Volume of cyber security threats on the rise, warns Microsoft

5 Nov 2008

The volume of threats in the online world is increasing and the distribution of these threats continues to evolve, Microsoft has warned in its Security Intelligence Report on the first half of 2008.

Malware volume is still increasing, but the vulnerability of Microsoft Windows software is decreasing. Applications are now the focus of vulnerabilities.

The total number of software vulnerabilities reported during the period fell by 4pc, but the number classified as high severity increased by 13pc.

Operating system vulnerabilities represented just over 6pc of this total, compared with over 15pc in 2003. The majority of vulnerabilities are in applications and hackers are exploiting this opportunity.

It is now critically important to patch vulnerabilities in all software that interacts with the internet, Graham Titterington principal analyst with research firm Ovum warned.

Microsoft accounted for nearly 10pc of all disclosures in 2003, but only around 3pc in 2008. “This shows the success of its efforts to improve its software development processes since it embarked on its Trustworthy Computing Initiative,” said Titterington.

“The figures show a dramatic fall in infection rates with each stage in the development of the Windows platform, with the biggest single improvement coming with XP Service Pack 2.”

Browser-based exploits represent a large proportion of attacks. Some 47pc of these came from China, pushing the US to second place with 23pc. This indicates the relative weakness of internet security in China, and of its search engines in particular.

Information theft continues to be dominated by low-tech approaches – nearly 40pc of incidents involved the theft of laptops.

One of the sources that Microsoft uses to collect data is its free Malicious Software Removal Tool. This source showed that the amount of malware removed from computers worldwide increased by 43pc over 2007, indicating that the problem is very much alive.

Trojan downloaders accounted for 30pc of this total, indicating the extent of the problem of hackers hijacking legitimate machines to act as malware servers. This is a criminal activity. One of these has been found to have 86,000 variants (500 new versions per day). There has also been a big increase in social engineering attacks. The number of traditional viruses is now quite small.

There are wide variations in the total incidence of malware and the composition of malware across countries, reflecting their level of IT development (and hence their level of security deployment), and to a lesser extent social issues.

The threat can be beaten, said Titterington. “Organisations that have sound security practices can beat the attackers.

“The figures coming from Microsoft and several other organisations that report on the internet threat landscape are in sharp contrast to those published by the US CSI earlier in October. The CSI conducts an annual survey of US-based businesses, comprising a detailed questionnaire.

“A key characteristic of this survey is that the respondents choose to participate and so we can assume that the respondents are passionate about their security efforts. About 10pc of questionnaires are returned, and the results are biased towards larger enterprises.

“This assumption is confirmed by the response to a question that reported that 68pc of respondents have a formal information security policy, and a further 18pc are developing one. We can assume that these are the organisations that are getting security right.

“In this survey, almost all types of attack decreased in 2008, apart from attacks on domain name servers. ID fraud has decreased by 20pc since 2003, and most of these attacks are made by phone or involve stolen personal property rather than online subversion,” Titterington said.

“The average organisation lost US$300,000 in IT security incidents in 2008, compared with US$3m in 2001. They did, however, report an increase in the number of targeted attacks that they intercepted in 2008.”

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years