror chapter out of a William Gibson Necromancer-like novella (it is novella in length at 120 pages). The past half year has seen the following:
1 – an increase in distinct phishing attacks by 81% from the previous 1/2 year, 84% against Financial Services
2 – Internet Explorer sees 47% of all distinct web browser attack types, leading all other browsers
3 – A reversal from the previous quarter as Firefox exceeds IE for the most critical browser attacks 38 to 27
4 – However, the continuance of Firefox as the best browser for average unpatched vulnerability days of 1 versus 9 days for IE
5 – DOS-Denial of Service attacks continue to rise with 38% directed against ISP-Internet Service Providers
6 – 54% of DOS attacks occur in the US
7 – 42% of BOT attackers originate in the US and 20% of the millions of slave machines used are based in China
8 – 86% of attacks are against and/or using Home computers; Financial Services is the second highest ranking target
9 – Symantec detected 2250 new vulnerabilities 69% of which are Web directed an 18% increase from the previous 1/2 year
10-For OS, Sun Solaris had the worst patch development time of 89 days; Windows and Redhat Linux the best of 13 days
11- For all Enterprise software the average is 28 vulnerability days down from 50 in the previous comparable period
12- 18% of all the malicious code seen by Symantec in this period were new and had not been seen before
13- 60% of the top 50 malicious code samples could expose confidential information
14- 54% of all email traffic is spam material, 1% 0f that is malicious attacks
15- For the year ahead, greatest vulnerabilities will be Microsofts Vista OS, Web 2.0 Ajax applications, & BOT attacks
Now these security concerns are reflected in other major website and security reports. Attrition.org tracks simple physical security dataloss where database disks, laptops or PCs were stolen – in the US this amounts to more than 1 per by day with average of 6000 parties being exposed by corporations, colleges, and other large public organizations. Datamation has its list of top five security threats for 2006 – and they are eerily accurate with Symantecs threat reports. More troubling is the polymorphic viruses that modify themselves on infection to prevent detection by antivirus software and then spew out DOS attacks or spam attacks causing spam to reach unprecedented 75% of email content in October.
But the bottom line comes back to Symantec and what their CEO says about the trends they are observing in Security threats:
“While a few years ago many people were much more focused on attacking the machine and attacking the broad-based activities that were going on online, now all of a sudden weve noticed a significant shift in both the type of attack and the motivation of the attack. The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers.” In essence the Security attackers are switching from hackers to determined criminals. This is a serious shift given the divisiveness in the Security industry.
Divisiveness in the Industry
There are unsettling signs of divisiveness in the Security industry. The root cause of the problems in the industry are threefold. First, the Security market has gotten very big – estimated to be $18 Billion in size and growing at 15-25% annually depending on who you talk to. That huge market has finally attracted Microsoft into the business – and that is the second problem. Microsoft is still in a state of denial on its role in security exploits whether it be OS, IE, and Application software. So then Redmond feels justified in taking aggressive positions against its one time partners (who incidentally saved its bacon many a time in the past ten years – but Redmond will have none of that). So just when the market desperately needs cohesion, but its major players are in a ugly spat over access to APIs and fundamental code. Microsoft seeks to give to its Security software exclusive access to Vista OS and other code – privileges that were available in the immediate past(do you see death to Microsofts competitors if they concede even a smidgen on this issue like I do ?).
But the third problem is the collision and rapid integration of mobile, WiFi, network, and SOA/Web Services where there is an even more diverse set of security players with very much overlapping services and a mish-mash of marketplace directions and strategies (think Cisco, Palm, Juniper, Nokia, Microsoft, NTT/Docomo, Entrust, Motorola, Nortel, Symantec, etc, etc, etc like in the King and I). Also recall how long it took PC security firms to acknowledge adware and spyware as problems they should be addressing. So just as the criminal element gets involved big-time in exploiting security weaknesses, big-time turf disputes are starting to emerge in the sprawling Security marketplace. Now just to add fuel to the fire, what major governments are using their Security apparatus to spy on their own citizens. ? Hmmmm … does this sound like the makings of an IT Security Iraq?