2006 By the Numbers - Information Security Countdown

By the time this is published, 2006 will be history. Here’s a look at some of the information security events that affected everyone in 2006. We pause now and breathe a sigh of relief that these numbers weren't any higher.

Numbers We Want to Forget

Data breaches were hitting the headlines almost every week in 2006, with an estimated 100 million records compromised due to security breaches, according to the Privacy Rights Clearinghouse, which has tracked breaches since the ChoicePoint incident in 2005. With all the press coverage and consumer awareness of the issue, expect Congress to take up the matter this year in earnest. We will most probably see several legislative bodies arm wrestling over who gets top enforcement duties under whatever form the federal law takes. That is aside from the 30+ state laws already on the books that relate to data breach notification. Secure your sensitive data now before the waves of regulations begin washing up on the walls of your institution.

Sometimes Zero Isn’t a Good Number

A total of 14 notable zero-day vulnerabilities were found in 2006. The majority (11) were in Microsoft Office productivity software suites. That’s right, those “zero day” flaws weren’t discovered until after hackers had used them to target businesses for financial gain. Microsoft also issued 97 software updates in 2006 that were rated “critical,” meaning that hackers could exploit the underlying flaws to sneak into vulnerable PCs with no action from the user. In 2005 there were only 37 critical updates. You can do the percentage math yourself.

For the folks who think that Vista will solve every problem, um, there may be a few flaws to be worked out before declaring victory. Did you already plan to install Vista on your institution’s desktops? First, the vulnerability hits the headlines, then later, the patch for it. Don’t make plans to take any days off for a few months.

Malware: Quarter Million and Climbing

The past 12 months also saw cybercrime move closer to a for-profit model, especially in the creation of computer malware. F-Secure, the Finnish anti-virus firm, says there will be at least 250,000 known PC viruses as this year gets going.

"Cybercrime is no longer in its infancy. It is big business," said Greg Day, security analyst, McAfee, Inc. "Criminal entrepreneurs can make fast money with minimal risk and their ranks are growing with that realization. With technology continually evolving, criminal opportunity is evolving into something that is global and unrestricted by geography, language or appearance." The McAfee Virtual Criminology Report 2006 highlighted how the virtual anonymity and stealth of attack that the online environment affords mean that detection is a growing challenge for law enforcement. (This also applies to financial institutions, as we, along with our customers, are targets of this new breed of cyber criminals.)

Spam’s A Lot of Zombies – 8 million

A report on spam by e-mail security firm Commtouch Software dubs 2006 the "Year of the Zombies." The study found that "zombies" can number up to eight million hosts globally on a given day. As a result, spam volume increased greatly in 2006, according to the report. "Spam outbreaks got bigger, faster and smarter during 2006," said Amir Lev, president and chief technical officer of Commtouch, based in Netanya, Israel.

"Innovative spammers quickly developed new techniques to bypass common anti-spam technologies and amassed huge zombie botnets. Outbreaks were so fast, massive and sophisticated that most anti-spam solutions had great difficulty defending against them." Zombie activity, the report found, accounts for 85 percent of the spam circulating on the Internet. Multi-wave image-spam outbreaks brought the spam bloat to 1.7 billion MB per day. eBay and PayPal remain top targets for fraud, their names being used in 50 percent of all phishing attempts, the report said.

Botnet armies containing as many as 200,000 zombies sprang up as they sought out weakly protected computers with fast Internet connections, primarily home broadband users. Commtouch labs estimates there are 6-8 million zombie IP addresses active on any given day. Compromised zombie machines come in and out of circulation constantly; approximately 500,000 new PCs are captured into zombie botnets each day. The report issued in the last week of 2006 noted a typical botnet can send 160 million spam emails in just two hours.

Phishing Increases, Changes Tactics

Phishing is the color of money. And phishers in 2006 continued to target well-known businesses, and even government agencies in their race for sensitive information. Even the FDIC was a target in 2006, and the financial services industry continues to hold the record for percentage of phishing emails targeting their brands – 92 percent.

The number of phishing scams spotted online exploded during the month of October -- a record 37,444, according to the Anti-Phishing Working Group, an industry coalition aimed at stamping out online fraud. That's 12,000 more phishing sites than were spotted in August, and nine times as many phishing sites as were discovered in October 2005.

Phishers are also devising increasingly sophisticated methods to reach their targets, and are evading the phishing detection toolbars on popular browsers. Their sights are narrowing too, with increased “spearphishing” and “puddle phishing.” The tactics are evolving, and phishing emails are increasingly seen with key-logging Trojans attached to swipe sensitive information from users' PCs. The phishers are then using those Trojans and exploited browser vulnerabilities to secrete malware on the PCs of prospective marks. To dodge the phishing detection toolbars, phishers put their “faked” web sites on the same servers and then send the emails that point to those servers through computers that are part of their botnet army.

If you’ve already implemented a strong authentication method for your online users, you can draw a breath now. For those reading this who haven’t yet come up with a solution for strong authentication, a gentle reminder: you may want to start. Or you can begin reviewing your incident response team plan.

What 2007 Has in Store

Here are some of our crystal ball predictions. The next year we’ll face even more regulations from every government agency, especially favorites like BSA, AML, FFIEC, and on we go. We’ll be filling out the new suspicious activity reports, preparing our institution for the next round of auditors and assessing our preparedness for the predicted pandemic. All of this and we’ll still perform our regular work to battle against the criminals intent on breaking down our institution’s defenses. Let us know how your battlefront is holding up in 2007.

Definitions:

Spear phishing: an email spoof attempt that targets a specific organization, e.g., your institution, seeking unauthorized access to confidential data. As with regular phishing emails, spear phishing messages appear to come from a trusted source. In the case of spear phishing, the apparent source of the e-mail is likely to be an individual within the recipient's own company, and generally someone in a position of authority (e.g., an email from your senior management or a board member).

Puddle phishing: a term coined by security firm Websense that describes phishing attempts made against smaller banks and credit unions. By targeting a bank with just a few branches, the pool of potential phishing prey is reduced to a much smaller number, sometimes just a few thousand people. Websense noted that it is seeing more and more of the smaller financial outlets being targeted by phishing attacks, which may indicate that this is a highly profitable scam.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
