Web Security Threats on the Rise, Report Finds

It may not be Tony Soprano on the Web, but a new security report finds that wise-guy hackers have become increasingly organized.

Additionally, they have more targets to hit on the Internet, according to Marc Fossi, a Symantec Security researcher. Fossi is editor of the "Symantec Global Internet Security Threat Report: Trends for 2009, Volume XV," which was released Tuesday. The 97-page report can be accessed here.

"Once the malicious activity takes root, it's really difficult to get rid of it, and we're seeing that increasingly on the Internet," Fossi said. "As everybody gets more and more connected between different computer networks, it just increases the attack surface and more information stored on various sources becomes vulnerable or targeted."

According to the report, the United States is once again No. 1 with the most malicious activity on the Internet. China and Brazil came in second and third place, respectively.

Key Findings
Vulnerabilities in browser-based applications represent the fastest-rising information security flaws anywhere, the report found.

The biggest increase in malicious code was concentrated in the Europe, Middle East and Africa (EMEA) region. EMEA now leads the world in the overall volume of new viruses, worms and trojans created. The United States was found to be home to the most botnet command and control servers. It's also the most frequent target in denial-of-service attacks, according to the report.

Corrupt code, which is sold and distributed over the Internet, is becoming more widely available. Symantec found that 2.9 million new threats were developed last year in coded form. The code can become "more complex and dangerous" through additional alterations.

Malware kits, Internet threats and various client-side vectors, along with zero-day exploits, have grown. Consequently, manually patching computers to protect them from each new vulnerability is considered to be a losing battle, according to Symantec's report.

Fossi noted the emergence of do-it-yourself malware kits, including the Zeus Kit and SpyEye.

"You can create a unique binary with these kits that are professional enough to where they're selling for one hundred dollars and then be deployed," Fossi said. "You don't have to have a high degree of skill to deploy malware that is an info stealer and [it] can be configured to just lock a system."

Fossi said he's not ruling out a return of the Conficker worm, which ravaged Windows networks last year. It was the biggest worm since Blaster, which did its damage in 2003 and 2004.

"Conficker is definitely a possibility to come back, if not in its original form, in a variant or a new iteration" he said. "In the end, whether Conficker will emerge again is also a big psychology question. If you say [Conficker's authors] have moved on to something else, that's when they prove you wrong. So, yes, the possibility remains."

Best Practices
The best ways to secure an IT environment and reduce risks is to use antivirus software, firewalls and network security measures. Enterprises can initiate intrusion detection and prevention policies as well.

Fossi recommended keeping up with patch management cycles too. "Keep your browsers patched, regardless of which one you use," he said.

On top of that, there are issues with browser plug-ins and IT pros should have a strategy for managing them. The most common Web-based attack in 2009 was associated with malicious PDF activity, accounting for 49 percent of the total. Weaknesses in ActiveX are a huge issue when using Internet Explorer.

"Securing the endpoint is just as important is securing the server," Fossi explained. "With the rise of Web-based attacks, the endpoint is becoming increasingly important. Because they expand network influences, you can stumble on all types of things. Client-side vulnerabilities are being exploited more than anything else now."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • stylized illustration of an elementary school classroom under construction

    4 Educators Win Classroom Makeovers in KI Giveaway

    Furniture manufacturer KI has announced the results of its third annual Classroom Furniture Giveaway.

  • person signing a bill at a desk with a faint glow around the document. A tablet and laptop are subtly visible in the background, with soft colors and minimal digital elements

    California Governor Signs Off on AI Content Safeguard Laws

    California Governor Gavin Newsom has officially signed a series of landmark artificial intelligence bills into law, signaling the state’s latest efforts to regulate the burgeoning technology, particularly in response to the misuse of sexually explicit deepfakes. The legislation is aimed at mitigating the risks posed by AI-generated content, as concerns grow over the technology's potential to manipulate images, videos, and voices in ways that could cause significant harm.

  • glowing digital padlock at the center, surrounded by interlocking circuit-like patterns that form the shape of a school building

    FCC Cybersecurity Pilot Update: Administrative Window Opens Aug. 26

    The Universal Service Administrative Co. (USAC) has just released information on how to begin making administrative updates to prepare the user permissions necessary for the Federal Communications Commission Schools and Libraries Cybersecurity Pilot Program.

  • close-up illustration of a hand signing a legislative document

    California Passes AI Safety Bill, Awaits Governor's Signature

    California lawmakers have approved a bill that would impose new restrictions on AI technologies, potentially setting a national precedent for regulating the rapidly evolving field. The legislation, known as S.B. 1047, now heads to Governor Gavin Newsom's desk. He has until the end of September to decide whether to sign it into law.