Targeted Attacks Increased, Became More Diverse in 2011

The number of security vulnerabilities declined in 2011, but malicious attacks skyrocketed 81 percent from 2010, according to a new Internet Security Threat Report released by Symantec Monday. Advanced targeted attacks, in particular, were on the rise in 2011, and they are spreading to organizations of all sizes.

"Targeted attacks have changed," says Liam O Murchu, manager of security response operations for North America at Symantec. "The picture that we had before of targeted attacks was they went after CEOs or other top people in a company, and they went after very large companies and government agencies. Targeted attacks are now being spread out and used in far more scenarios."

Attackers Target Smaller Companies in the Supply Chain, Too

O Murchu said the number of daily targeted attacks increased to an average of 94 per day by the end of November 2011. While targeted attacks have traditionally focused on the public sector and large organizations, more than 50 percent of targeted attacks in 2011 took aim at organizations with fewer than 2,500 employees. Nearly 18 percent of targeted attacks focused on companies with fewer than 250 employees.

O Murchu believes attackers may be targeting these smaller companies because they are in the supply chain or partner ecosystem of a larger company and are less well defended.

Attackers, who primarily use social engineering and malware to gain access to sensitive information, are also diversifying their targets within organizations. In the past, attackers largely focused their efforts on high-level executives, but 58 percent of attacks in 2011 targeted non-executives. O Murchu says many of the targets were in roles such as human resources, public relations and sales. While these workers may not have access to the data the attacker is ultimately after, they are often a convenient vector for penetrating an organization's defenses because they are easy to identify online and are used to being contacted and sent attachments (like resumes) from unknown sources.

Since many companies lack role-based access controls that limit which resources a worker can reach according to their job function, an attacker who compromises one of these workers' accounts often inherits access to a great deal of sensitive data that the role never needed.

"What companies need to realize right now is that once attackers get inside the perimeter of their network, they're going to spread out," O Murchu says. "Your defenses should not be focused primarily on the perimeter of the network. You should have access controls set up correctly on all of your valuable data. And you should have applications in place that can watch for the loss of valuable data."
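The two points above, limiting what one compromised account can reach and watching for access that falls outside a role, can be shown in a few lines. The following is an added example, not code from Symantec's report or the CIO.com article: a minimal default-deny role check, a comparison of the blast radius of one phished sales account under a flat policy versus a role-based one, and a detector that flags accesses the role policy would refuse. The resource catalogue, roles and the sample access log are all constructed for illustration.

```python
"""Default-deny role-based access check and out-of-role access detection.

Added example; the resource names, roles and events are hypothetical."""

from dataclasses import dataclass

# Constructed resource catalogue: each sensitive data set mapped to the
# roles whose job function legitimately needs to read it.
RESOURCE_ACCESS = {
    "hr/salaries":        {"hr"},
    "hr/cases":           {"hr"},
    "sales/pipeline":     {"sales", "executive"},
    "finance/quarterly":  {"finance", "executive"},
    "engineering/source": {"engineering"},
    "pr/press-releases":  {"pr", "sales", "executive"},
}


def rbac_allowed(role: str, resource: str) -> bool:
    """Default deny: unknown roles and unknown resources are refused."""
    return role in RESOURCE_ACCESS.get(resource, set())


def flat_allowed(role: str, resource: str) -> bool:
    """The 'no role-based access management' case: any user reads anything."""
    return resource in RESOURCE_ACCESS


def exposed_resources(role: str, policy) -> list:
    """Resources readable by `role` under the given policy function."""
    return sorted(r for r in RESOURCE_ACCESS if policy(role, r))


def blast_radius(role: str) -> dict:
    """What an attacker reaches after compromising one account with `role`."""
    return {
        "flat": exposed_resources(role, flat_allowed),
        "rbac": exposed_resources(role, rbac_allowed),
    }


@dataclass
class AccessEvent:
    user: str
    role: str
    resource: str


def out_of_role_accesses(events) -> list:
    """Accesses the role policy would deny. In a deployment without RBAC these
    succeed silently, so they are exactly the events worth alerting on."""
    return [e for e in events if not rbac_allowed(e.role, e.resource)]


# Constructed sample log: a sales account that has been phished begins
# reading HR and finance data it never needed for its job.
SAMPLE_EVENTS = [
    AccessEvent("alice", "sales", "sales/pipeline"),
    AccessEvent("alice", "sales", "pr/press-releases"),
    AccessEvent("alice", "sales", "hr/salaries"),
    AccessEvent("alice", "sales", "finance/quarterly"),
    AccessEvent("bob", "hr", "hr/cases"),
]

if __name__ == "__main__":
    radius = blast_radius("sales")
    print("flat policy exposes:", radius["flat"])
    print("rbac policy exposes:", radius["rbac"])
    for event in out_of_role_accesses(SAMPLE_EVENTS):
        print(f"ALERT: {event.user} ({event.role}) read {event.resource} outside role")
```

Under the flat policy the phished sales account reaches all six data sets; under the role policy it reaches two, and the two HR and finance reads become alertable events rather than normal traffic. The same `rbac_allowed` check serves both enforcement and detection, which is what keeps the two views consistent.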

More Than 232 Million Identities Exposed in 2011

Symantec found more than 232.4 million identities were exposed overall in 2011, with an average of 1.1 million identities stolen per data breach. Attackers especially targeted the healthcare vertical. At 43 percent, healthcare topped the list of sectors by number of data breaches. Government and education were numbers two and three, with 14 percent and 13 percent, respectively.

"We did see healthcare particularly targeted," O Murchu says. "It's likely that's because the attackers see healthcare providers as an easier target. They know they're going to have a large amount of information on their customers if they can get in."

But while the healthcare sector led the pack in number of data breaches, the picture is very different when measured by the number of identities exposed. There, healthcare was third, accounting for 8 percent of identities exposed in 2011. Instead, the computer software and information technology sectors accounted for by far the largest share. The computer software sector accounted for 44 percent of identities exposed, despite representing only 5 percent of data breaches in 2011. The information technology sector accounted for 41 percent of identities exposed, despite representing only 3 percent of data breaches in 2011. A few very large breaches in those sectors, rather than many small ones, drove the totals.

Data Breaches Most Often Result of Lost or Stolen Devices

Hacking attacks were not the most frequent cause of data breaches, but they had the greatest effect. Hacking attacks exposed more than 187.2 million identities in 2011, according to the Norton Cybercrime Index. Lost or stolen devices, including USB sticks, laptops, smartphones and tablets, accounted for 34.3 percent of breaches, making them the largest single category by count. Theft or loss of these devices accounted for 18.5 million exposed identities.

Even when lost devices are returned, sensitive information is likely to have been subject to unauthorized access. Symantec recently concluded its Symantec Smartphone Honey Stick Project, in which it seeded 50 smartphones with simulated corporate and personal data in locations in five cities across the U.S. and Canada and waited to see what would happen. The phones were left in places like elevators, malls, food courts and public transit stops.

Only one-half of the people who found one of the phones made an attempt to return it. And whether or not it was returned, 96 percent of the phones were accessed by the finders. That access usually went far beyond what was necessary to identify the owner of the phone. For instance, six out of 10 finders attempted to view social media information and email, while eight out of 10 finders tried to access corporate information, including files clearly marked as "HR Salaries," "HR Cases," and other types of corporate information.

Attackers Experimented with Mobile Malware in 2011

Much has been made in past years of the increasing risk of mobile malware, especially with the explosive growth of smartphones and tablets, and 2011 was no exception. Symantec found that 2011 was the first year that mobile malware presented a tangible threat to businesses and consumers, with threats primarily designed for data collection, the sending of content and user tracking. O Murchu says mobile vulnerabilities increased by 93 percent in 2011. That said, mobile threats still significantly trail PCs in terms of actual attacks.

"Mobile phones are selling faster than PCs now," O Murchu says. "From that point of view, you would expect attackers to be focused largely on mobile phones. We are seeing it grow rapidly, but it's still very small comparatively. [Attackers] will only move to a platform when they know it can be profitable for them."

"We're seeing attackers trying out different techniques on smartphones to see what works for them, to see which ones are going to make them money," he adds. "They try one technique and then move on to another."

He explains that one attacker Symantec identified in 2011 had infected thousands of mobile phones. His software instructed each infected phone under his control to send one premium-rate SMS message per month.

"He was able to earn $1 million a year," O Murchu says. "He was capable of earning a lot more than that, but he was spacing out the premium text messages that the infected phones sent over time."

Spam Decreased in 2011

One bright note in Symantec's report is that spam levels dropped considerably in 2011, from 88.5 percent of all email in 2010 to 75.1 percent of all email in 2011. Symantec said that on average, 42 billion spam messages were in global circulation per day in 2011, compared with 66.1 billion per day in 2010. Some of that may be the result of the takedown of the Rustock botnet. That botnet primarily pumped out pharmaceutical spam, and that category of spam was down 34 percent between 2010 and 2011. However, Symantec noted that the drop in spam may also be a result of attackers turning their attention to social networks as attack vectors. Recipients of such messages in social networks are often more apt to believe the links come from a trusted source.

Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for CIO.com.