While at RSA, I had the chance to sit down with Piero DePaoli, senior director, Global Product Marketing, Information Security with Symantec. We talked about Symantec’s 2015 Internet Security Threat Report.
DePaoli’s “elevator pitch” summary of the report was broken down into three main categories: cyber attackers are leapfrogging defenses in ways that companies lack insight to anticipate; attackers are moving faster than defenses; and malware used for mass attacks is increasing.
In the first case, attackers leapfrogging defenses, Symantec found that large companies (defined for this study as having at least 2500 employees) are at a surprisingly high risk for a targeted attack. The study showed that five out of six companies were targeted in 2014, an increase of 40 percent from 2013. Smaller companies are at risk, too, with 60 percent of all targeted attacks hitting companies under 2500 employees.
While the attackers are using the familiar phishing and spearphishing methods for attack, DePaoli said they found the attackers are also using two other potent targeting schemes. One is a water hole attack – infecting the types of websites that the targeted victim would likely visit, which is easy enough to discern from a person’s online habits. Another increasingly popular method of targeted attacks is “Trojanized” updates, where the attacker hits a particular company using a third party. As DePaoli explained:
“If you want to attack the company itself, you instead attack the software that you know the company buys. The company then downloads legitimate software, but it is already infected with malware with the intent of attacking the end customers.”
The Dragonfly Group, which I wrote about last summer, actually employed all three attack methods at the same time, DePaoli said. Spearphishing attacks might be expected by companies at this point, but they aren’t prepared for water hole and Trojanized attacks, at least not yet.
In the second case, DePaoli said that we see an all-time high number of zero-day vulnerabilities in 2014. Once a vulnerability is discovered, it is taking attackers a matter of hours to exploit them, but at the same time, it is taking a long time for these vulnerabilities to be patched. It took a total of 295 days after discovery for the top five zero-day vulnerabilities to be patched – and as we have seen with Heartbleed, even when the patch is available, companies aren’t applying it. DePaoli added this disturbing fact:
"We did a scan of legitimate websites and found that in 2014, 76 percent of them had some sort of vulnerability. They may not have been critical, but they were there. While that was down from 77 percent the year before, we thought that with all the notoriety of Heartbleed, we would have seen a greater improvement."
Why aren’t they patching? DePaoli’s theory is that companies don’t think their website will ever be attacked.
In the third case, malware developers are getting very good at evading traditional protections and detections. Sandboxes are a popular way to detect malware, but in 2014, 28 percent of the malware developed was able to evade virtual sandboxes. The solution, DePaoli said, may be that companies need to develop virtual environments that do a better job replicating human behaviors.
So what is the next step? DePaoli said this:
"Organizations need the strongest protections they can possibly have, but also have the mindset that something may get through one day. When that happens, they need to be able to quickly respond to it."
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba