Category: Statistics

Lynnfield, Mass.-based antivirus firm Sophos said in a recent report that they detected 4,677 new viruses in the first six months of 2004; a 21% increase over the same period last year.

The general consensus that Windows is the main target is bolstered by a soon-to-be released study by Santa Cruz, Calif.-based research firm Evans Data. More than 90% of Linux users who were surveyed said their systems have never been attacked, and several suggested they switched over from Windows because of increased vulnerabilities.

Steven House, senior product manager for Cupertino, Calif.-based network management firm Packeteer, said his clients have definitely seen a dramatic increase in virus activity this year. “This time last year, there was some activity. Customers were saying they spend some time on security problems,” he said. “Since late last year, the number of customers overwhelmed with activity has gone way up.”

According to Sophos, the Sasser worm has accounted for more than a quarter of all viruses so far this year. It topped the virus chart despite the battle between the Netsky and Bagle worms that has raged since February, producing six of the most damaging viruses so far this year.

MyDoom, the fifth-most-damaging virus this year, highlights the increasing trend of virus writers trying to create armies of possessed PCs.

The sixth most prevalent virus so far is Zafi-B, which carries a message calling on the Hungarian government to house the homeless and introduce the death penalty against criminals.

Cluley pointed to one piece of good news: This year’s most prolific malware scribe got caught. “Increased scrutiny from law enforcement agencies and Microsoft’s bounty initiative to encourage people to snitch on virus writers led to a very-high profile arrest in Germany,” he said. “Sven Jaschan, the teenage author of the Sasser worm and member of Skynet, the gang responsible for distributing Netsky, confessed in May.

“One thing we’re seeing this year is that because of the sharp increase in attacks, a large number of respondents are switching from Windows to Linux.”

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci996788,00.html

So far this year, 31 viruses have been classed as a medium risk or higher, compared to 20 in the whole of 2003.

The main factor behind this rise is the battle between the authors of the Bagle and Netsky viruses, who each launched a volley of malicious code containing insults about their rivals.

Today, there are still three variants of both Bagle and Netsky that McAfee classes as a medium threat.

An average of 50 new pieces of malware have been released on the Internet each day this year, according to the company, and McAfee is forecasting that by the end of 2004 another 18,000 new pieces of malware will have been created.

“The rise in viruses, worms, Trojans and unwanted programs such as spyware, hacking tools and password stealers in the first half of 2004 has already surpassed what we saw throughout all of 2003, bringing us very close to the 100-thousandth mark for identified threats,” said Vincent Gullotto, vice president of McAfee AVERT, the company’s antivirus emergency response team.

The forecast for the rest of 2004 and beyond is not heartening. McAfee expects that spyware and adware will become more of a problem, especially spam emails that deposit spyware on a user’s PC after they are opened.

Phishing attacks, in which organised criminals attempt to fool people into disclosing their banking details by creating a fake Web site are also predicted to rise – as many users are still blind to the danger of clicking on attachments from unknown sources, according to McAfee.

http://news.zdnet.co.uk/0,39020330,39161677,00.htm

A survey earlier this year of 933 U.S. and Canadian companies found that more than three quarters of the respondents rated security as an “extremely or very significant” concern or IT challenge for their organizations, International Data Corp. said.

“Our latest survey findings indicate that IT spending on security and business continuity has increased at 59 percent of organizations in the last 12 months,” IDC analyst Lucie Draper said in a statement. We believe that despite the economic environment, and in some cases because of the geopolitical environment, the prospects for vendors of security technologies are good.”

Other findings included that corporate compliance and government regulations related to security and privacy remained of particular concern to the banking and the healthcare services industries.

http://www.techweb.com/wire/story/TWB20040726S0010

Some 91 per cent of North American and 88 per cent of European businesses use basic passwords to protect their data.

Only 45 per cent of North American businesses and 32 per cent in Europe use multiple log-ons or passwords with tiered or graded authentication.

Just 19 per cent of North American businesses use one-time passwords or access tokens, compared with five per cent of Europeans, six per cent of Asia-Pacific businesses and seven per cent of South Americans.

Meta Group analyst Tom Scholtz pointed out that businesses often have good intentions when it comes to improving security, but cost inevitably becomes a problem. “When it comes to things such as passwords, the whole issue is around strong authentication. You should have things like tokens and smartcards, but the issue always comes down to cost versus benefit,” he said.

“Many organisations have been investing in strong authentication but, when they’ve done the initial pilots and calculated the costs, not just for software and hardware but for management, they realise that the cost per user is usually high, and the business maybe doesn’t want to pay for it.”

Beatrice Rogers, e-business manager at industry trade body Intellect, accepts that cost is a major factor in the adherence to security best practice. “During the downturn there was a cutback in IT spending and people were looking for direct return on investment for their bottom line,” she explained. “It is very difficult to make a proposition on internal investment, especially for IT directors not reporting directly to the board, until there has been a problem and it’s too late. What will make an impact is the spate of regulations that are coming out around corporate governance – Basel, Basel II, Sarbanes-Oxley, FSA regulations that create the need for more data security – and that will probably push up IT spend over all.”

