That Was the Year 2005

As a trawl of the available information about the worldwide security market shows, the market is in a constant state of flux. What were the problems in 2004 became less relevant in 2005, and last year’s headaches will make way for different pain points this year. On the plus side, hard-pressed Chief Security Officers and their colleagues are able to spend more money on the problems as awareness grows at the corporate level, and they are also hiring more staff, who aim to be better qualified to face the upcoming threats.

The biggest threats in 2005

Several security organizations track the threat arena and their results are similar. One striking finding for 2005 was that good old viruses made up only one percent of all malware threats. Good news? Not at all: the decline reflects a shift from writing malware for notoriety to writing it for profit. “Virus writers were in it for the fame; now everyone wants financial gain,” said Luis Corrons, director of PandaLabs, which conducted the study. “Viruses…have reached rock bottom this year,” he added.
Of the new threats detected last year by PandaLabs, Panda Software’s malware research laboratory, 42 percent were trojans, 26 percent were bots, 11 percent were backdoor trojans, 8 percent were dialers, 6 percent were worms and 3 percent were adware and spyware variants.
Over at IT security vendor Sophos, the Security Threat Management Report 2005 put the rise in new malware threats at 48 percent: almost 16,000 new threats were identified during the year, and on average one in every 44 emails was viral. Sophos also found that Trojans written during 2005 outnumbered worms by two to one; its separate Trojan figures only go back to mid-2004, so there is no full-year comparison. The Zafi-D virus topped the Sophos list as the most prevalent virus on the internet in 2005, pushing 2004’s leader, Netsky-P, into second place.
Meanwhile security firm F-Secure reported only two major worm outbreaks during the last six months of 2005: Zotob in September and Sober-Y in late November.
Over at IDC, analyst Brian Burke told SC Magazine that the resurgence of spam after a relatively quiet 2004 was a surprise last year. There had been hope for a while that the various laws passed in the US and elsewhere would dampen enthusiasm for mass mailings. Instead, he said, spam bubbled up to become the number two security problem for enterprises.
The bad news for users, according to Sophos senior security consultant Carole Theriault, is that Trojan creators are becoming more sophisticated. “Today’s threats need to be as sneaky as possible. Trojans, incapable of spreading on their own, give more control to the creator to try and bypass computers with insufficient protection in place – all while covering their tracks.”

The phishing phenomenon

A survey of 133 North American organizations conducted in 2005 by Gartner showed that phishing was only just making it onto the corporate radar: respondents were more concerned about viruses and worms than any other threat, then about outside hacking or cracking, and only then about identity theft and phishing. F-Secure, however, reported that 2005 was also characterized by criminal phishing.
The criminality came on strong as the year progressed. A report published in November by Financial Insights, an IDC company, estimated that global financial institutions lost US$400 million during the year to phishing schemes, as users gave up sensitive information in the belief they were responding to a legitimate email from, say, their bank or a merchant they were dealing with. According to a Symantec report, phishing threats, which are attempts to deceive users into revealing confidential information, continued to increase during the second half of 2005 while focusing on smaller, regional targets. During the last half of 2005, 7.92 million phishing attempts were identified per day, up from 5.70 million per day in the previous reporting period.
Security companies expect phishing to keep increasing and hope users stay vigilant. There are already warnings about variants such as “pharming”, which tampers with DNS or a PC’s hosts file so that a correctly typed bank address resolves to a fraudulent site without the user ever clicking a bad link, and “Smart Redirection Attacks”, which steer victims to whichever of several spoofed sites is still online so that a single takedown does not end the campaign.

