Symantec：全球网络安全威胁报告.pdf

2013 Trends, Volume 19, Published April 2014 INTERNET SECURITY THREAT REPORT 2014 p. 2 Symantec Corporation Internet Security Threat Report 2014 : Volume 19 CONTENTS 4 Introduction 5 Executive Summary 8 2013 SECURITY TIMELINE 9 2013 Security Timeline 11 2013 IN NUMBERS 12 Breaches 14 Spam 15 Bots, Email 16 Mobile 17 Web 18 Targeted Attacks Spear Phishing 22 Targeted Attacks Web-Based 24 TARGETED ATTACKS + DATA BREACHES 25 Targeted Attacks 26 Average Number of Spear-Phishing Attacks Per Day, 2011 2013 27 Email Campaigns, 2011 2013 28 Targeted Attack Key Stages 29 Top-Ten Industries Targeted in Spear-Phishing Attacks 30 Spear-Phishing Attacks by Size of Targeted Organization, 2011 2013 31 Risk of Job Role Impact by Targeted Attack Sent by Spear-Phishing Email 32 Ratio of Organizations in an Industry Impacted by Targeted Attack Sent by Spear-Phishing Email 33 Ratio of Organizations Targeted by Industry Size Sent by Spear-Phishing Email 33 Analysis of Spear-Phishing Emails Used in Targeted Attacks 34 Zero-day Vulnerabilities, Annual Total, 2006 2013 35 Top-Five Zero-day Vulnerabilities 38 Point of Sale Breach Stages 39 Data Breaches 39 Top Causes of Data Breach 40 Timeline of Data Breaches 44 E-CRIME + MALWARE DELIVERY TACTICS 45 E-crime and Cyber Security 46 Malicious Activity by Source: Bots, 20122013 47 Top-Ten Botnets 48 Ransomware Over Time 51 Top-Ten Malware 53 Threat Delivery Tactics 54 Timeline of Web Attack Toolkit Use, Top-Five 54 Top Web Attack Toolkits by Percent 55 Web Attacks Blocked Per Day 56 Most Frequently Exploited Websites 58 Zero-Day Vulnerabilities 58 Total Number of Vulnerabilities, 2006 2013 60 Plug-in Vulnerabilities Over Time 60 Browser Vulnerabilities, 2011 2013 p. 3 Symantec Corporation Internet Security Threat Report 2014 : Volume 19 61 Proportion of Email Traffic Containing URL Malware, 2013 vs 2012 61 Proportion of Email Traffic in Which Virus Was Detected, 2013 vs 2012 62 Top-Ten Mac OSX Malware Blocked on OSX Endpoints 63 SOCIAL MEDIA + MOBILE THREATS 64 Social Media 65 Social Media 69 Mobile 70 Number of Android Variants Per Family, 2013 vs 2012 70 Mobile Malware Families by Month, Android, 2013 vs 2012 72 Mobile Threat Classifications 74 Mobile Vulnerabilities by Percent 75 Top-Five Types of Madware Functionality Percentage of Ad Libraries 77 PHISHING + SPAM 78 Spam and Phishing 78 Phishing Rate, 2013 vs 2012 79 Number of Phishing URLs on Social Media 81 Global Spam Volume Per Day 81 Global Spam Rate, 2013 vs 2012 83 LOOKING AHEAD 84 Looking Ahead 86 RECOMMENDATIONS + BEST PRACTICE GUIDELINES 87 Best Practice Guidelines for Businesses 89 Best Practice Guidelines for Consumers 90 SANS Critical Security Controls 94 Footnotes 96 Contributors 97 About Symantec 97 More Information p. 4 Symantec Corporation Internet Security Threat Report 2014 : Volume 19 Introduction Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services, Norton consumer products, and other third-party data sources. In addition, Symantec maintains one of the worlds most comprehensive vulnerability databases, currently consisting of more than 60,000 recorded vulnerabilities (spanning more than two decades) from over 19,000 vendors representing over 54,000 products. Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, Symantec.cloud, and a number of other Symantec security technologies. Skeptic, the Symantec.cloud proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers networks. Over 8.4 billion email messages are processed each month and more than 1.7 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers. Symantec Trust Services provides 100 percent availability and processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commen- tary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small business- es, and consumers essential information to secure their systems effectively now and into the future. p. 5 Symantec Corporation Internet Security Threat Report 2014 : Volume 19 Executive Summary In 2013 much attention was focused on cyber-espionage, threats to privacy and the acts of malicious insiders. However the end of 2013 provided a painful reminder that cybercrime remains prevalent and that damaging threats from cybercriminals continue to loom over businesses and consumers. Eight breaches in 2013 each exposed greater than 10 million identities, targeted attacks increased and end-user attitudes towards social media and mobile devices resulted in wild scams and laid a foundation for major problems for end- users and businesses as these