The abstract of Zscaler's State of the Web report for the fourth quarter of 2009 doesn't pull any punches. The first lines state:
"Attackers are no longer targeting web and email servers. Today, they are attacking enterprises from the inside out, by first compromising end user systems and then leveraging them to gain access to confidential data."
According to Symantec, data theft costs companies millions of dollars, but protecting that data is still a problem for many companies. And part of the problem stems from IT departments that still focus on old methods of attack.
Some specific points from the Zscaler report include:
- Enterprises are vulnerable to targeted attacks that exploit employee behavior, such as advanced persistent threats.
- IE 6.0 remains a significant threat for large organizations.
- Organizations haven't come close to uncovering all the botnet zombies in their organizations.
- Users are cleverly getting around corporate policies and visiting blocked sites.
- Many transactions from corporate networks are going to darknets (file-sharing).
The report states that an increasing amount of malware is infecting computers through legitimate Web sites. This is a growing concern given the trend of permitting user-supplied content to be shared. Unfortunately, many sites are doing little to ensure that the hosted content is not malicious before it is stored for others to access.