
Some Sobering Security Stats

Symantec today released its latest report on Internet security, cataloging 2,249 software vulnerabilities discovered or reported from January through June 2006 -- the most the company has ever recorded in a six-month period.

Nearly 80 percent of the vulnerabilities were considered easily exploitable and involved Web browsers or Web applications such as blogging and shopping-cart software.

Hackers often use Web application flaws to deface Internet sites -- thousands of sites are defaced each day thanks to this class of vulnerabilities. Annoying as they are, however, defacements aren't the real problem. Criminals can exploit the same Web application flaws to gain access to sensitive databases, access that can drive credit card and identity theft. Online criminals also can use Web app flaws to hijack legitimate sites and redirect visitors to sites that try to install spyware and other malicious programs.

Web application flaws can even cause a Web site to become a drone in a massive army of computers that organized criminals use to launch crippling and extortionist attacks against other Web sites. According to Symantec's stats, the first six months of 2006 brought an average of 6,110 distributed denial-of-service attacks (DDoS) each day.

That figure is a low-ball number, as Symantec only measured DDoS attacks in cases where the perpetrators faked the Internet addresses of the compromised computers doing the attacking. With millions of compromised machines on the 'Net these days available for use in DDoS attacks, spoofing the source Internet address of drone computers is really not necessary, and the practice is now a lot less common than it used to be.

Other stats of interest in the report: Microsoft's Internet Explorer was the most frequently targeted Web browser, drawing 47 percent of all attacks. Mozilla's Firefox and other browsers had the most flaws, 47 (IE had 38), but IE continued to have the largest window of exposure to known security flaws.

A PDF copy of the Symantec report can be downloaded here.

By Brian Krebs |  September 25, 2006; 2:35 PM ET Latest Warnings

Comments

Anyone else getting 'threat fatigue'? All this gloom and doom, every day.

Yet, you rarely get any actual dollar figures attached to these vulnerabilities. How about data on how much identity fraud is accomplished via hacking vs. stealing it through old fashion methods? The last study on IT security costs that I read from the Computer Security Institute was that security costs associated with attacks were actually down from last year. How can this be? A culture of IT fear may be good for sales, who knows?

I think it would be nice to attach some real economic numbers to exploits rather than just say, there are a 2300 vulnerabilities out there and suggest that we are in deep trouble. People are going to ignore reports like these.

Posted by: Tim B | September 25, 2006 4:01 PM

> Anyone else getting 'threat fatigue'? All this gloom and doom, every day.

Their recent specialty has been a series of self-serving "be afraid of Vista" reports.

Posted by: JohnJ | September 25, 2006 4:39 PM

It all boils down to one truth: everyone believes it could never happen to them anyway...

Posted by: Mike M | September 25, 2006 8:37 PM

How much money does Symantec Corporation stand to make by coming out with a report like this? This whole thing makes about as much sense as me coming out with a report that says bear attacks are up, and then turning around and saying 'Hey, wanna buy this anti-bear spray I'm selling?' Where is the independent research to back their claim?

Posted by: Kevin R | September 26, 2006 10:49 AM

Scare tactics is how Symantec profits off of such reports. For me, I never trusted Microsoft. That's why I use Linux. Microsoft might as well re-package its software with a big bullseye on the front. Hackers love Microsoft.

Posted by: Jeff | September 26, 2006 3:08 PM

With all due respect to the previous posts, I disagree. It is foolish to dismiss Symantec's report. Use it as a tool, along with other reports and information, to make intelligent decisions on computer security. Whether you like Symantec and their products or any other vendor, you have to consider they are at the forefront of computer security and they analyze a plethora of raw data, then aggregate it and put it out there for review. Take it for what it is, nothing more, nothing less! You still have a choice in security products and operating systems. Let's not be so cynical.

Posted by: TJ | September 26, 2006 6:51 PM

I've been in I.T. for 20 years, and we work very hard to try and keep everything within our network patched-to-date because it DOES make a difference. I've worked for companies who do not install patches as they are released, and when a virus hits it costs the companies a lot of money in downtime and overtime. My current Fortune 500 employer spends the time/money on keeping everything up-to-date, which is cheaper because it's mostly automated, whereas recovery from viruses/DOS etc. cannot be automated.

All companies face that decision because of choices made long ago that put Microsoft Windows software in much, much too large a percentage of servers across the world.

MS hasn't put out a clean piece of code in 15 years, which leaves more places within the code for vulnerabilities.

Posted by: LQ | September 28, 2006 1:48 AM

Hello,

Can you help or advise? They say that when you delete an e-mail it never really goes away but stays on your hard drive (forever). Therefore, how can you get them back!?

Is there a program you can purchase (that's not too costly) that allows you to retrieve these old e-mails from years ago?? Any suggestions?

Thanks.

Bill (Kaval)
Retired Police Lieutenant
Waldorf, Md
wgkav@msn.com

Posted by: Bill Kaval | October 5, 2006 5:52 PM


© The Washington Post Company