devices come to dominate our lives. This years ISTR once again covers the wide-ranging threat landscape, with data collected and analyzed by Symantecs security experts. In this summary, we call out seven areas that deserve special attention. The most important trends in 2013 were: 2013 Was The Year of Mega Breach Our Internet Security Threat Report 17 reported 2011 as the Year of the Data Breach. The year was extraordinary because in addition to increased cybercrime-driven breaches, Anonymous in acts of hactivism breached dozens of companies. With Anonymous less active, breach numbers returned to more predictable growth in 2012. And then came 2013. If 2011 was the year of the breach, then 2013 can best be described as the Year of the Mega Breach. The total number of breaches in 2013 was 62 percent greater than in 2012 with 253 total breaches. It was also larger than the 208 breaches in 2011. But even a 62 percent increase does not truly reflect the scale of the breaches in 2013. Eight of the breaches in 2013 exposed more than 10 million identities each. In 2012 only one breach exposed over 10 million identities. In 2011, only five were of that size. 2011 saw 232 million identities exposed, half of the number exposed in 2013. In total over 552 million identities were breached in 2013, putting consumers credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, login, passwords, and other personal information into the criminal underground. Targeted Attacks Grow and Evolve While targeted attacks continue to rise, Symantec observed an interesting evolution in these attacks. As first reported in last years Internet Security Threat Report, attackers added water- ing-hole attacks to their arsenal. But reports of the death of spear phishing are greatly exaggerated. While the total number of emails used per campaign has decreased and the number of those targeted has also decreased, the number of spear-phishing campaigns themselves saw a dramatic 91 percent rise in 2013. This “low and slow” approach (campaigns also run three times longer than those in 2012) are a sign that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering. We have also observed the addition of real world social engineering, combining virtual and real world attacks, being employed to increase the odds of success. This years Internet Security Threat Report also introduces a new calculation. Using epidemiology concepts commonly applied to public health issues, we have estimated the risk industries and users face of being targeted for attack. It sends a warning to some industries that may view the volume of attacks against them as no cause for concern. For instance, while the most targeted attacks in 2013 were against Governments and the Services industry, the industries at most risk of attack were Mining, Governments and then Manufacturing. Their odds of being attacked are 1 in 2.7, 1 in 3.1 and 1 in 3.2 respectively. p. 6 Symantec Corporation Internet Security Threat Report 2014 : Volume 19 Executive Summary Zero-day Vulnerabilities and Unpatched Websites Facilitated Watering-Hole Attacks More zero-day vulnerabilities were discovered in 2013 than any other year Symantec has tracked. The 23 zero-day vulnerabili- ties discovered represent a 61 percent increase over 2012 and are more than the two previous years combined. Zero-day vulnerabilities are coveted because they give attackers the means to silently infect their victim without depending on social engineering. And by applying these exploits in a watering-hole attack they avoid the possibility of anti-phishing technology stopping them. Unfortunately legitimate web sites with poor patch management practices have facilitated the adoption of watering hole attacks. 77 percent of legiti- mate websites had exploitable vulnerabilities and 1-in-8 of all websites had a critical vulnerability. This gives attackers plenty of choices in websites to place their malware and entrap their victims. Typically cutting-edge attackers stop using a vulnerability once it is made public. But this does not bring an end to their use. Common cybercriminals rapidly incorporate zero-day vulner- abilities to threaten all of us. Even though the top five zero-day vulnerabilities were patched on average within four days, Symantec detected a total of 174,651 attacks within 30 days of these top five becoming known. Ransomware attacks grew by 500 percent in 2013 and turned vicious Scammers continued to leverage profitable ransomware scams where the attacker pretends to be local law enforcement, demanding