The losses

It’s difficult to get a handle on the total global losses due to computer crime, as enterprises are notoriously reticent about revealing details in case their customers lose faith in the institution. In the US, however, the FBI says it has calculated that dealing with viruses, spyware, PC theft and other computer-related crimes costs US businesses a massive $67.2 billion a year. The FBI arrived at the price tag by extrapolating from a survey of 2,066 organizations. The survey found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per affected company was more than $24,000, for a total of roughly $32 million across those surveyed. To extrapolate to a national figure, the FBI conservatively assumed that only 20 percent of organizations, rather than the 64 percent seen in the survey, were affected, which equated to 2.8 million US businesses. If each of those 2.8 million organizations incurred the $24,000 average loss, the total would be $67.2 billion per year. Both inputs are self-reported survey figures, so the headline number is only as good as that 20 percent assumption and the respondents’ own loss estimates.
The US and many other countries are passing laws exacting stiff penalties for convicted cybercriminals, but the fact that the Internet respects no borders makes inter-agency cooperation essential to track down the culprits. In February 2006, FBI director Robert Mueller told attendees of the RSA Conference that the FBI must work with corporations and international law enforcement to combat online criminal acts that are seldom reported.

Security spending

To keep the hackers, crackers and criminals at bay, businesses around the world are spending billions, although research companies IDC and Business Communications Co (BCC) differ on exactly how much. Both figures are still estimates, as neither company has finalized its numbers for the year. IDC put the total 2005 spend on security hardware, software and services at $32.6 billion. BCC put it at $27.7 billion and said the US and Europe account for a significant portion of the Internet security market, although the opportunity is expected to grow significantly in the Asia Pacific region, especially in China and India, where businesses are expanding. For 2006 IDC estimates a spend of $38.3 billion, and BCC’s forecast runs out to 2010, when the company reckons $58 billion will be spent.

Understanding the problem

There is undoubtedly a correlation between the growth in the amount of money being spent on security and the growth in awareness of the problem. In a survey conducted by Forrester on behalf of the Business Software Alliance, which polled 410 information technology decision makers in the US, UK, Canada, Germany and France, 81 percent now believe that the possibility of losing business because of downtime is a financial risk, up from 67 percent in 2004. More than 70 percent of those asked also feared the potential loss of revenue due to negative publicity and the risk of losing intellectual property value; in the previous survey that figure was just 40 percent. Also, 73 percent of respondents said information security has become a critical part of their company’s strategic business planning, and 63 percent said that their customers regularly ask about information security. Those customer concerns are a key factor in companies improving their security, with 70 percent saying they made improvements to address them.

The coming battles

The not-so-good news is that the bad guys have a host of new nasty tricks up their sleeves. The New York Times reports that phishing is now passé and that we all need to watch out for key-logging, which for criminals can be a simple and lucrative way to make money: a keylogger captures credentials as they are typed, so it needs no deception at the moment of login and a user who carefully checks the site’s address gains nothing. A Brazilian fraud ring stole about $4.7 million from 200 different accounts last May, while one in France, broken up recently, had taken more than $1.1 million from personal bank accounts.
Forrester Research expects to see the emergence of viruses aimed at instant messaging applications and mobile devices, as well as “cross-platform” viruses that can affect a wide range of systems. There will be more attacks aimed at service-oriented architectures as they become more commonplace. Some attacks will involve a complex combination of social engineering, a breakdown in processes, technical vulnerabilities and insider abuse, says Forrester analyst Paul Stamp.
Beware: those video clips now circulating around enterprise desktops via e-mail, instant messaging or blogs could bring more harm than humor in the months ahead as the hacker underground eyes their potential. Digital video content is expected to provide the next major opportunity for computer hackers, identity thieves and spyware vendors, according to one report. Organized attacks by teams of hackers that have members with expertise in business functions and processes, as well as the rudimentary access and coding expertise that many current attackers have, could have a huge impact, reported NetworkWorld. “We will probably see terrorist groups, criminal organizations putting together combinations of talent,” Scott Borg, director of the US Cyber Consequences Unit, said at a recent conference.
2006 is already building up to be another stressful year as corporations fight to keep cybercriminals away from their own and their customers’ money. The FBI, probably speaking for all law enforcement organizations around the world, is calling for an end to the “code of silence” whereby businesses don’t report crime for fear of reprisals or adverse publicity. Openly reporting crime may cause companies short-term pain, but in the long run protecting the infrastructure as a whole is more important. Time will tell whether companies heed those words.

John Sterlicchi