Looking Back: A Review of Threats Faced in 2011

Thursday, February 02, 2012

Simon Heron


Redscan proactively monitors and maintains Network Box security solutions on behalf of its customers in Europe and is part of a network of similar operations centres Worldwide.

These products generate extensive statistics that provide a unique view into what is happening in the real world. This article examines the statistics collected in 2011 and explains what they reveal.

There is a great deal that can be gleaned from customer systems. When statistics from many different organisations, of different sizes, from different industries, in different countries are amalgamated and analysed, they provide a useful insight into the true nature of security threats.

These trends are not only interesting to observe, but are also invaluable in helping companies to determine future security policies. The statistics gathered in 2011 reveal:

  • A new security signature was released every 8.1 seconds
  • Malware attacks escalated by 68.1% in 2011, as compared to 2010
  • Attacks using firewall technology increased by 13.1% on the previous year
  • Small businesses – not just large organisations – were targeted with denial of service (DoS) and distributed denial of service (DDoS) attacks
  • A larger proportion of IT managers are imposing restrictions on web site usage

In 2011, Network Box Security Response PUSHed out 7,125 updates which was down 39.2% on 2010. However the number of signatures grew 25.9% to 3,880,267. This strange statistic reflected the continued move to cloud-based signature systems (such as the Network Box’s Z-Scan and NBCP content categorisation systems).

So the number of signatures per update fell, while the number of signatures released increased. This is a trend that is destined to continue, as traditional signatures continue to be the most effective against the depth and breadth of malware, whilst cloud-based signatures are emerging as the most effective solution for zero-day outbreaks.

The result is that there was approximately one new signature every 8.1 seconds in 2011.

During the year, the average Network Box blocked 208,081 spams which is down 55.8% from 2010, but malware is up 68.1% on 2010 to 8,008. The reduction in overall spam volume is due to the large-scale takedown operations against botnets and their owners that have occurred, as botnets are the single biggest source of spam.

However, the reduction in spam volume is somewhat masked by the increased use of pre-scan filtering such as RBL blocks at the envelope stage and recipient address verification (for an explanation of envelopes, click here).

Such envelope-stage blocks are effective against a huge amount of spam (currently estimated at around 35%, globally). Messages, both spam and malware, blocked at the envelope stage do not appear in our reported figures for ‘messages blocked as spam and malware’.

The 2011 statistics reveal that the average Network Box blocked 9,191,536 attacks during the year using firewall technology. Such attacks were up 13.1% on 2010, which could indicate that hackers believe that firewalls can be badly configured and are worth probing for vulnerabilities, either in the firewall itself or just as a way of accessing the network behind.

Intrusions were down 18.3%. It should be noted, however, that such network-level attacks are an unavoidable consequence of being connected to the global Internet.

The trend away from attacks composed of mass-mailed spam and malware towards attacks of targeted/mass vulnerability exploit continued during 2011. One worrying new pattern was the increase in relatively low-impact denial of service (DoS) and distributed denial of service (DDoS) attacks.

In the past, DoS and DDoS have used hundreds of megabits of bandwidth, but 2011 saw a large number of such attacks in the tens of megabit category targeting small organisations. Whilst larger enterprises have deployed protection against this form of attack, many smaller companies haven’t and are therefore vulnerable.

In 2011, the average Network Box blocked 1,663,284 websites due to company content filtering policy, which is up a massive 45.5% on 2010. When this is compared with the 45,838,221 website URLs visited on average over the year (which is only up 12.8% compared with 2010) this indicates that IT managers are imposing more controls to implement their company’s policy.

The growth in bandwidth usage – and web usage, in particular – continues, driven by the increase in web-based applications, social networking, cloud-based solutions and smart mobile devices.

Cross-posted from Redscan

Possibly Related Articles:
Security Awareness
Information Security
Denial of Service Firewalls SPAM Cloud Security Enterprise Security malware Botnets Statistics DDoS Threats 2011 Policies and Procedures Simon Heron
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.