Stay agile - the threat is changing and moving

Microsoft has released its Security Intelligence report covering the first half of 2008. It shows that the volume of threats is increasing and the distribution of threat types continues to evolve. An interesting aspect of the picture is that Microsoft's work in improving Windows is paying off and attackers are turning to attacking applications rather than platforms, making it imperative that enterprises patch and protect their applications promptly. However, a report by the Computer Security Institute (CSI) shows that organisations with the necessary expertise can protect themselves from these threats.

Malware volume is still increasing, but the vulnerability of Microsoft software is decreasing. Applications are now the focus of vulnerabilities.

The total number of software vulnerabilities reported during the period fell by 4%, but the number classified as high severity increased by 13%. This contradiction may be explained by changes in the incentives for finding vulnerabilities that emphasise serious failings. Operating system vulnerabilities represented just over 6% of this total, compared with over 15% in 2003. Thus the majority of vulnerabilities are in applications and hackers are exploiting this opportunity. It is now critically important to patch vulnerabilities in all software that interacts with the Internet.

Microsoft accounted for nearly 10% of all disclosures in 2003, but only around 3% in 2008. This shows the success of its efforts to improve its software development processes since it embarked on its Trustworthy Computing Initiative. The figures show a dramatic fall in infection rates with each stage in the development of the Windows platform, with the biggest single improvement coming with XP Service Pack 2.

Browser-based exploits represent a large proportion of attacks. Forty-seven percent of these came from China, pushing the US to second place with 23%. This indicates the relative weakness of Internet security in China, and of its search engines in particular.

Information theft continues to be dominated by low-tech approaches - nearly 40% of incidents involved the theft of laptops.

One of the sources that Microsoft uses to collect data is its free Malicious Software Removal Tool. This source showed that the amount of malware removed from computers worldwide increased by 43% over 2007, indicating that the problem is very much alive. Trojan downloaders accounted for 30% of this total, indicating the extent of the problem of hackers hijacking legitimate machines to act as malware servers, which is a criminal activity. One trojan downloader family has been found to have 86,000 variants (500 new versions per day). There has also been a big increase in social engineering attacks. The number of traditional viruses is now quite small.

There are wide variations in the total incidence of malware and the composition of malware across countries, reflecting their level of IT development (and hence their level of security deployment) and to a lesser extent social issues.

The threat can be beaten

Organisations that have sound security practices can beat the attackers.

The figures coming from Microsoft and several other organisations that report on the Internet threat landscape are in sharp contrast to those published by the US CSI earlier in October. The CSI conducts an annual survey of US-based businesses, comprising a detailed questionnaire. A key characteristic of this survey is that the respondents choose to participate and so we can assume that the respondents are passionate about their security efforts. About 10% of questionnaires are returned, and the results are biased towards larger enterprises. This assumption is confirmed by the response to a question that reported that 68% of respondents have a formal information security policy and a further 18% are developing one. We can assume that these are the organisations that are getting security right.

In this survey almost all types of attack decreased in 2008, apart from attacks on domain name servers. ID fraud has decreased by 20% since 2003, and most of these attacks are made by phone or involve stolen personal property rather than online subversion. The average organisation lost $300,000 in IT security incidents in 2008, compared with $3 million in 2001. They did, however, report an increase in the number of targeted attacks that they intercepted in 2008.
