Threats to Financial Institutions

By Tom Schmidt

According to a new report from security company Symantec, the financial services sector was the most frequently targeted industry in the last half of last year. It experienced an increase from 4% to over 6% in targeted attacks. This continues the pattern seen during the previous six-month period, during which the targeted attacker rate rose from 1% to 4%, and it was the most significant increase in targeted attack rates for any industry.

At the same time, the financial services sector experienced the highest number of severe security events -- 16 per 10,000 events -- of any industry.

In the words of the report, given "the high placement of this industry in both the 'severe event ratio' and the 'targeted attacker' metrics, it is clear that [financial institutions] must take appropriate steps to identify and mitigate risks of attack."

In light of the urgency of these metrics, this article looks at some of the report's key findings, especially those that bear directly upon the financial services industry.

Today's more sophisticated attacks

Financial institutions know all too well: attackers are launching increasingly sophisticated attacks in an effort to compromise the integrity of corporate and personal information. How sophisticated? Consider:

  • Phishing attacks are proliferating. Phishing attacks, which involve the theft of confidential information such as passwords, credit card numbers, and Social Security numbers, increased steadily throughout the second half of 2004. One indicator of this increase was the number of phishing attempts that were blocked, which grew from 9 million per week in mid-July to 33 million per week by the end of December. In total, 10,310 new phishing attacks were detected in this six-month period.
  • Threats to confidential information are on the rise. Over the past three reporting periods, threats with the potential to expose confidential information have continued to increase. Between July 1 and December 31, 2004, malicious code created to expose confidential information represented 54% of the top 50 malicious code samples, up from 44% in the first six months of the year and 36% in the second half of 2003. This is partially due to the proliferation of Trojan horses.
  • Windows viruses and worms continue to grow. Throughout 2004, Windows 32 virus and worm variants showed a significant increase in volume. Between July 1 and December 31, 2004, more than 7,360 new Win32 viruses and worms were documented. That's an increase of 64% over the 4,496 reported in the first half of the year, and 332% over the 1,702 documented in the second half of 2003. As of December 31, 2004, the total number of Win32 variants was approaching 17,500.
  • Severe, easy-to-exploit vulnerabilities are increasing. Between July 1 and December 31, 2004, more than 1,403 new vulnerabilities were documented, or more than 54 new vulnerabilities per week, or almost eight new vulnerabilities per day. Of these, 97% were considered moderately or highly severe, which means that successful exploitation of the vulnerability could result in a partial or complete compromise of the targeted system. In addition, 70% were considered easy to exploit, which means that either no custom code is required to exploit the vulnerability or that such code is publicly available. Compounding this problem, nearly 80% of all documented vulnerabilities in this reporting period were remotely exploitable, which likely increases the number of possible attackers. The time between the disclosure of a vulnerability and the release of an associated exploit increased from 5.8 to 6.4 days.

Future watch

A number of emerging trends and issues are expected to become prominent over the next year. The following are of particular interest to the financial services industry:

  • Bot networks are evolving. Bot networks are groups of compromised computers over which attackers have remote control. Such networks are closely identified with denial-of-service and phishing attacks. Over the first six months of 2004, the average number of computers identified in daily bot network scanning increased to more than 30,000 systems a day. This trend was expected to continue; surprisingly enough, the actual number of observed bot network computers fell to under 5,000 per day by the end of the year. At the same time, smaller bot networks and a significant rise in the number of bot network variants emerged. Smaller network sizes make detection based on coordinated scanning more difficult. Bot activity, needless to say, continues to be a source of concern. The security threat from this form of attack is expected to get worse, especially in financial terms.
  • Expect more damaging mobile device malicious code. Malicious code has been developed for mobile devices, namely a worm called Cabir. As cellular telephones and PDAs become more sophisticated and mobile connectivity increases, the potential for more malicious code that affects them increases as well. Experts expect that more malicious code of this nature will be seen in the wild.
  • Adware and spyware are becoming more prominent. In the last six months of 2004, adware programs made up 5% of Symantec's top 50 customer reports, up from 4% in the previous report. Five of the top 10 reported adware samples were installed via a Web browser. Nine of the top 10 reported spyware programs were bundled with other software. Impending legislation to curb these risks is not expected to be an effective or sufficient deterrent on its own.

Taking action

Navigating the threat landscape continues to be extremely challenging for the financial services industry. In light of the increasing sophistication of phishing attacks, for example, financial institutions must ensure that their end users are educated about phishing in general, and about the latest phishing scams in particular. CIOs should educate employees to never disclose any confidential personal or financial information if they have any doubts about the authenticity of any email or Web site.

As for threats with the potential to expose confidential information, users can protect themselves from these by never executing unknown applications, especially those received in email or downloaded from sources that are not known to be trustworthy. Users should also avoid using public computer terminals to log on to Web-based email or online banking sites, as the integrity of these systems cannot be verified.

Finally, with regard to proliferating Windows viruses and worms, security administrators and users should use an Internet security solution that combines antivirus, firewall, intrusion detection, and vulnerability management for maximum protection against blended threats, and ensure that recommended best practices are followed at all times. Only by taking appropriate steps to identify and mitigate risks of attack can the financial services sector hope to safeguard the security and availability of its mission-critical information.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.


 