a fake fine of between $100 to $500. First appearing in 2012 these threats escalated in 2013, and grew by 500 percent over the course of the year. These attacks are highly profitable and attackers have adapted them to ensure they remain profitable. The next step in this evolution was Ransomcrypt, commonly known as Cryptolocker. This is the most prominent of these threats and turns ransom- ware vicious by dropping all pretence of being law enforcement and is designed to encrypt a users files and request a ransom for the files to be unencrypted. This threat causes even more damage to businesses where not only the victims files are encrypted but also files on shared or attached network drives. Holding encrypted files for ransom is not entirely new, but getting the ransom paid has previously proven problematic for the crooks. With the appearance of online payment methods ransomcrypt is poised for growth in 2014. Small businesses and consumers are most at risk from losing data, files or memories. Prevention and backup are critical to protecting users from this type of attack. Social Media Scams and Malware Flourish on Mobile While the prevalence of mobile malware is still comparatively low, 2013 showed that the environment for an explosive growth of scams and malware attacks is here. Our Norton Report, a global survey of end-users, showed that 38 percent of mobile users had already experienced mobile cybercrime. Lost or stolen devices remain the biggest risk, but mobile users are behaving in ways that leave themselves open to other problems. Mobile users are storing sensitive files online (52 percent), store work and personal information in the same online storage accounts (24 percent) and sharing logins and passwords with families (21 percent) and friends (18 percent), putting their data and their employers data at risk. Yet only 50 percent of these users take even basic security precautions. The number of brand new malware families created slowed as malware authors worked to perfect existing malware. In 2012 each mobile malware family had an average of 38 variants. In 2013 each family had 58. However several events in 2013 showed that mobile users are highly susceptible to scams via mobile apps. It might be said that mobile malware has not yet exploded because the bad guys have not needed it to get what they want. p. 7 Symantec Corporation Internet Security Threat Report 2014 : Volume 19 Executive Summary Prevalence of Scams Fail to Change User Behaviour on Social Media Surrounded by their friends, users continue to fall for scams on social media sites. Fake offers such as free cell phone minutes accounted for the largest number of attacks of Facebook users in 2013 81 percent in 2013 compared to 56 percent in 2012. And while twelve percent of social media users say someone has hacked into their social network account and pretended to be them, a quarter continue to shared their social media passwords with others and a third connect with people they dont know. As social media becomes more and more of an activity done on mobile devices these bad behaviours are likely to have worse consequences. Attackers are turning to the Internet of Things Baby monitors, as well as security cameras and routers, were famously hacked in 2013. Furthermore, security researchers demonstrated attacks against smart televisions, automobiles and medical equipment. This gives us a preview of the security challenge presented by the rapid adoption of the Internet of Things (IoT). The benefit to attackers of compromising these devices may not yet be clear, and some suspect claims about hacked devices (refrigerators for instance) are to be expected. But the risk is real. IoT devices will become access points for targeted attackers and become bots for cybercriminals. Of immediate concern are attacks against consumer routers. Computer worms like Linux.Darlloz are making a comeback as attackers target devices without users to social engineer, but with unpatched vulnerabilities they can remotely exploit. Control of these devices can prove profitable for attackers, using DNS redirection to push victims to fake websites, usually to steal financial details. Today the burden of preventing attacks against IoT devices falls on the user; however this is not a viable long-term strategy. Manufacturers are not prioritizing security they need to make the right security investments now. The risk gets even higher with the proliferation of data being generated from these devices. Big data is big money and unless the