Web threats continue to rise

Latest Symantec threat report finds a big increase in site-specific attacks

Phil Muncaster, IT Week 08 Apr 2008

Web security threats jumped again in the second half of last year, driven by continuing vulnerabilities in web applications and the growing maturity of the underground criminal economy, according to security vendor Symantec.

The firm's biannual Internet Security Threat Report, covering July to December 2007, found that phishing hosts – computers which host one or more phishing sites – increased in number from 32,939 in the first half of 2007 to 87,963, a 167 per cent jump. Total new threats detected in 2007 numbered 711,912 compared to 125,243 in 2006 – an increase of 468 per cent.

The report also highlighted a growth in web application vulnerabilities, especially site-specific ones, which criminals are increasingly looking to exploit because they are less likely to have been patched. The number of site-specific cross-site scripting vulnerabilities during the period was 11,253, as opposed to only 2,134 traditional vulnerabilities.

"There has been a huge increase in the number of threats out there – they've almost doubled – and it's happening because there's a lot more investment in automation [by the criminals]," argued senior director of global services at Symantec, Richard Archdeacon. "On the other side, there has been a huge increase in web app vulnerabilities; we need to bring up to speed everyone in the web area."

The report pointed to the growing sophistication of the underground malware economy, as it seeks to draw lessons from business to increase success rates.

In particular, it reported the outsourcing of malware production to certain countries, and the increasing agility with which the criminals are operating – switching command and control centres before law enforcers can find them.

"This is being done on a massive scale now. Specialist teams buy and sell threats – it's almost a cottage industry," said Archdeacon. "There is the ability to generate industrial amounts of code and new vulnerabilities on sites give them a target."

Mike Maddison, UK head of security and privacy services at consultancy Deloitte, agreed that the malware industry is maturing at a dangerous rate. "What we've seen develop over the last two years is that the technical capabilities of organised crime have become significant and is generated out of particular geographies," he added. "They have the ability to respond much more quickly than organisations can."

Maddison added that basic web application vulnerabilities exist in about 80 per cent of the firms Deloitte checks, and warned that they need to make their development processes more robust by "building security into the lifecycle".

"For a long time availability was the challenge for customers, but with the advent of Trojans [that can steal information], it's very much about taking an information-centric view of protecting your assets, because that's certainly what the criminals are after," said Maddison.

In related news, a new survey by security vendor Fortinet has found that outsourcing your coding practice could increase the risk of that code being hacked.

According to the report, 60 per cent of companies that outsource the coding of their critical applications don't mandate that security must be built into the applications, and 20 per cent don't consider security when building applications. Yet despite this, 84 per cent of respondents said that code development is business critical or important.

"For a lot of firms the point of outsourcing is cost reduction, but when that's your aim you're trying to cut corners," argued Rob Rachwald of Fortinet. "If you offshore code the developers may also lack that security coding exposure – they're not thinking about the negative functionality; how people can take advantage."

Rachwald added that if firms are to protect their mission-critical code, the order needs to come from the top down to focus on negative as well as positive functionality in the development of new applications.