Peter Sommer, security expert at the London School of Economics, maintains that laziness is to blame. “The trouble is that we have 10 years of literature about this sort of thing, from the unreadably academic to the downright popular, and it’s astonishing that people are still being very lazy about it. The only thing that works is a well publicised disaster,” he said.

Biometrics, touted for the past seven years or so as the next great security solution, is still very much in its infancy, according to the survey.

Just two per cent of European respondents use biometric-based security, compared with five per cent of North Americans, four per cent of South American businesses and eight per cent of those in the Asia-Pacific region. According to Scholtz, these companies are going to stay in the minority for some time to come.

When it comes to security spending, the survey found that European companies allocate 11 per cent of their budgets to security, compared with 12 per cent in North America, 16 per cent in South America and 17 per cent in Asia-Pacific.

In the UK, the mean figure came out at just 9.4 per cent.

“These figures are very interesting,” said Scholtz. “As a rule we recommend organisations spend between three and eight per cent. If they’re spending 11 per cent, I’m not sure organisations always know how to capture that number.”

But Rogers suggested that company culture dictates the level of security spending.

“Security is only as good as the people who run it, so it comes down to training and culture and embedding that within the organisation,” she said.

“Having the systems and the policies are not enough if they are not being used and the policy sits on the shelf.

Culture has to be embedded from the very top right down to the very bottom.

“Best practice is about knowing which parts of your systems need which level of security.

“Each organisation must understand its own risk profile and allow this to drive its security spend.

However, even with an ample budget, if the spend is not effectively placed, then it will do little to mitigate risk,” he explained.

Enhancing application security has emerged as the biggest security priority over the next 12 months, followed by the installation of better access controls, securing remote access and monitoring user compliance in conjunction with policies.

http://www.vnunet.com/features/1156593

Out of 162 companies contacted, 84 percent said their business operations have been disrupted and disabled by Internet security events during the last three years.

Though the average rate of business operations disruption was one incident per year, about 15 percent of the surveyed companies said their operations had been halted and disabled more than seven times over a three-year period.

The portents for enterprises are alarming, given the increased use of the Internet for core business activities.

About three-fourths of the companies contacted by Aberdeen indicated they are increasing online sales and customer service, 55 percent will do more procurement and sourcing through the Web, and 48 percent want to enhance online distribution and fulfillment activities.

“Increasing usage of the Internet for these core business functions means that business disruptions from Internet security can seriously impact a company’s revenue,” Aberdeen analyst Jim Hurley said in a release.

The market researcher calculates that the median annual revenue loss rate can vary from US$6,700 for a US$10 million company to US$20.1 million for a Global 5,000 company with US$30 billion revenue.

The first six months of 2004 saw an increasing number of attacks on Internet security.

Disruptive Internet agents that have raised the level of concern include worms, viruses, spyware, hacker attacks, denial-of-service attacks, attacks on e-mail and Web systems, and attacks on company data and applications.

Some of the most malicious mass-mailing worms roaming the Net include the Bagle and Sasser worms.

Security experts recently unearthed a pernicious pop-up program that reads keystrokes and steals passwords.

Most businesses are worried that their operations are exposed to Internet-based threats.

For instance, 80 percent of survey respondents indicated that they’re worried about network outages, 86 percent are worried about Internet security threats, 84 percent are worried about compromised IT systems; 85 percent are worried about compromises to data integrity; and 71 percent are worried about human errors that may lead to Internet business disruptions.

http://www.zdnet.com.au/news/security/0,2000061744,39152626,00.htm

A survey by Bank of Scotland (BoS) found that 37 per cent of UK small firms were being badly hit in the pocket by spam and viruses, such as the SoBig outbreak which hit many businesses earlier this year. The study found that the while the cost of minor data losses and firewalls is less than £1,000 a year for two-thirds of small firms, a full-scale virus attack can be terminal for entrepreneurs on tight budgets.

For one in fifty businesses polled, the cost of computer viruses was over £10,000 per year. A further 40 per cent of bosses claimed that junk email significantly added to their costs, with one in ten losing an estimated £10,000 year through lost productivity and the cost of filtering systems.

Multiple unwanted faxes are also a headache for small firms, with over half of those surveyed claiming that the cost of receiving and handling junk faxes was a significant problem.

Firms in London were most concerned about the impact of computer viruses, while Newcastle businesses were most likely to suffer from a high volume of spam. The research suggests that anti-spam laws, introduced by the government last year, have done little to ease business concerns over the impact of junk email on productivity and profits. Although individuals are now banned from sending emails and other communication to users without prior consent, the laws only apply in the UK and has done little to stem the flood of junk from the USA.

Computer viruses continue to pose a serious threat to small firms, who often do not have the resources to properly protect their IT systems or recover lost data. Eddie Morrison, of BoS, said that computer viruses are clearly one of the scourges of our business age. “The cost of protecting systems with ever more advanced firewalls can be expensive in itself but compare to that the devastation of losing important files to a virus. It has also become increasingly easy for small firms to be bombarded with multiple unsolicited emails and faxes for advertising and other purposes. Though less often seen as a direct threat, it can generate significant costs to the unsuspecting recipient.”

More info: http://www.theregister.co.uk/2004/06/15/viruses_hit_small_biz/