2013 Trends, Volume 19, Published April 2014 
Symantec Corporation 
Internet Security Threat Report 2014 :: Volume 19 
Introduction
Executive Summary
2013 Security Timeline
2013 IN NUMBERS
Breaches
Spam
Bots, Email
Mobile
Web
Targeted Attacks – Spear Phishing
Targeted Attacks – Web-Based
Targeted Attacks
Average Number of Spear-Phishing Attacks Per Day, 2011 – 2013
Email Campaigns, 2011 – 2013
Targeted Attack Key Stages
Top-Ten Industries Targeted in Spear-Phishing Attacks
Spear-Phishing Attacks by Size of Targeted Organization, 2011 – 2013
Risk of Job Role Impact by Targeted Attack Sent by Spear-Phishing Email
Ratio of Organizations in an Industry Impacted by Targeted Attack Sent by Spear-Phishing Email
Ratio of Organizations Targeted by Industry Size Sent by Spear-Phishing Email
Analysis of Spear-Phishing Emails Used in Targeted Attacks
Zero-day Vulnerabilities, Annual Total, 2006 – 2013
Top-Five Zero-day Vulnerabilities
Point of Sale Breach Stages
Data Breaches
Top Causes of Data Breach
Timeline of Data Breaches
E-crime and Cyber Security
Malicious Activity by Source: Bots, 2012–2013
Top-Ten Botnets
Ransomware Over Time
Top-Ten Malware
Threat Delivery Tactics
Timeline of Web Attack Toolkit Use, Top-Five
Top Web Attack Toolkits by Percent
Web Attacks Blocked Per Day
Most Frequently Exploited Websites
Zero-Day Vulnerabilities
Total Number of Vulnerabilities, 2006 – 2013
Plug-in Vulnerabilities Over Time
Browser Vulnerabilities, 2011 – 2013
Proportion of Email Traffic Containing URL Malware, 2013 vs 2012
Proportion of Email Traffic in Which Virus Was Detected, 2013 vs 2012
Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Social Media
Social Media
Mobile
Number of Android Variants Per Family, 2013 vs 2012
Mobile Malware Families by Month, Android, 2013 vs 2012
Mobile Threat Classifications
Mobile Vulnerabilities by Percent
Top-Five Types of Madware Functionality Percentage of Ad Libraries
Spam and Phishing
Phishing Rate, 2013 vs 2012
Number of Phishing URLs on Social Media
Global Spam Volume Per Day
Global Spam Rate, 2013 vs 2012
Looking Ahead
Best Practice Guidelines for Businesses
Best Practice Guidelines for Consumers
SANS Critical Security Controls
Footnotes
Contributors
About Symantec
More Information
Symantec has established the most 
comprehensive source of Internet threat 
data in the world through the Symantec™ 
Global Intelligence Network, which is made 
up of more than 41.5 million attack sensors 
and records thousands of events per second. 
This network monitors threat activity in 
over 157 countries and territories through 
a combination of Symantec products and 
services such as Symantec DeepSight™ 
Threat Management System, Symantec™ 
Managed Security Services, Norton™ 
consumer products, and other third-party 
data sources. 
In addition, Symantec maintains one of the world’s most 
comprehensive vulnerability databases, currently consisting of 
more than 60,000 recorded vulnerabilities (spanning more than 
two decades) from over 19,000 vendors representing over 54,000 
Spam, phishing, and malware data is captured through a variety 
of sources including the Symantec Probe Network, a system 
of more than 5 million decoy accounts, and 
a number of other Symantec security technologies. Skeptic™, 
the proprietary heuristic technology, is able 
to detect new and sophisticated targeted threats before they 
reach customers’ networks. Over 8.4 billion email messages 
are processed each month and more than 1.7 billion web 
requests filtered each day across 14 data centers. Symantec also 
gathers phishing information through an extensive anti-fraud 
community of enterprises, security vendors, and more than 50 
million consumers. 
Symantec Trust Services provides 100 percent availability and 
processes over 6 billion Online Certificate Status Protocol (OCSP) 
look-ups per day, which are used for obtaining the revocation 
status of X.509 digital certificates around the world. These 
resources give Symantec analysts unparalleled sources of data 
with which to identify, analyze, and provide informed commentary 
on emerging trends in attacks, malicious code activity, 
phishing, and spam. The result is the annual Symantec Internet 
Security Threat Report, which gives enterprises, small businesses, 
and consumers essential information to secure their systems 
effectively now and into the future.

Executive Summary 
One of the major challenges for government in 2013 has been how to prepare for attacks 
against the supply chain that have increased in sophistication throughout the year. In the last 
ISTR, Symantec identified a growing shift towards highly targeted malware attacks being sent 
in email to small-to-medium-sized businesses, which now appears to have reached a plateau. 
Moreover, although the overall volume of such email-based attacks has returned to 
2011 levels, they have become much more subtle and harder to identify without the right 
technology in place. The frontline in these attacks is still moving along the supply chain; 
meanwhile, large enterprises may be targeted through web-based “watering-hole” attacks 
should email-based spear-phishing attacks fail to yield the desired results. 
For the past decade, the threat landscape has been very aware of highly targeted attacks, 
most notably the carefully targeted spear-phishing emails that rely on sophisticated social 
engineering as well as state-of-the-art malware; however, this landscape is shifting and the 
nature of the attacks is less defined by their tactics, and more by their outcome. So when we 
narrow our focus on only the email aspect of targeted attacks, we may be blind to the other 
means by which breaches occur, such as the use of social media and watering-hole attacks. 
The most important trends in 2013 were: 
Data Breaches, Privacy and Trust 
With privacy issues and data breach revelations dominating 
the headlines not only in the industry media, but also in the 
mainstream press, 2013 has sounded a loud clarion call for 
people and businesses to take a more serious look at their online 
information, and to keep it private and secure. The headlines 
in 2013 were not only peppered by the revelations about how 
governments were keeping track of their citizens online, but also 
increasingly dominated by the large number of data breaches 
and even larger volume of identities being leaked. 
In 2013, the number of data breach incidents increased by 62 
percent since 2012, with the number of online identities being 
exposed growing by as much as five times. It’s no longer a 
matter of having a secure password, but who you trust to keep 
your credentials safe and secure. The number of incidents that 
resulted in 10 million or more identities being exposed was 
eight, compared with five in 2012. The most common cause 
of breach incidents was hacking, which was the reason for 35 
percent of the incidents recorded in the Norton Cybercrime 
Index for 2013. Moreover, accidental disclosure and theft or loss 
of a device were close behind, making up 28 and 27 percent of 
breaches, respectively. 
Fundamentally, the number of breach incidents is higher than 
ever before, and the challenge for organizations and individuals 
alike is to make sure they do not become counted in the 
next wave of statistics. Among the greatest concerns is who 
has access to sensitive data, and how that data may be used. A 
security breach at a major organization may have serious consequences 
not only for itself but also for its customers; personal 
information stolen in an online hack may later be used in the 
commission of fraud or to gain unauthorized access to online 
As a result, the adoption of encryption technology is likely to 
grow in 2014/15, not only for use in securing data on devices, 
but also for securing online transactions. The use of personal 
VPNs is already growing, as concerned users become wary about 
the traffic that may be exposed through their Wi-Fi hotspot.
VPNs are not new, but they have traditionally been the preserve 
of businesses seeking to safeguard their employees’ data when 
working remotely. Newer and faster encryption protocols will 
also be in demand, so even if your data is exposed or your device 
falls into the wrong hands, you can be assured that it cannot be 
exploited by the criminals. 
The Value of Data 
The threat from governments potentially gathering our personal 
data in the routine business of safeguarding our national 
security was a major concern to many individuals and businesses. 
In 2013 the value of our data was also being challenged 
by cybercriminals, who were escalating the stakes to see how 
much financial value we put on our own data. Ransomware-type 
malware volumes increased by 500 percent from 100,000 to over 
600,000 by the end of the year, an increase of over six times its 
previous level. 
With more personal data online and in the cloud than ever 
before, and consumers sharing more data with each other, 
businesses and governments have to routinely handle 
massive quantities of personal information safely. But do the 
owners of this data take sufficient protective measures to 
safeguard the data on their own computers and devices? Cybercriminals 
are increasingly seeing the value of this information 
for financial crime, identity theft, and other acts of fraud. 
Personal data is a very attractive commodity for cybercriminals, 
who have developed business models to sell it. Huge 
amounts of personal data are being harvested and sold to other 
malicious parties, details including names, addresses, social 
security numbers, health insurance details, and credit card 
One of the biggest breaches this year was caused by an attack 
against a major retailer’s point of sale (PoS) system. These 
systems handle customer transactions through cash or credit 
cards. When a customer swiped their credit or debit card at 
a PoS system, their data was sent through the company’s 
networks in order to reach the payment processor. Depending on 
how the system was set up, attackers could take advantage of a 
number of flaws within these networks to ultimately steal their 
targeted data. 
Targeted Spear-Phishing Emails 
In 2012, we saw increasing numbers of targeted attacks using 
email, but when these attacks were thwarted the attackers would 
intensify their volume, perhaps change the social engineering, 
or change the exploits, or even adapt the malware. But in 2013, 
if a spear-phishing attack was unsuccessful, after a few attempts 
the attacker may be more likely to shift to a different tactic altogether 
such as a watering hole attack, or baiting the intended 
target by seeking to connect with them over social media. 
The largest percentage of email-based spear-phishing attacks 
overall was still being directed at large enterprises (comprised 
of over 2,500 employees) at 39 percent compared with 50 
percent in 2012. The industry sector most targeted in 2013 was 
Government and Public Sector (a.k.a. Public Administration), 
which accounted for 16 percent of all targeted spear-phishing 
email attacks blocked in 2013, compared with 12 percent in 
In 2013, targeted email attacks aimed at Small Businesses 
(1-250) accounted for 30 percent of all such attacks blocked by 
the company, compared with 31 percent in 2012 and 18 percent 
in 2011. Despite the overall average being almost unchanged, 
the trend through the year reveals that the proportion of attacks 
against small businesses has increased throughout the year, 
peaking at 53 percent in November. 
Watering-Hole Attacks and Exploiting 
Zero-Day Vulnerabilities 
Watering-hole attacks were first described in the 2012 Symantec 
Internet Security Threat Report (ISTR), and as a threat they can 
be among the most dangerous. Watering holes are legitimate 
websites that have been compromised, but not by cybercriminals 
who have planted a traditional web-attack toolkit, such as 
Blackhole or Cool Exploit Kit; rather these websites are trapped 
with exploits for as yet undiscovered zero-day vulnerabilities. 
Once these exploits are discovered and the vulnerabilities 
patched, the perpetrators will quickly adapt by using another 
exploit for another zero-day. As these attacks rely on zero-day 
vulnerabilities in order to go undiscovered, it is all the more 
worrying to report an increase in the number of zero-day 
vulnerabilities from 14 in 2012 to 23 in 2013. There were more 
zero-day vulnerabilities discovered in 2013 than in any previous 
year since Symantec began tracking them, and more than the 
past two years combined.
For 2013 the majority of attacks using zero-day vulnerabilities 
focused on Java. Not only did Java hold the top three spots in 
exploited zero-day vulnerabilities, it was responsible for 97 
percent of attacks that used zero-day vulnerabilities after they 
were disclosed. When looking at the top five zero-day vulnerabilities, 
the average exposure window between disclosure and an 
official patch was 3.8 days, comprising a total of 19 days where 
users were left exposed. 
Compromising a legitimate website may seem to be a challenge 
for many, but vulnerability scans of public websites carried 
out in 2013 by Symantec’s Website Security Solutions division 
found that 77 percent of websites contained vulnerabilities. Of 
these, 16 percent were classified as critical vulnerabilities that 
could allow attackers to access sensitive data, alter the website’s 
content, or compromise visitors’ computers. This means that 
when an attacker looks for a site to compromise, one in eight 
sites makes it relatively easy to gain access. 
Social Networking and Mobile Threats 
Some of the most popular applications used on mobile devices 
are for social networking, and as the various social networking 
sites vie for our attention, new ones continue to emerge. These 
are quickly adopted by teenagers and young adults, who have 
little sense of loyalty to some of the more established networks, 
which are increasingly being dominated by the older generations 
and their parents. In 2013, cybercriminals have sought to exploit 
the data we share online through social media, and as these sites 
become increasingly interconnected the security of our data 
and personal information online becomes more important than 
ever. Fake offers dominated the social media landscape in 2013, 
making up 81 percent of all social media related attacks, up from 
56 percent in 2012. 
Furthermore, the greatest risk for a compromised mobile device 
was being spied on; this tactic was found in 60 percent of mobile 
threats in 2013 compared with 20 percent in 2012. Approximately 
36 percent of malware was designed to steal data in 2013, 
compared with 46 percent in 2012. The individual can be spied 
on through the collection of SMS messages or phone call logs, 
tracking GPS coordinates, recording phone calls, or by gathering 
photos and video taken with the device. 
Social networking also has an important role to play in the 
social engineering tactics employed in some targeted attacks, 
and not only by the cyber-criminals as revealed in some of the 
documents published by Edward Snowden in 2013. For example, 
a potential target may be exposed to a malicious social media 
profile that could result in malware being deployed on their 
computer. Social media also enables a potential attacker to 
find out who works for a targeted organization using professional 
social networking sites, such as LinkedIn. IT and network 
administrators may be the most attractive targets because of 
the type of privileged information they may have access to, due 
to the nature of their roles. It’s through these and other means 
that watering-hole attacks could be expected to take the place of 
the more traditional email-based attacks. 
Internet of Things 
There has been much talk of the “Internet of Things” (or IoT) in 
2013, and the first signs of attacks intended for these emerging 
technologies appeared in 2013. The IoT is the name given to 
the idea that more devices are being connected to the Internet 
beyond the traditional computers: Consoles, tablets and mobile 
devices, smart TVs and refrigerators, cameras, home security 
systems, and baby monitors. IoT is the way the Internet is 
moving, and people are as likely to become connected through 
tablets and smartphones as laptops and PCs, and more people 
will be watching TV streamed across the Internet into their 
living rooms rather than on their computers. As the popularity 
of these previously “dumb” devices increases, so will the 
attention they garner from security researchers. As vulnerabilities 
are discovered in recently-innovated internet-enabled 
devices, the challenge of applying patches to fix them will grow. 
In 2013 much of the efforts of cybercriminals were narrowed to 
carving out particular areas of focus for e-crime related activities. 
These criminals found themselves with a great deal to 
choose from; some administered web attack toolkits while others 
rented out botnets to third parties. Spam campaigns shifted 
further away from the traditional pharmaceutical spam, exploiting 
people’s desires and needs with more adult-orientated spam. 
Ransomware, which grew by 500 percent (an increase of six 
times) in 2013, was perhaps the most notable and brazen growth 
area of the year. Cyber-criminals directly extorted money from 
users by holding their personal data as hostage for ransom, and 
even adopting alternative and anonymous payment systems 
such as Bitcoin.
2013 Security Timeline 
• Elderwood Project found using new Internet Explorer Zero-Day Vulnerability 
• Java Zero-Day found in Cool Exploit Kit (CVE-2013-0422) 
• Android.Exprespam potentially infects thousands of devices 
• Backdoor.Barkiofork used to target Aerospace and Defense industries 
• Bamital botnet taken down 
• Adobe zero-day used in “LadyBoyle” attack (CVE-2013-0634) 
• Cross-platform toolkit for creating the remote access tool (RAT) “Frutas” discovered 
• Fake Adobe Flash update discovered installing ransomware and performing click fraud 
• Bit9 suffers security breach, code-signing SSL certificates stolen 
• Android Malware spams victims’ 
• “Facebook Black” scam spreads on 
• Blackhole Exploit Kit takes advantage of financial crisis in 
• Several South Korean banks and local broadcasting organizations impacted by cyber attack. 
• #OpIsrael hacktivism campaign targets Israeli websites 
• NPR, Associated Press, and various Twitter accounts hacked by Syrian Electronic Army (SEA) 
• Distributed Denial of Service attacks hit Reddit and European banks 
• WordPress plugin vulnerability discovered, allowing PHP injection 
• LivingSocial resets passwords for 50 million accounts after data breach 
• A US Department of Labor website becomes victim of a watering-hole 
• Cybercriminals steal more than $1 million from a Washington state 
• SEA hacks Twitter accounts of The Onion, E! Online, The Financial Times, and Sky 
• New Internet Explorer 8 Zero-Day Vulnerability used in watering-hole attack (CVE-2012-4792) 
• #OpUSA hacktivism campaign launches against US websites 
• Seven men were arrested in New York in connection with their role in international cyber attacks which resulted in theft of $45 million across 26 different countries. 
• Microsoft and FBI disrupt Citadel 
• A surveillance scandal emerges in the United States, as a former Government security contractor releases classified documents 
• Zero-day vulnerability found in most browsers across PC, Mac, mobile, and game consoles 
• Anonymous launches #OpPetrol attack on international oil and gas 
• 65 websites compromised to host malicious ads with ZeroAccess 
• FakeAV discovered on Android 
• Ubisoft hacked: user account information 
• France caught up in PRISM scandal as data snooping allegations emerge 
• New exploit kit targets flaws in Internet Explorer, Java, and Adobe 
• FBI-style ransomware discovered targeting OSX computers 
• Android Master Key vulnerability used in the wild 
• Viber and Thomson Reuters latest victims of SEA attacks 
• Channel 4 blog, New York Post, SocialFlow, Washington Post, New York Times, impacted by SEA attacks 
• DNS hijack caused thousands of sites to redirect users to exploit kit 
• Two new ransomware scams found: One that changes Windows login credentials on Chinese systems, another that takes advantage of the NSA PRISM controversy 
• Fake ‘Instagram for PC’ leads to survey scam 
• Attackers targeted banks’ wire payment switch to steal millions 
• Francophoned social engineering ushers in a new era of targeted 
• Syrian Electronic Army compromises US Marine Corps’ website, Fox Twitter accounts, supposedly using Mac Trojan 
• ATMs discovered that dispense cash to criminals 
• Ransomware called “Cryptolocker” surfaces that encrypts victims’ files and demands payment to decrypt 
• Symantec lifts lid on professional hackers-for-hire group Hidden Lynx 
• Belgian telecom compromised in alleged cyber espionage campaign 
• Symantec Security Response sinkholes ZeroAccess botnet 
• The Silk Road marketplace taken offline, resurfaces by end of month 
• SEA attacks GlobalPost and Qatar websites, US Presidential staff 
• Adobe confirms security breach, 150 million identities exposed 
• Blackhole and Cool Exploit Kit author arrested 
• WhatsApp, AVG, Avira defaced by hacker group KDMS 
• New ransomware demands Bitcoins for decryption key 
• Second Android master key vulnerability 
• Microsoft zero-day vulnerability being used in targeted attacks and e-crime scams (CVE-2013-3906) 
• SEA hacks in retaliation for article that supposedly names 
• Anonymous claims to have hacked UK Parliament Wi-Fi during London 
• Linux worm that targets “Internet of Things” discovered 
• Target confirms data breach leading to the exposure of 110 million 
• Data of 20 million Chinese hotel guests leaked 
• Cross-site scripting vulnerability found in wind turbine control application 
• Imitation versions of Cryptolocker discovered, attempt to capitalize on original’s success 
• 105 million South Korean accounts exposed in credit card security 
Breaches With More Than 10 Million Identities Exposed 
2012: 1 
2013: 8 (+700%) 
Top-Ten Types of Information Breached 
01 Real Names 
02 Birth Dates 
03 Government ID Numbers (Social Security) 
04 Home Address 
05 Medical Records 
06 Phone Numbers 
07 Financial Information 
08 Email Addresses 
09 User Names & Passwords 
10 Insurance 
• Mega Breaches were data breach incidents that resulted in the personal details of at least 10 million identities being exposed in an individual incident. There were eight in 2013, compared with only one in 2012.

Total Identities 
+62% +493% 
Average Identities Exposed / Breach 
2013 2,181,891 
Median Identities Exposed / Breach 
2013 6,777 
• Hacking continued to be the primary cause of data breaches in 2013. Hacking can undermine institutional confidence in a company, exposing its attitude to security, and the loss of personal data in a highly public way can result in damage to an organization’s reputation. Hacking accounted for 34 percent of data breaches in 2013. 
• In 2013, there were eight data breaches that netted hackers 10 million or more identities, the largest of which was a massive breach of 150 million identities. In contrast, 2012 saw only one breach larger than 10 million identities. 
• Although the overall average size of a breach has increased, the median number of identities stolen has actually fallen from 8,350 in 2012 to 6,777 in 2013. Using the median can be helpful in this scenario since it ignores the extreme values caused by the notable, but rare events that resulted in the largest numbers of identities being exposed. 
Overall Email Spam Rate 
Estimated Global Email Spam Volume / Day 
2012 2013 
2013 29 Billion 
Pharmaceutical Email Spam 
Adult / Sex / Dating Email Spam 
2012 2013 
• Approximately 76 percent of spam email was distributed by spam-sending botnets, compared with 79 percent in 2012. Ongoing actions to disrupt a number of botnet activities during the year have helped to contribute to this gradual decline. 
• In 2013, 87 percent of spam messages contained at least one URL hyperlink, compared with 86 percent in 2011, an increase of 1 percentage 
• Adult Spam dominated in 2013, with 70 percent of spam related to adult content. These are often email messages inviting the recipient to connect to the scammer through instant messaging, or a URL hyperlink where they are then typically invited to a pay-per-view adult-content web cam site. Often a bot responder, or a person working in a low-pay, offshore call center would handle any IM 
p. 15 
Bots, Email 
Number of Bots 
2013 2.3Million 
23% 25% 
Email Malware as URL 
Email Virus Rate Smaller Number = Greater Risk 
2013 1 IN 196 
2012 1 IN 291 
Email Phishing Rate Smaller Number = Greater Risk 
2013 1 IN 392 
2012 1 IN 414 
• Bot-infected computers, or bots, are counted if they are active at least once during the period. Of the bot-infected computer activities that Symantec tracks, they may be classified as actively-attacking bots or bots that send out spam, i.e. spam zombies. During 2013, Symantec struck a major blow against the ZeroAccess botnet. With 1.9 million computers under its control, it is one of the larger botnets in operation at present. ZeroAccess has been largely used to engage in click fraud to generate profits for its controllers.
• In 2013, more email-borne comprised hyperlinks that referenced malicious code, an indication that are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the web.
• 71 percent of phishing attacks were related to spoofed financial organizations, compared with 67 percent in 2012. Phishing attacks on organizations in the Information Services sector accounted for 22 percent of phishing attacks in 2013
p. 16 
Android Mobile 
Malware Families 
Average Number of 
Variants Per Family 
Total Android Mobile Malware Variants 
2013 3,262 
2013 127 
Mobile Vulnerabilities 
• Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile application (“app”) marketplaces in the hope that users will download and install them, often trying to pass themselves off as legitimate apps or
• Attackers have also taken popular legitimate applications and added additional code to them. Symantec has classified the types of threats into a variety of categories based on their functionality
• Symantec tracks the number of threats discovered against mobile platforms by tracking malicious threats identified by Symantec’s own security products and confirmed documented by mobile

p. 17 
New Unique Malicious Web Domains 
Web Attacks Blocked Per Day 
• Approximately 67 percent of websites used to distribute malware were identified as legitimate, compromised
• 10 percent of malicious website activity was classified in the Technology category, 7 percent were classified in the Business category and 5 percent were classified as Hosting.
• 73 percent of browser-based attacks were found on Anonymizer proxy websites, similarly, 67 percent of attacks found on Blogging websites involved browser-based
p. 18 
Targeted Attacks – Spear Phishing 
• Targeted attacks aimed at Small Businesses (1-250) accounted for 30 percent of targeted spear-phishing attacks. 1 in 5 small business organizations was targeted with at least one spear-phishing email in 2013.
• 39 percent of targeted spear-phishing attacks were sent to Large Enterprises comprising over 2,500+ employees. 1 in 2 of which were targeted with at least one such attack.
• The frontline in these attacks is moving along the supply chain and large enterprises may be targeted through web-based attacks should email-based attacks fail to yield the desired results.
Spear-Phishing Attacks 
by Business Size 
Risk of 
251 to 2,500 
1 to 250 
1 IN 2.3 
30% 1 IN 5.2 
p. 19 
Targeted Attacks – Spear Phishing 
Industries at Greatest Risk 
of Being Targeted by Spear Phishing 
Mining 1 IN 2.7 
Public Administration (Gov.) 1 IN 3.1 
Manufacturing 1 IN 3.2 
Top Industries Attacked by Spear Phishing 
Public Administration (Government) 
Services – Professional 
Services – Non-Traditional 
• Approximately 1 in 3 organizations in the Mining, Public Administration and Manufacturing sectors were subjected to at least one targeted spear-phishing attack in 2013.
• The Government and Public Sector (aka. Public Administration) accounted for 16 percent of all targeted spear-phishing email attacks blocked in 2013, compared with 12 percent in 2012.
p. 20 
Spear-Phishing Email Campaigns 
Campaigns in 2013 +91% 779 
Recipients Per Campaign -79% 23 
Attacks Per Campaign -76% 29 
3x Average Time of Campaign longer 
than 2012 Days Spear-Phishing Emails Per Day 
• Attackers may target both the personal and professional email accounts of individuals concerned; a target’s work-related account is likely to be targeted more often and is known as spear phishing.
• Over the past decade, an increasing number of users have been targeted with spear-phishing attacks and the social engineering has grown more sophisticated over time.
• In 2013 the volume and intensity of these attacks had changed considerably from the previous year, prolonging the duration over which a campaign may last, rather than intensifying the attacks in one or two days as had been the case previously. Consequently, the number of attacks seen each day has fallen and other characteristics of these attacks suggest this may help to avoid drawing attention to an attack campaign that may be underway.
Targeted Attacks – Spear Phishing

p. 21 
Targeted Attacks – Spear Phishing 
Spear-Phishing Email Cloud 
Most commonly used words in spear-phishing attacks 
• This word cloud shows the most frequently occurring words that have been used in targeted spear-phishing email attacks throughout 2013. The larger the size of the font, the more frequently that word was used.
p. 22 
Scanned Websites With Vulnerabilities ... 
... % of Which Were Critical 
2013 6,787 
New Vulnerabilities 
SSL and TLS protocol renegotiation vulnerabilities were most commonly exploited
1 IN 8 sites 
had critical 
• Attackers generally have to find and exploit a vulnerability in a legitimate website in order to gain control and plant their malicious payload within the site. Compromising a legitimate website may seem to be a challenge for many, but vulnerability scans of public websites carried out in 2013 by Symantec’s Website Vulnerability Assessment Services found that 77 percent of sites contained
• Of this, 16 percent were classified as critical vulnerabilities that could allow attackers to access sensitive data, alter the website’s content, or compromise visitors’ computers. This means that when an attacker looks for a site to compromise, one in eight sites makes it relatively easy to gain
• The most commonly exploited vulnerabilities related to SSL and TLS protocol renegotiation.
Targeted Attacks – Web-Based
p. 23 
Targeted Attacks – Web-Based 
Websites Found With Malware 
1 IN 532 
Zero-day Vulnerabilities 
1 IN 566 
14 +64% 
23 software vulnerabilities were zero-day, 
5 of which were for Java 
97% of attacks using exploits for vulnerabilities 
identified as zero-day were Java-based 
Top-5 zero-day vulnerabilities 
Oracle Java SE CVE-2013-1493 54% 
Oracle Java Runtime Environment CVE-2013-2423 27% 
Oracle Java Runtime Environment CVE-2013-0422 16% 
Microsoft Internet Explorer CVE-2013-1347 1% 
Microsoft Internet Explorer CVE-2013-3893 <1% 
4 days 
Average time 
to patch 
19 days 
Total time of exposure 
for top 5 zero-days 
0 90 
• Malware was found on 1 in 566 websites scanned by Symantec’s Website Vulnerability Assessment Service in combination with the daily malware scanning
• 97 percent of attacks using exploits for vulnerabilities initially identified as zero-days were Java-based. The total time between a zero-day vulnerability being published and the required patch being published was 19 days for the top-five most-exploited zero-day vulnerabilities. The average time between publication and patch was 4 days.
• Zero-day vulnerabilities are frequently used in watering-hole web-based targeted attacks. Attackers can quickly switch to using a new exploit for an unpublished zero-day vulnerability once an attack is discovered and the vulnerability
p. 24 
p. 25 
At a Glance 
• Targeted attacks have become more focused as attackers have streamlined their attack
• The global average number of spear-phishing attacks per day in 2013 was 83.
• Zero-day vulnerabilities, often used in watering-hole attacks, reached their highest levels since Symantec began tracking
• Hackers were once again responsible for more data breaches than any other source. However, accidental exposure, as well as theft or loss, grew significantly in 2013.
• There were over 552 million identities exposed in data breaches during
Targeted Attacks 
The use of malware specifically to steal sensitive or confidential information from organizations 
isn’t a new trend; it’s been around for at least the past decade. However the scale of these attacks 
has always been relatively low in order to remain below the radar of security technology used to 
safeguard against them. A targeted attack uses malware aimed at a specific user or group of users 
within a targeted organization and may be delivered through a spear-phishing email, or a form of 
drive-by download known as a watering-hole attack. No matter how these attacks are delivered they 
are designed to be low in volume, often with malicious components used exclusively in one attack. 
Their ultimate goal is to provide a backdoor for the attacker to breach the targeted organization. 
In the past these targeted attacks have relied primarily on the spear-phishing element, an email-based 
phishing attack is often aimed at an individual or small group of individuals, because 
they may have access to sensitive information through their role at a targeted organization. An 
important detail with a spear-phishing email is that it often appears to come from someone the 
recipient knows, a source they would trust, or contain subject matter the target would be interested 
in or is relevant to their role. The social engineering is always refined and well-researched, hence 
the attack may be very difficult to recognize without the right technology in place to safeguard 
against it. 
However, targeted attacks no longer rely as heavily on spear-phishing attacks in order to penetrate 
an organization’s defenses. More recently the attackers have expanded their tactics to include 
watering-hole attacks, which are legitimate websites that have been compromised for the purpose 
of installing targeted malware onto the victim’s computer. These attacks rely almost exclusively 
on client-side exploits for zero-day vulnerabilities that the attackers have in their arsenal. Once 
the vulnerability the hackers are using has been published, they will often quickly switch to using 
another exploit in order to remain undetected. 
Changes in 2013 
It’s worth looking back at the last few years to see how previous attack trends compare to the ones 
in 2013. In 2012 we witnessed a 42 percent increase in the targeted-attack rate when compared to 
the previous year. This was a measure of the average number of targeted-attack spear-phishing 
emails blocked each day. In 2013 the attack rate appears to have dropped 28 percent, returning to 
similar levels seen in 2011. 
What appears to have happened is that attacks have become more focused as the attackers 
have solidified and streamlined their attack methods. Looking at email-based attack campaigns 
in particular,01 the number of distinct campaigns identified by Symantec is up by 91 percent 
compared to 2012, and almost six times higher compared to 2011. However, the average number of 
attacks per campaign has dropped, down 76 percent when compared to 2012 and 62 percent from 
2011. This indicates that while each attack campaign is smaller, there have been many more of 
them in 2013. 
The number of recipients of spear-phishing emails during a campaign is also lower, at 23 recipients 
per campaign, down from 111 in 2012 and 61 in 2011. In contrast, these campaigns are lasting 
longer. The average duration of a campaign is 8.2 days, compared to 3 days in 2012 and 4 days in 
2011. This could indicate that the attack campaigns are becoming more focused and persistent, 
with a reduced number of attempts over a longer period of time in order to better hide the activity. 
p. 26 
• The global average daily rate of targeted spear-phishing attacks is 28 percent lower than in 2012, but two percent higher than 2011. The figure for 2012 was unusually high, and attackers seem to have adjusted their tactics in 2013 in an attempt to reduce their footprint. The average rates for 2013 returned to levels on par with previous years.
• The global average number of spear-phishing attacks per day in 2013 was 83, compared with 116 in 2012 and 82 in 2011.
• The spear-phishing attack rate reached a peak of 188 attacks per day in the month of August, compared with the peak of 227 in June of the previous year.
Fig. 1: Average Number of Spear-Phishing Attacks Per Day, 2011–2013 (monthly, January to December, one series per year). Source: Symantec
Spear Phishing 
Spear-phishing attacks rely heavily on social engineering to improve their chances of success. 
The emails in each case are specially tailored by the attackers to spark the interest of the individual
being targeted, with the hope that they will open them. For example, an attacker may send
someone working in the financial sector a spear-phishing email that appears to cover some new 
financial rules and regulations. If they were targeting someone working in human resources, they 
might send spear-phishing emails that include malware-laden résumé attachments. 
We’ve also seen some fairly aggressive spear-phishing attacks. In these cases the attacker sent an 
email and then followed up with a phone call directly to the target, such as the “Francophoned” 
attack from April 2013.02 The attacker impersonated a high-ranking employee, and requested that 
the target open an attachment immediately. This assertive method of attack has been reported 
more often in 2013 than in previous years. 
Attackers will often use both the personal and professional accounts of the individual targeted, 
although statistically the victim’s work-related account is more likely to be targeted. 
Over the past decade, an increasing number of users have been targeted with spear-phishing 
attacks, and the social engineering has grown more sophisticated over time. In analyzing the 
patterns and trends in these attacks it is important to look at the profile of the organizations 
concerned, most notably to which industry sector they belong, and how large their workforce is. 
The net total number of attacks blocked in 2013 is broken down by industry in figure 4 and organization
size in figure 5.
p. 27 
Fig. 2: Email Campaigns, 2011 – 2013
Source: Symantec

                                               2013    2012   vs 2012    2011   vs 2011
Campaigns                                       779     408    +91%       165    +472%
Recipients per Campaign                          23     111    -81%        61    -62%
Average Number of Email Attacks Per Campaign     29     122    -76%        78    -62%
Average Duration of a Campaign (in days)        8.2       3    +173%        4    +105%
• In 2013 the volume and intensity of spear phishing targeted email campaigns changed considerably 
from the previous year, extending the duration over which a campaign may last, rather than 
intensifying the attacks in one or two days as had been the case previously. Consequently, the number 
of attacks seen each day has fallen and other characteristics of these attacks suggest this may help to 
avoid drawing attention to an attack campaign that may be underway.
p. 28 
Source: Symantec 
01 INCURSION The attacker gains entry to the targeted organization. This is often preceded 
by reconnaissance activities where the attacker is looking for a suitable social engineering tactic. 
02 DISCOVERY Once the attacker has gained entry, they will seek to maintain that access 
as well as discover what data and other valuable resources they may wish to access. 
03 CAPTURE Once the valuable data has been discovered and identified, the 
attacker will find a way to collect and gather that data before trying to exfiltrate it. 
04 EXFILTRATION The attacker will find a mechanism to steal the 
data from the targeted organization. This may be by uploading it to a remote 
server or website the attackers have access to. More covert methods may 
involve encryption and steganography, to further obfuscate the exfiltration 
process, such as hiding data inside DNS request packets. 

p. 29 
• Public Administration03 topped the industries targeted in 2013, comprising 16 percent of all
• Services, both professional and non-traditional,04 came in second and third, respectively, in the overall number of attacks.
However just because an industry or organization of a particular size receives a large number of 
attacks doesn’t necessarily mean that it was at an elevated risk, or that someone working in that 
industry or organization had a high probability of being targeted. The probability was determined 
by looking at a group of people who have been targeted and comparing this number against a 
control group for that industry or organization size. Furthermore, it was important to look not 
only at the attacks themselves, but also to examine the email traffic of other customers in the same 
sectors and of the same organizational size. In this way, for the first time, Symantec was able to 
report on the odds of any particular organization being targeted in such an attack, based on their 
industry and size. 
Top-Ten Industries Targeted 
in Spear-Phishing Attacks, 2013 
Source: Symantec 
Public Administration (Gov.) 16% 
Services – Professional 
Services – Non-Traditional 
Finance, Insurance 
& Real Estate 
Transportation, Gas, 
Communications, Electric 
Fig. 4 
Politics and Targeted Attacks
While correlation doesn’t always equal causation, it’s often quite interesting never-the-less. This is especially true in the amalgamous region of targeted attacks, where it’s difficult to prove motive. A good example of this came this year after negotiations concerning an energy partnership between two nation states. Sadly the negotiations broke down, but what followed was a significant increase in the number of targeted attacks against the Energy sector.
p. 30 
Spear-Phishing Attacks by Size of Targeted Organization, 2011 – 2013 
Source: Symantec 
1,501 to 2,500 
1,001 to 1,500 
501 to 1,000 
251 to 500 
50% 50% 
• Targeted attacks aimed at small businesses (1-250 employees) 
in 2013 accounted for 30 percent of all such attacks, compared 
with 31 percent in 2012 and 18 percent in 2011. Despite the 
overall average being almost unchanged, the trend shows that the 
proportion of attacks at organizations of this size was increasing 
throughout the year, peaking at 53 percent in November. 
• If businesses with 1-250 and 251-500 employees are combined, 
the proportion of attacks is 41 percent of all attacks, compared 
with 36 percent in 2012. 
• Large enterprises comprising over 2,500+ employees accounted 
for 39 percent of all targeted attacks, compared with 50 percent 
in 2012 and 2011. The frontline in these attacks moved along 
the supply chain department. Large enterprises were more likely 
to be targeted through watering-hole attacks than through spear
1 to 250 
2011 2012 2013 
31% 30% 
Fig. 5
p. 31 
For example, in 2013, 1 in 54 customers were targeted with at least one spear-phishing 
email. The seriousness of attempted spear-phishing attacks is even clearer, using the 
same methodology, when comparing these numbers to the annual risk of an office fire. 
The odds of a building catching fire are, at worst, around one in 161.05 
These odds change depending on the industry, the size of the organization, and an individual’s 
role within the organization. This risk can be calculated using epidemiology concepts commonly 
applied to public health issues,06 in this case applying them to the industry and job role. Epidemiology
is frequently used in medicine to analyze how often diseases occur in different groups of
people and why. In this way, if targeted attacks are considered to be disease agents, it is possible 
to determine which groups are more or less at risk based on exposure to the disease. In this case, 
Fig. 6 
Risk of Job Role Impact by Targeted Attack 
Sent by Spear-Phishing Email 
Source: Symantec 
Personal Assistant (Executive Assistant) 
Medium Senior Management 
• Personal assistants, people working in the media, and senior 
managers are currently most at risk of being targeted by a spear-phishing 
campaign, based on observations in 2013. 
• C-level executives, recruitment, and research and development 
are less likely to be targeted in the near future solely because 
of their job role. 
Theft in the Middle of the Night
On occasion, evidence of a cybercrime comes from an unexpected source. One company in the financial sector noticed an unusual early morning money transfer on a particular day, and from a particular computer. The company decided to check the CCTV footage and discovered that there was no one sitting at the computer at the time of the transaction. A back door Trojan was discovered during the examination of the computer. The threat was removed, but not before the attackers behind the attack made off with more than €60,000.
p. 32 
Ratio of Organizations in an Industry Impacted by Targeted Attack Sent by Spear-Phishing Email
Source: Symantec

Industry                                                              Risk (1 IN)
Mining                                                                2.7
Public Administration (Government)                                    3.1
Manufacturing                                                         3.2
Wholesale                                                             3.4
Transportation, Communications, Electric, Gas & Sanitary Services     3.9
Finance, Insurance & Real Estate                                      4.8
Services — Non-Traditional                                            6.6
Construction                                                          11.3
Agriculture, Forestry & Fishing                                       12.0
we were not just focused on the organizations being targeted within a particular sector, but on 
other organizations within the same industry which may not be targeted. In this way we were able 
to more accurately determine the odds ratio for any one type of organization being targeted. It’s 
similar to the way risk is calculated for diseases such as lung cancer, and calculating the probability 
of developing the disease from exposure to tobacco smoke. 
Of course an organization’s risk will either rise or fall depending on their industry and number of 
employees (figure 8). For the individual, another factor will be their job role, as shown in figure 6. 
• Mining, Manufacturing, and Public Administration were high-risk industries based on observations made in 2013. For example, approximately 1 in 3 customers in these sectors were subjected to one or more targeted spear-phishing attacks in 2013.
• Although only 0.9 percent (1 in 110) of all spear-phishing attacks were aimed at the Mining sector in 2013, one-third of Mining organizations were targeted at least once. This indicates a high likelihood of being targeted, but the frequency and volume of attacks is relatively low compared to other sectors.
• Similarly Wholesale, Transportation, and Finance may be classified as medium-risk industries.
• Non-traditional services, Construction, and Agriculture fell below the base line, which means that the organizations in these industry sectors were unlikely to have been targeted solely for being in that sector.
Fig. 7

Ratio of Organizations Targeted by Industry Size Sent by Spear-Phishing Email
Source: Symantec
Organization size (employees): Risk (1 in)
2,500+: 2.3
1,501–2,500: 2.9
1,001–1,500: 2.9
501–1,000: 3.8
Medium 251–500: 4.3
1–250: 5.2
• The larger the company, the greater the risk of receiving a spear-phishing email.
• One in 2.3 organizations with 2500+ employees was targeted in at least one spear-phishing
attack, while 1 in 5 small or medium businesses was targeted in this way.
Fig. 8 
07 Fig. 9 
Analysis of Spear-Phishing Emails 
Used in Targeted Attacks 
Source: Symantec 
Executable type 2013 2012 
.exe 31.3% 39% 
.scr 18.4% 2% 
.doc 7.9% 34% 
.pdf 5.3% 11% 
.class 4.7% <1% 
.jpg 3.8% <1% 
.dmp 2.7% 1% 
.dll 1.8% 1% 
.au3 1.7% <1% 
.xls 1.2% 5% 
• More than 50 percent of email attachments used in spear-phishing 
attacks contained executable files in 2013. 
• Microsoft Word and PDF documents were both used regularly, 
making up 7.9 and 5.3 percent of attachments respectively. 
However, these percentages are both down from 2012. 
• Java .class files also made up 4.7 percent of email attachments 
used in spear-phishing attacks.
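The attachment types in Fig. 9 map directly onto a mail-gateway triage rule. The following is an added example, not code from the report: it parses a message with Python's standard email library and flags attachments with a directly executable extension from the table, and it goes beyond the table with two added heuristics (a document extension placed in front of the real one, and a Windows PE or Java class header behind a document or image name). The extension groupings, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions from Fig. 9 that run code when opened (this grouping is an assumption).
EXECUTABLE_EXT = {".exe", ".scr", ".class", ".dll", ".au3"}
# Extensions from Fig. 9 that recipients expect to be passive content.
DOCUMENT_EXT = {".doc", ".pdf", ".jpg", ".xls", ".dmp"}


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons (possibly none) why one attachment looks risky."""
    reasons = []
    name = filename.strip().lower()
    suffixes = PurePosixPath(name).suffixes  # "a.pdf.exe" -> [".pdf", ".exe"]
    final = suffixes[-1] if suffixes else ""

    if final in EXECUTABLE_EXT:
        reasons.append(f"executable extension {final}")
        # A document extension directly before the real one is a disguise.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT:
            reasons.append(f"double extension {suffixes[-2]}{final}")
    else:
        # Content check: PE files start with "MZ", Java class files with 0xCAFEBABE.
        if payload[:2] == b"MZ":
            reasons.append("PE header behind non-executable name")
        elif payload[:4] == b"\xca\xfe\xba\xbe":
            reasons.append("Java class header behind non-executable name")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each risky attachment filename in a raw message to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a benign PDF, a disguised .scr and a PE file named .jpg."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.doc.scr")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in triage_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(why)}")
```
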
Watering Holes 
In 2013, the most sophisticated form of targeted attacks made use of “watering holes”. First documented
in 2011,08 this attack technique requires the attackers to infiltrate a legitimate site visited
by their target, plant malicious code, and then lie in wait. As a drive-by download tactic, it can 
be incredibly potent. For example, the Hidden Lynx09 attacks infected approximately 4,000 users 
in one month alone. In some cases other visitors to a watering-hole site may not be the intended 
target, and are therefore either served with other forms of malware or no malware at all, rather 
than being subjected to the attack reserved for the primary target. This illustrates that while 
effective, watering holes may be used as a longer-term tactic, requiring a degree of patience on the 
part of the attackers as they wait for their intended target to visit the site unprompted. 
To set up a watering hole, attackers generally have to find and exploit a vulnerability in a legitimate 
website in order to gain control and plant their malicious payload within the site. Compromising a 
legitimate website may seem to be a challenge for many, but vulnerability scans of public websites 
carried out in 2013 by Symantec’s Website Security Solutions division10 found that 77 percent of 
sites contained vulnerabilities. Of these, 16 percent were classified as critical vulnerabilities that 
allow attackers to either access sensitive data, alter website content, or compromise a visitor’s 
computers. This means that when an attacker looked for a site to compromise, one in eight sites 
made it relatively easy to gain access. 
When a website is compromised, the attackers are able to monitor the logs of the compromised 
site in order to see who is visiting the website. For instance, if they are targeting organizations 
in the defense industry, they may look for IP addresses of known defense contractors. If these IP 
addresses are found in the traffic logs, they may then use the website as a watering hole. 
Zero-day Vulnerabilities, Annual Total, 2006 – 2013
Source: Symantec
Fig. 10
Top-Five Zero-day Vulnerabilities
Source: Symantec
Average time to patch: 4 days
Total time of exposure for top 5 zero-days: 19 days
Oracle Java SE CVE-2013-1493 Remote Code Execution Vulnerability: 54%
Oracle Java Runtime Environment CVE-2013-2423 Security Bypass Vulnerability: 27%
Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities: 16%
Microsoft Internet Explorer CVE-2013-1347 Use-After-Free Remote Code Execution Vulnerability: 1%
Microsoft Internet Explorer CVE-2013-3893 Memory Corruption Vulnerability: <1%
Fig. 11
• The chart above shows the malicious activity blocked by Symantec endpoint technology for the most 
frequently exploited vulnerabilities that were identified as zero-days in 2013. 
• Within the first five days after publication, Symantec blocked 20,813 potential attacks, which grew to
37,555 after 10 days. Within 30 days the total for the top five was 174,651.
• For some zero-day vulnerabilities, there was a higher amount of malicious activity very soon after 
publication, an indication of exploits being available in the wild before the vulnerability was documented. 
For example, with CVE-2013-0422 after five days Symantec had blocked 20,484 malicious actions 
against that vulnerability, and 100,013 after just 30 days.
Attackers can even send the malicious payloads only to particular IP address ranges they wish to
target, in order to minimize the collateral damage to other people visiting the site, which
could draw attention to the existence of the attack.
Watering holes rely heavily on exploiting zero-day vulnerabilities because the chances of the 
attack being discovered are low. The number of zero-day vulnerabilities which were used in 
attacks during 2013 increased, with 23 new ones discovered during the year. This is an increase 
from the 14 that were discovered in 2012, and the highest figure since Symantec began tracking 
zero-day vulnerabilities in 2006. 
In 2013 the majority of attacks that used zero-day vulnerabilities focused on Java. Java held the 
top three spots in exploited zero-day vulnerabilities, responsible for 97 percent of attacks that 
used zero-day vulnerabilities after they were disclosed. When looking at the top five zero-day 
vulnerabilities, the average exposure window between disclosure and an official patch was 3.8 
days, and comprised a total of 19 days where users were left exposed. 
One reason why watering-hole attacks are becoming more popular is that users aren’t instinctively
suspicious of legitimate websites that they know and trust. In general such attacks are
set up on legitimate websites that contain specific content of interest to the individual or group 
being targeted. The use of zero-day vulnerabilities on legitimate websites made watering holes a 
very attractive method for attackers with the resources to orchestrate such an attack. 
Network Discovery and Data Capture 
If attackers successfully compromise an organization they may traverse the network, attempt to 
gain access to the domain controller, find documents of interest, and exfiltrate the data. Downloaders
were popular tools used to gain further control within an organization’s network. Often
referred to as “stage-one back doors”, these highly versatile forms of malicious code allow the
download of other malware, depending on what may be needed to carry out their objectives.
The main reason that attackers use downloaders is that they’re lightweight and easy to
propagate. Once a downloader enters a network it will, by definition, download more traditional 
payloads such as Trojan horses to scan the network, keyloggers to steal information typed into 
compromised computers, and back doors that can send stolen data back to the attacker. 
Once on the network, an attacker’s goal is generally to traverse it further and gain access to 
various systems. Info-stealing Trojans are one of the more common payloads that an attacker 
will deliver. These Trojans quietly sit on compromised computers gathering account details. 
Password-dumping tools are used as well, especially when encountering an encrypted cache of 
passwords. These tools allow an attacker to copy encrypted (or “hashed”) passwords and attempt 
to “pass the hash,” as it is known, to exploit potentially vulnerable systems on the network. 
The goal for the attacker is to gain elevated privileges on systems on the network that appeal to 
them, such as FTP access, email servers, domain controllers, and so on. Attackers can use these 
details to log into these systems, continue to traverse the network, or use them to exfiltrate data. 
It’s Not Just a Game Anymore
Video game companies have become the target of attackers, but for more than just to steal virtual
currencies, as we’ve seen in previous years. It appears there has been a concerted effort by
hacking groups to steal the source code of popular games, particularly those in the online
role-playing game (MMORPG) genre. The hackers appear to have gained access through forged digital
certificates, after which point they stole source code. The motive for doing so remains unclear,
though it could be to monitor game users or simply to steal the intellectual property.

Case Study: Point of Sale Attacks
One of the most notable incidents in 2013 was caused by a targeted attack exploiting a retailer’s
point of sale (PoS) systems. This resulted in a significant breach of confidential customer records.
These PoS systems handle customer transactions through cash or credit cards. When a customer
swipes their credit or debit card at a PoS system, their data is sent through the company’s
networks in order to reach the payment processor. Depending on how the system is set up, attackers
could take advantage of a number of flaws within the networks to ultimately allow them to get to
their targeted data.
01 First, the attacker needs to gain access to the corporation’s network that provides access to
the PoS systems.
02 Once the attacker has established a beachhead into the network, they will need to get to their
targeted systems. To achieve this, the attacker needs to either attempt to exploit vulnerabilities
using brute-force attacks or steal privileged credentials from an employee through an
information-stealing
03 The attacker must then plant malware that steals sensitive financial data, such as
network-sniffing tools, which steal credit card numbers as they move through internal unencrypted
networks, or RAM-scraping malware, which gathers credit card numbers as the computer reads them.
04 Once the malware is planted, the attacker needs to wait until enough financial data is
collected before exfiltrating it. The stolen data is stored locally and is disguised by obfuscating
file names and encrypting data. The attacker can also use the stolen administrator credentials to
delete log files or disable monitoring software to cover their tracks.
05 When the time comes for the attacker to exfiltrate the data, they may use a hijacked internal
system to act as their staging server. The stolen data will be passed to this server and when the
time comes, the details will be transferred through any number of other internal systems before
reaching an external system under the attacker’s
Source: Symantec
01 INFILTRATION Attackers break into corporate network via spear phishing, vulnerable servers,
and other traditional means
02 NETWORK TRAVERSAL Attacker searches for entry point to the point of sale network
03 DATA STEALING TOOLS Attacker installs malware on PoS systems to steal credit card data
04 PERSISTENCE & STEALTH Malware steals data after each credit card transaction, accumulating
large amounts of stolen data over time
Collected data is exfiltrated to an external server such as a compromised 3rd party cloud server for
Attackers hijack internal system for their “staging server” – accumulating data from thousands
of PoS systems
Fig. 14
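The staging and exfiltration stages described above leave a recognisable network pattern: one internal host receives data from many PoS terminals and later sends a large volume to an external address. The following is an added detection sketch, not code from the report; the flow-record format, the subnets, the thresholds and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

POS_NET = ipaddress.ip_network("10.20.0.0/24")     # assumed PoS terminal subnet
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address space
MIN_POS_SOURCES = 3             # distinct terminals feeding one host (assumed)
MIN_EXTERNAL_BYTES = 1_000_000  # outbound volume worth reviewing (assumed)

# Constructed flow records: timestamp src dst dst_port bytes
SAMPLE_FLOWS = """\
# normal transaction routing to the payment switch 10.1.5.9
2014-01-15T02:00:01 10.20.0.11 10.1.5.9 443 4200
2014-01-15T02:00:02 10.20.0.12 10.1.5.9 443 3900
2014-01-15T02:00:03 10.20.0.13 10.1.5.9 443 4100
# terminals also pushing data to an unrelated internal host
2014-01-15T02:01:10 10.20.0.11 10.3.7.44 445 51200
2014-01-15T02:01:12 10.20.0.12 10.3.7.44 445 48800
2014-01-15T02:01:15 10.20.0.13 10.3.7.44 445 50100
# that host later sends bulk data to an external address
2014-01-15T03:30:00 10.3.7.44 203.0.113.50 21 900000
2014-01-15T03:31:00 10.3.7.44 203.0.113.50 21 850000
# payment switch talking to the processor (expected)
2014-01-15T03:40:00 10.1.5.9 198.51.100.7 443 2500000
""".splitlines()


def parse_flow(line):
    """Parse one 'timestamp src dst dst_port bytes' record (assumed format)."""
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def find_staging_hosts(lines, allowed_collectors=()):
    """Return internal hosts that aggregate PoS traffic and also send bulk data out.

    allowed_collectors lists hosts that are expected to receive PoS traffic,
    such as the payment switch, so normal transaction routing is not reported.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_collectors}
    pos_sources = defaultdict(set)                        # internal dst -> PoS senders
    external_out = defaultdict(lambda: defaultdict(int))  # src -> external dst -> bytes

    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, _, nbytes = parse_flow(line)
        if src in POS_NET and dst in INTERNAL_NET and dst not in POS_NET:
            pos_sources[dst].add(src)
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            external_out[src][dst] += nbytes

    findings = []
    for host, terminals in pos_sources.items():
        if host in allowed or len(terminals) < MIN_POS_SOURCES:
            continue
        for ext, total in external_out.get(host, {}).items():
            if total >= MIN_EXTERNAL_BYTES:
                findings.append({
                    "staging_host": str(host),
                    "pos_terminals": sorted(str(t) for t in terminals),
                    "external_dst": str(ext),
                    "bytes_out": total,
                })
    return findings


if __name__ == "__main__":
    for hit in find_staging_hosts(SAMPLE_FLOWS, allowed_collectors=["10.1.5.9"]):
        print(hit)
```

Without the allow-list the payment switch is reported as well, which is why a baseline of expected PoS collectors has to exist before a rule like this is useful.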
Data Breaches 
We’ve seen a shift in 2013 in the causes of data breaches. When thinking of a data breach, 
what often comes to mind are outside attackers penetrating an organization’s defense. Hacking 
continues to lead in terms of the number of breach causes, comprising 35 percent of data breaches 
in 2013, but this is down from 2012. At 28 percent, accidental disclosure is up 5 percentage points 
from 2012 and theft or loss is close behind it, up 4 percentage points to 27 percent. 
There are many situations where data is exposed by the information leaving the organization 
silently. Sometimes it’s a well-meaning employee simply hoping to work from home by sending a 
spreadsheet through third-party web-based email, a cloud service, or simply by copying the files to 
a USB drive. 
Alternatively system glitches may expose data to users who should not be able to see or share such 
material. For instance, users may be granted permissions on company storage resources that are 
higher than necessary, thus granting them too much access rather than just enough to do what 
they need. Privileged users, such as those granted administrative rights on work computers, are 
• Hacking was the leading source for reported identities exposed in 2013: Hackers were also
responsible for the largest number of identities exposed, responsible for 35 percent of the
incidents and 76 percent of the identities exposed in data breach incidents during 2013.
• The average number of identities exposed per data breach for hacking incidents was
approximately 4.7
• Theft or loss of a device was ranked third, and accounted for 27 percent of data breach incidents.
Top Causes of Data Breach, 2013
Source: Symantec
Categories shown: Hackers (34%), Made Public, Theft or Loss of Computer or Drive, Insider Theft.
Total incidents: 253
Fig. 12
Timeline of Data Breaches, 2013
Source: Symantec
Fig. 13
• There were 253 data breach incidents recorded by the Norton Cybercrime Index for 2013, and a total of 
552,018,539 identities exposed as a result 
• The average number of identities exposed per incident was 2,181,891, compared with 604,826 in 2012 
(an increase of over 2.5 times) 
• The median number of identities exposed was 6,777 compared with 8,350 in 2012. The median is a 
useful measure as it eliminates extreme values caused by the most notable incidents, which may not 
necessarily be typical. 
• The number of incidents that resulted in 10 million or more identities being exposed in 2013 was eight, 
compared with only one in 2012.

often more responsible for breaches than external hackers. These users try to access data they 
shouldn’t have access to or tamper with protections, such as data loss prevention software meant 
to keep sensitive data from leaving the organization’s network. 
In many of these cases the employee does not believe that they are putting the company at risk. 
In fact, according to a survey conducted by Symantec and The Ponemon Institute, 53 percent of 
employees believe this practice is acceptable because it doesn’t harm the company.11 
That’s not to say that attacks from hackers have suddenly slowed. In 2013 there were three record-breaking
data breaches, where the number of identities exposed was in the hundreds of millions.
These massive breaches highlight the importance of having defenses in place to keep outside 
intruders out as well as systems set up to stop sensitive information from leaving the network. 
According to the 2013 Cost of a Data Breach study, published by Symantec and the Ponemon 
Institute,12 the cost of the average consolidated data breach incident increased from US$130 
to US$136. However, this number can vary depending on the country, where German and US 
companies experienced much higher costs at US$199 and US$188, respectively. 
Consequences of a Data Breach 
Data theft is not a victimless crime. Data breaches pose major consequences for both the corporations
that experience them and the consumers who are victims of them.
Risks for the Corporations 
If a company suffers a major data breach, it can face severe repercussions that could impact its 
business. First, there are the reputational damages that come with a data breach. The incident 
could cause consumers to lose trust in the company and move to their competitors’ businesses. 
If the company suffered a large data breach it’s likely to receive extensive media coverage, further 
damaging the corporation’s reputation. 
If the customers decide that the company was at fault for failing to protect their information from 
theft, they could file a class action lawsuit against the breached firm. For example, a class action 
lawsuit is being taken against a health insurer over the theft of two unencrypted laptop computers 
which held data belonging to 840,000 of its members. 
Affected corporations could have other financial concerns beyond legal matters. We believe that 
on average, US companies paid US$188 per breached record over a period of two years. The only 
country hit with a bigger price tag was Germany, at US$199 per breached record. This price rose 
if the data breach was caused by a malicious attack. In these cases, US firms paid US$277 per 
breached record over two years, while German firms paid US$214 per record. These expenses 
covered detection, escalation, notification and after-the-fact response, such as offering data monitoring
services to affected customers.
One US medical records company was driven to bankruptcy after a break-in which led to the 
exposure of addresses, social security numbers, and medical diagnoses of 14,000 people. When 
explaining its decision to file for Chapter 7 bankruptcy protection, the company said that the cost 
of dealing with the data breach was “prohibitive.” 
Risks for the Consumers 
Ultimately, consumers are the real victims of data breaches, as they face many serious risks as a 
result of this cybercrime. 
One unintended risk for consumers whose data was stolen in this way is that their other online 
accounts could be compromised. Attackers use a victim’s personal details to try to gain access 
to other accounts of more value, for example, through password reset features on websites. 
Depending on the stolen information, attackers could use the data to authorize bank account 
transfers to accounts under their control. They could also use victims’ financial details to create 
fraudulent credit or debit cards and steal their money. 
Consumers’ own lax password habits could also cause several of their accounts to be compromised 
as the result of a data breach. If an attacker manages to obtain email addresses and passwords for 
one service as a result of a data breach, they could use this data to attempt to log in to other online 
Medical identity theft could have a huge impact on the consumer, potentially costing victims 
thousands of dollars, putting their health coverage at risk, causing legal problems, or leading to the 
creation of inaccurate medical records. Attackers can use health insurance information, personal 
details, and social security numbers to make false claims on their victims’ health insurance. They 
could take advantage of this data to get free medical treatment at the victims’ cost, or even to 
obtain addictive prescription drugs for themselves or to sell to others. According to our data, the 
healthcare sector contained the largest number of disclosed data breaches in 2013 at 37 percent of 
those disclosed. 
Why does it appear that the Healthcare sector is subject to a higher number of data breaches? One 
consideration is that few other industries can lay claim to needing to store such a variety of personally
identifiable information about clients. By targeting a hospital’s records, an attacker can easily
gather a lot of personal information from these sources, especially if their goal is identity theft. 
On the other hand, the healthcare industry is one of the most highly regulated industries, and 
required to disclose when and where a breach occurs. These sorts of disclosures garner lots of 
media attention. In contrast, many industries are less forthcoming when a breach occurs. For 
instance, if a company has trade secrets compromised, which doesn’t necessarily impact clients or 
customers directly, they may not be quite as forthcoming with the information. Whatever the case, 
at 44 percent Healthcare continues to top our list of industries most impacted by data breaches. 
Digital Privacy Concerns 
If there ever was any question that governments are monitoring Internet traffic, a spotlight was 
cast on the subject in 2013. A variety of leaks during the year showed that, for better or for worse, 
there are agencies in the world who are largely gathering anything and everything they can. 
In some cases it’s one nation state monitoring another. In others it’s a nation state monitoring the 
communications of its own citizens. While some governments have been thrust into the spotlight 
more than others, there’s no question that it is happening in many places. Online monitoring was a 
major security and privacy talking point in 2013. 
From June 2013, several news reports were released containing new information on the US 
National Security Agency’s (NSA) data surveillance programs. More are yet to come, considering 
the sheer magnitude of documents leaked by Edward Snowden, the former NSA contractor who 
released the data. The documents claimed that over the course of several years the NSA collected 
metadata from phone calls and major online services, accessed the fiber-optic networks that 
connected global data centers, attempted to circumvent widely-used Internet encryption technologies,
and stored vast amounts of metadata gathered as part of these programs.
The US wasn’t the only country engaged in cyber-espionage activities in 2013. The Snowden leaks 
also pointed the finger at the United Kingdom’s Government Communications Headquarters 
(GCHQ), and the monitoring activities of other European spying agencies have come to light as 
well. In other parts of the globe, Symantec uncovered a professional hackers-for-hire group with 
advanced capabilities known as Hidden Lynx. The group may have worked for nation states, as 
the information that they targeted includes knowledge and technologies that would benefit other 
countries. Russia’s intelligence forces were also accused of gaining access to corporate networks in 
the US, Asia, and Europe. 
What’s important to note is that the released data leading to many of the year’s online monitoring
stories was brought to the public by someone who was a contractor rather than a full-time
employee, and considered a trusted member of the organization. These organizations also 
appeared to lack strong measures in place to prevent such data leaks, such as data loss prevention 
Unlike external attackers, insiders may already possess privileged access to sensitive customer 
information, meaning they don’t have to go to the trouble of stealing login credentials from 
someone else. They also have knowledge of the inner workings of a company, so if they know that 
their organization has lax security practices they may believe that they could get away with data 
theft unscathed. Our recent research conducted with the Ponemon Institute says that 51 percent of 
employees claim that it’s acceptable to transfer corporate data to their personal computers, as their 
organizations don’t strictly enforce data security policies. Insiders could earn a lot of money for 
selling customer details, which may be motivation enough to risk their careers. 
There are two big issues with online monitoring today, not just for governments, but also for 
organizations and ordinary citizens: Personal digital privacy, and the use of malware or spyware. 
It’s clear that governments are monitoring communications on the internet, leading more Internet 
users to look into encryption to protect their communications and online activities. What’s more 
troubling for those concerned about safeguarding their privacy is that nation states have largely 
adopted the same techniques as traditional attackers, using exploits and delivering malicious 
binaries. From a security perspective, there is very little difference between these techniques, 
targeted attacks, and cybercrime in general. 
E-crime and Cyber Security 
The use of computers and electronic communications equipment in an attempt to commit criminal 
activities, often to generate money, is generally referred to as e-crime and it continues to play a 
pivotal role in the threat landscape. The scope of what is covered by e-crime has also changed and 
expanded over the years and now includes a variety of other potentially illegal activities that may 
be conducted online, such as cyber bullying, the hijacking of personal data, and the theft of intellectual 
The threats used to carry out the more traditional e-crime attacks rely heavily on social engineering 
in order to succeed, and may be delivered in one of two ways: through web-based activity, such as 
drive-by downloads, or by email, similar to the way spam campaigns are conducted. 
The criminals behind these e-crime attacks are well organized, having a sophisticated malicious 
distribution network behind them. This plays out in a format where different attackers carry out 
different tasks. One group will focus on compromising computers, another will configure and 
administer those computers to carry out various malicious activities, while yet another will broker 
deals for renting the use of those compromised computers to other cybercriminals. 
Botnets and the Rental Market 
Cybercriminals involved in e-crime generally start out by working to get malware onto computers, 
turning them into “zombies” with the aim of adding them to larger networks of similarly compromised 
computers, called botnets, or “robot networks”. A botnet can be easily controlled from 
a central location, either through a command and control (C&C) server or a peer-to-peer (P2P) 
network. Zombie computers connected to the same C&C channels become part of the same botnet. 
Botnets are an extremely potent asset for criminals because they can be used for a wide variety of 
purposes, such as sending spam emails, stealing banking information, conducting distributed 
denial-of-service (DDoS) attacks against a website, or a variety of other malicious activities. They 
have also become a core tool for administering compromised computers that are rented to yet 
another third party for malicious purposes. 
Adding a computer to a botnet is generally just the first step. The attackers seek out other cybercriminals 
in the hope that they can lease the botnets for various purposes. This rental style gives 
the initial attacker a lot of leverage and flexibility concerning how they monetize and use the 
computers they’ve compromised and look after. Configurations can vary widely, focused on types of 
computers, regions, languages, or other features that the buyer is looking to gain access to. Prices 
also vary depending on the length of rental and the job for which the computers are to be used. 
For example, infections in some countries are considered more valuable than others. In the case 
of click fraud, an infection will create fake user clicks on advertisements to earn affiliate fees. 
American and UK computers tend to be preferred because pay-per-click advertisers in these 
countries will pay more. The same applies to banking Trojans, which are generally more focused on 
targeting Western bank accounts. 
The good news is that there were a number of takedowns that occurred in 2013. Of particular note 
are the efforts to take down the Bamital and ZeroAccess botnets. 
At a Glance 
• The criminals behind e-crime have set up sophisticated malicious distribution networks. 
• The monthly volume of ransomware has increased by over six times since the beginning of 2013. 
• Web attack toolkits continue to be a primary method for compromising computers, even with 
the arrest of the alleged creator of the Blackhole exploit kit in 2013. 
• The number of vulnerabilities disclosed has reached record levels in 
Fig. 1 
Malicious Activity by Source: Bots, 2012–2013 
Source: Symantec 
| Country/Region | 2013 Bots Rank | 2013 Bots % | 2012 Bots Rank | 2012 Bots % |
| --- | --- | --- | --- | --- |
| United States | 1 | 20.0% | 1 | 15.3% |
| China | 2 | 9.1% | 2 | 15.0% |
| Italy | 3 | 6.0% | 5 | 7.6% |
| Taiwan | 4 | 6.0% | 3 | 7.9% |
| Brazil | 5 | 5.7% | 4 | 7.8% |
| Japan | 6 | 4.3% | 6 | 4.6% |
| Hungary | 7 | 4.2% | 8 | 4.2% |
| Germany | 8 | 4.2% | 9 | 4.0% |
| Spain | 9 | 3.9% | 10 | 3.2% |
| Canada | 10 | 3.5% | 11 | 2.0% |
• Unsurprisingly, the US and China have the most densely populated bot populations, largely owing 
to their large Internet populations. The US population are avid users of the Internet, with 78 percent 
Internet penetration, but undoubtedly their keen use of the Internet contributes to their popularity 
with malware authors. China also has the largest population of Internet users in the Asia region, 
with 40 percent Internet penetration and accounting for approximately 50 percent of the Internet 
users in the Asia region.14 
• Italy has a lower percentage of bots in the country, but is ranked third highest in 2013, 
compared with fifth in 2012. 
• The US, Germany, Spain and Canada all increased their relative proportions of the world’s bots 
in 2013, while the proportions in the other geographies listed has 
Bamital was taken down in February, thanks to a cooperative effort on the part of Symantec, 
Microsoft, Spain’s Civil Guardia, and Catalunyan CERT (CESICAT). This botnet had been responsible 
for a significant amount of click-fraud traffic, generating upwards of three million clicks 
per day at its peak.13 To perform click fraud, the botnet would hijack the search results typed into 
compromised computers, redirecting the users to predetermined pay-per-click sites, with the goal 
of making money off those clicks. When a computer is used to perform click fraud, the user will 
rarely notice. The fraud consumes few computer resources to run, and at the most takes up extra 
bandwidth with the clicks. The attackers make money from pay-per-click advertisers and publishers, 
not from the user. This is in contrast with other forms of malware such as ransomware, where 
it is clear that an infection has occurred. A computer may be used in a click-fraud operation for 
an extended period of time, performing its activity invisibly during the daily operation of the 
The partial takedown during the year made a lasting impact on the operations of the ZeroAccess 
botnet. Symantec security researchers looking at the threat discovered a flaw in ZeroAccess that 
could allow them to sinkhole computers within the botnet. The operation succeeded in liberating 
approximately half a million ZeroAccess clients from the botnet network.15 
At that time, ZeroAccess was one of the larger botnets in existence, and one that used P2P communications 
to maintain links between clients. These types of P2P botnets tend to be quite large 
overall; Helios and Zbot (a.k.a. GameOver Zeus) are two other examples of large botnets that use 
similar communication mechanisms. It isn’t entirely clear if these botnets are big because they 
utilize P2P, or they utilize P2P because they’re big. However, using P2P for communications does 
make it more difficult to take down a botnet, given the lack of a centralized C&C server. 
Large botnets like Cutwail and Kelihos have made their presence felt in the threat landscape 
this year by sending out malicious attachments. The threats are generally like banking Trojans 
or downloaders, such as Downloader.Ponik and Downloader.Dromedan (also called Pony and 
Andromeda respectively), which download more malware. 
Trojan.Zbot (a.k.a. Zeus) continues to make an impact in the botnet world. Having its malicious 
payload based on easy-to-use toolkits has allowed Zbot to maintain its popularity with threat 
actors. In 2013 we’ve seen Zbot being packed in different ways and at different times in order to 
evade detection. These packing techniques appear almost seasonal in their approach to evading 
detection, but underneath it all it’s always the same Zeus code base.
Fig. 2 
Top-Ten Botnets, 2013 
Source: Symantec 
| Spam Botnet | Percentage of Botnet Spam | Estimated Spam Per Day | Top Sources of Spam From Botnet |
| --- | --- | --- | --- |
| KELIHOS | 46.90% | 10.41BN | Spain 8.4%, United States 7.2%, India 6.6% |
| CUTWAIL | 36.33% | 8.06BN | India 7.7%, Peru 7.5%, Argentina 4.8% |
| DARKMAILER | 7.21% | 1.60BN | Russia 12.4%, Poland 8.3%, United States 8.1% |
| MAAZBEN | 2.70% | 598.12M | China 23.6%, United States 8.2%, Russia 4.8% |
| DARKMAILER3 | 2.58% | 573.33M | United States 18.2%, France 10.4%, Poland 7.5% |
| UNKNAMED | 1.17% | 259.03M | China 35.1%, United States 10.0%, Russia 7.5% |
| FESTI | 0.81% | 178.89M | China 21.9%, Russia 5.8%, Ukraine 4.7% |
| DARKMAILER2 | 0.72% | 158.73M | United States 12.6%, Belarus 8.3%, Poland 6.6% |
| GRUM | 0.53% | 118.00M | Russia 14.5%, Argentina 6.9%, India 6.9% |
| GHEG | 0.35% | 76.81M | Poland 17.4%, Vietnam 12.1%, India 11.5% |
• 76 percent of spam was sent from spam botnets, down from 79 percent in 2012. 
• It is worth noting that while Kelihos is the name of a spam-sending botnet, Waledac is the name of the 
malware used to create it. Similarly, Cutwail is another spam-sending botnet and Pandex is the 
name of the malware involved.
Ransomware Over Time, 2013 
Source: Symantec 
[Chart: monthly ransomware figures, January to December 2013] 
Ransomware: When Data Becomes a Hostage to Fortune 
In October 2013, the US Federal Bureau of Investigation issued a warning about a new type of 
malware that had appeared. The threat, known as CryptoLocker, encrypted a victim’s documents 
and demanded payment in return for the decryption key. Two weeks later, the UK equivalent of the 
FBI, the National Crime Agency, also issued a public warning about CryptoLocker. It isn’t often that 
one piece of malware mobilizes law enforcement agencies across the world, and it is indicative of the 
level of panic created by CryptoLocker during 2013. 
Despite the hype, CryptoLocker is not a completely new malware. Instead it is the latest evolution of 
a family of threats known as ransomware. Ransomware first came to prominence a decade ago. The 
business model usually involves the victim’s computer being locked. Attackers demand a ransom in 
order to remove the infection. 
However, CryptoLocker has managed to capture the public imagination because it represents the 
perfect ransomware threat: It encrypts the user’s data and, unlike most malware infections, no fix 
can rescue it. CryptoLocker uses strong encryption, meaning the victim is left with the unpalatable 
choice of saying goodbye to their valuable personal data or paying the attackers a ransom fee. 
Symantec noticed a significant upsurge in the number of ransomware attacks during 2013. During 
January we stopped over 100,000 infection attempts. By December that number had risen more 
than six-fold. There was a noticeable uptick in detection from the month of July onwards, peaking in 
CryptoLocker first began to circulate in September, and while CryptoLocker detections grew quickly 
(by 30 percent in December alone), the number of definitive CryptoLocker detections is still a very 
small proportion of overall ransomware detections. For example, in December only 0.2 per cent 
(1 in 500) of all ransomware detections by Symantec was indisputably identified as CryptoLocker. 
• Monthly ransomware activity increased by 500 percent from 100,000 in January to 600,000 in 
December, increasing to six times its previous level. 
Fig. 3

Fig. 4 Browser-based ransomware threat, Browlock. 
However, this statistic only tells part of the story, and its prevalence may be higher. CryptoLocker is 
often blocked by intrusion prevention systems (IPS) which may simply identify it as generic ransomware 
rather than a specific variant. 
Ransomware, including CryptoLocker, continues to prove lucrative for attackers. Symantec research 
indicates that on average, 3 percent of infected users will pay the ransom. These figures tally with 
work done by other researchers.16 
Analysis by Symantec of the ransoms demanded by CryptoLocker infections indicates that most 
variants demand US$100 to $400 for a decryption key. This is roughly in line with the ransom 
amount demanded by other ransomware variants. Although CryptoLocker is a more effective threat, 
attackers have yet to take advantage of this by demanding larger ransoms. 
The amount of money being paid in ransom is difficult to assess; however, some efforts have been 
made to track payments made through Bitcoin. All Bitcoin transactions are logged as public record, 
and searching for Bitcoin addresses used to collect ransom can yield some insight. From the small 
number of Bitcoin addresses analyzed, it is clear that ransomware distributors have without a doubt 
earned tens of millions over the last year. 
Analysis of ransom amounts is complicated somewhat by the fact that many variants demand 
payment in Bitcoin. Our analysis of CryptoLocker ransom demands found that attackers generally 
seek between 0.5 and 2 Bitcoin. Lower ransom demands began appearing near the end of 2013. This 
reduction had less to do with any newfound altruism on the part of attackers and more to do with 
the soaring value of Bitcoin. The virtual currency was trading at just over US$100 when CryptoLocker 
first appeared in September. By December its value had increased to over US$1,000. 
This suggests that attackers have concluded that US$100 to $400 is the optimum ransom amount, 
and they will move to adjust their demand to avoid pricing themselves out of the market. Some 
attackers have also refined their ransom tactics by introducing a second, larger ransom of 10 Bitcoin 
for victims who miss the original 72-hour deadline. The attackers appear to have concluded that 
some potential opportunities were left unexploited by their original business model, with some 
victims willing to pay significant amounts for the return of valuable data. This higher ransom tier 
may also have the secondary purpose of exerting additional pressure on victims to pay within the 
Meanwhile, older ransomware attack techniques have started to seep into markets previously 
unexploited. More localized content, based on location data, has started to appear in Latin American 
countries. In many ways, this form of ransomware is similar to what has been seen in English-speaking 
countries in previous years. This is likely precipitated by the increasing 
availability of online payment providers in these regions. With easy options for payment, ransomware 
has begun to appear in these areas, with the Reveton and Urausy versions already having 
been discovered with Spanish variants. 
In the grand scheme of the threat landscape, ransomware does not make up a huge percentage of 
overall threats, but it clearly does serious damage, particularly to the victims who may not have 
backed up their data to begin with. In the future, new ransomware schemes may emerge. Since some 
groups have had success with it, others may jump on the bandwagon. Toolkits for creating these 
types of ransomware have been developed. Browser-based ransomware also began to appear near 
the end of the year, which uses JavaScript to prevent a user from closing the browser tab,17 and more 
of these ransomware-type scams will likely be seen in the future. 
Banking Trojans and Heists 
Banking Trojans are a fairly lucrative prospect for attackers. Today’s threats continue to focus 
on modifying banking sessions and injecting extra fields in the hope of either stealing sensitive 
banking details or hijacking the session. Some of the more common banking Trojans include 
Trojan.Tiylon18 and a variant of the Zbot botnet, called Gameover Zeus. Symantec’s State of Financial 
Trojans 2013 whitepaper19 concluded that in the first three quarters of 2013, the number of banking 
Trojans tripled. More than half of these attacks were aimed at the top 15 financial institutions, 
though over 1,400 institutions have been targeted in 88 countries. While browser-based attacks are 
still common, mobile threats are also used to circumvent authentication through SMS messages, 
where the attacker can intercept text messages from the victim’s bank. 
The most common form of attack continues to be financial Trojans which perform a 
Man-In-The-Browser (MITB) attack on the client’s computer during an online banking session. Symantec 
analyzed 1,086 configuration files of 8 common financial Trojans. The malware was configured to 
scan for URLs belonging to 1,486 different organizations. All of the top 15 targeted financial institutions 
were present in more than 50 percent of the analyzed configuration files. 
In addition to those attacks, Symantec observed an increase in hardware-supported attacks in 2013. 
Besides the still popular skimming attacks, a new piece of malware was discovered named 
Backdoor.Ploutus which targeted ATMs. Initially discovered in Mexico, the malware soon spread to other 
countries, with English versions emerging later. 
The malware allows for criminals to effectively empty infected ATMs of cash. The malware is 
applied to the ATM by physically inserting a malicious CD-ROM and causing the machine to boot 
from it. While booting, the malware is installed onto the system. The attacker can then use specific 
key combinations on the keypad to interact with the malware and initiate the ultimate goal – to 
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On

Learn if you’ve got the right security strategy, and investment plan, to protect your organization and ensure regulatory compliance with the General Data Protection Regulation (GDPR). Watch now here:

gdpreu gdprgeneral data protection regulation
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019

The document appears to be a report on internet security threats in 2019. It discusses the rise of cryptojacking malware infecting apps on the Microsoft Store and notes that cryptojacking was patched in April 2018. It also discusses a supply chain attack on Ticketmaster that resulted in formjacking. The report examines the underground economy fueled by criminal hacking and estimates underground cybercrime profits to be over $1.5 billion for 2018 alone. It provides statistics on stolen credit card numbers and estimates criminals could earn over $2.2 million per month selling access to stolen credit cards on just 10 websites.

cybersecuritycyber threatsransom ware
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines

Download AWS Security Best Practices Guide with Cloud Configuration Checklist

cloud securitypublic cloud securitysecurity for public cloud workloads
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government Sector

Recommended for you

Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...

The document discusses building a zero trust program on a solid platform. It emphasizes that a zero trust approach requires considering six interrelated areas: data, networks, workloads, devices, people/workforce, and analytics & automation. A platform that integrates capabilities across these areas provides improved security outcomes, reduces complexity, and simplifies automation compared to a fragmented approach. The document uses Symantec's integrated cyber defense platform as an example and demonstrates how it can operationalize zero trust strategies.

zero trustcybersecurityinformation security
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...

First-hand insights on the newest cloud-delivered endpoint security solutions. Hear from Joakim Liallias, Symantec and special guest speakers Sundeep Vijeswarapu from PayPal and top industry analyst Fernando Montenegro, 451 Research. Listen here:

endpoint securitycloud securitycybersecurity
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear

Learn how Symantec Endpoint Protection & Response (EDR) and the MITRE ATT&CK framework can expose and thwart persistent adversaries like APT28 otherwise known as Fancy Bear. Watch Webinar here:

cybersecuritycyber threats
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government Sector
Symantec's Internet Security Threat Report for the Government Sector

Recommended for you

Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
Cisco Security
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Analyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - ChinaAnalyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - China
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
5 main trends in cyber security for 2020
5 main trends in cyber security for 20205 main trends in cyber security for 2020
5 main trends in cyber security for 2020
Agnieszka Guźniczak-Beim
B istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usB istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-us
Комсс Файквэе
Mobile malware and enterprise security v 1.2_0
Mobile malware and enterprise security v 1.2_0Mobile malware and enterprise security v 1.2_0
Mobile malware and enterprise security v 1.2_0
Javier Gonzalez

What's hot (20)

RSA 2013 Session: Mobile Security Smackdown: How Government “Pwned” The Priva...
RSA 2013 Session: Mobile Security Smackdown: How Government “Pwned” The Priva...RSA 2013 Session: Mobile Security Smackdown: How Government “Pwned” The Priva...
RSA 2013 Session: Mobile Security Smackdown: How Government “Pwned” The Priva...
5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector5 Cybersecurity threats in Public Sector
5 Cybersecurity threats in Public Sector
Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19
Axxera End Point Security Protection
Axxera End Point Security ProtectionAxxera End Point Security Protection
Axxera End Point Security Protection
RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014
Topsec email security 2016
Topsec email security 2016Topsec email security 2016
Topsec email security 2016
[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the world[Infographic] 7 Cyber attacks that shook the world
[Infographic] 7 Cyber attacks that shook the world
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention
Enabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMSEnabling a Zero Trust strategy for SMS
Enabling a Zero Trust strategy for SMS
Data security for healthcare industry
Data security for healthcare industryData security for healthcare industry
Data security for healthcare industry
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
ISTR Volume 18
ISTR Volume 18ISTR Volume 18
ISTR Volume 18
Cisco 2014 Midyear Security Report
Cisco 2014 Midyear Security ReportCisco 2014 Midyear Security Report
Cisco 2014 Midyear Security Report
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Symantec Internet Security Threat Report 2011 Trends Volume 17 April 2012
Analyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - ChinaAnalyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - China
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
5 main trends in cyber security for 2020
5 main trends in cyber security for 20205 main trends in cyber security for 2020
5 main trends in cyber security for 2020
B istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usB istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-us
Mobile malware and enterprise security v 1.2_0
Mobile malware and enterprise security v 1.2_0Mobile malware and enterprise security v 1.2_0
Mobile malware and enterprise security v 1.2_0

Similar to Symantec's Internet Security Threat Report for the Government Sector

Istr19 en
Istr19 enIstr19 en
Istr19 en
Anjoum .
Internet security threat report 2013
Internet security threat report 2013Internet security threat report 2013
Internet security threat report 2013
Karim Shaikh
Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015
Waqas Amir
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security report
Marco Antonio Agnese
Ken Spencer Brown
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence Index
Andreanne Clarke
IBM X Force threat intelligence quarterly 1Q 2014
IBM X Force threat intelligence quarterly 1Q 2014IBM X Force threat intelligence quarterly 1Q 2014
IBM X Force threat intelligence quarterly 1Q 2014
IBM Software India
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
GGV Capital
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
Kim Jensen
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
2013 Threat Report
2013 Threat Report2013 Threat Report
2013 Threat Report
Envision Technology Advisors
Cyber Security Report 2019
Cyber Security Report 2019Cyber Security Report 2019
Cyber Security Report 2019
Omar Bshara
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
Erik Ginalick
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
Why is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economyWhy is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economy
Mark Albala
Combating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced AnalyticsCombating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced Analytics
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwc
Mert Akın

Similar to Symantec's Internet Security Threat Report for the Government Sector (20)

Istr19 en
Istr19 enIstr19 en
Istr19 en
Internet security threat report 2013
Internet security threat report 2013Internet security threat report 2013
Internet security threat report 2013
Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015Symantec Internet Security Threat Report Volume 2015
Symantec Internet Security Threat Report Volume 2015
2016 trustwave global security report
2016 trustwave global security report2016 trustwave global security report
2016 trustwave global security report
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence Index
IBM X Force threat intelligence quarterly 1Q 2014
IBM X Force threat intelligence quarterly 1Q 2014IBM X Force threat intelligence quarterly 1Q 2014
IBM X Force threat intelligence quarterly 1Q 2014
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
Websense 2013 Threat Report
Websense 2013 Threat ReportWebsense 2013 Threat Report
Websense 2013 Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat ReportTECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
TECHNICAL WHITE PAPER▶ Symantec Website Security Threat Report
2013 Threat Report
2013 Threat Report2013 Threat Report
2013 Threat Report
Cyber Security Report 2019
Cyber Security Report 2019Cyber Security Report 2019
Cyber Security Report 2019
Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112Five Network Security Threats And How To Protect Your Business Wp101112
Five Network Security Threats And How To Protect Your Business Wp101112
5 network-security-threats
5 network-security-threats5 network-security-threats
5 network-security-threats
Why is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economyWhy is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economy
Combating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced AnalyticsCombating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced Analytics
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwc

More from Symantec

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear

More from Symantec (20)

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear

Recently uploaded

20240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 202420240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 2024
Matthew Sinclair
What's New in Copilot for Microsoft365 May 2024.pptx
What's New in Copilot for Microsoft365 May 2024.pptxWhat's New in Copilot for Microsoft365 May 2024.pptx
What's New in Copilot for Microsoft365 May 2024.pptx
Stephanie Beckett
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
20240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 202420240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 2024
Matthew Sinclair
Cookies program to display the information though cookie creation
Cookies program to display the information though cookie creationCookies program to display the information though cookie creation
Cookies program to display the information though cookie creation
20240702 Présentation Plateforme GenAI.pdf
20240702 Présentation Plateforme GenAI.pdf20240702 Présentation Plateforme GenAI.pdf
20240702 Présentation Plateforme GenAI.pdf
Sally Laouacheria
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
Observability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetryObservability For You and Me with OpenTelemetry
Observability For You and Me with OpenTelemetry
Eric D. Schabell
Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...
BookNet Canada
DealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 editionDealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 edition
Yevgen Sysoyev
WPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide DeckWPRiders Company Presentation Slide Deck
WPRiders Company Presentation Slide Deck
Lidia A.
Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of TimeQuality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
Aurora Consulting
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Chris Swan
Password Rotation in 2024 is still Relevant
Password Rotation in 2024 is still RelevantPassword Rotation in 2024 is still Relevant
Password Rotation in 2024 is still Relevant
Bert Blevins
20240704 QFM023 Engineering Leadership Reading List June 2024
20240704 QFM023 Engineering Leadership Reading List June 202420240704 QFM023 Engineering Leadership Reading List June 2024
20240704 QFM023 Engineering Leadership Reading List June 2024
Matthew Sinclair
Mitigating the Impact of State Management in Cloud Stream Processing Systems
Mitigating the Impact of State Management in Cloud Stream Processing SystemsMitigating the Impact of State Management in Cloud Stream Processing Systems
Mitigating the Impact of State Management in Cloud Stream Processing Systems

Recently uploaded (20)

20240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 202420240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 2024
What's New in Copilot for Microsoft365 May 2024.pptx
What's New in Copilot for Microsoft365 May 2024.pptxWhat's New in Copilot for Microsoft365 May 2024.pptx
What's New in Copilot for Microsoft365 May 2024.pptx
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
20240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 202420240705 QFM024 Irresponsible AI Reading List June 2024
20240705 QFM024 Irresponsible AI Reading List June 2024
Cookies program to display the information though cookie creation
Cookies program to display the information though cookie creationCookies program to display the information though cookie creation
Cookies program to display the information though cookie creation
20240702 Présentation Plateforme GenAI.pdf
20240702 Présentation Plateforme GenAI.pdf20240702 Présentation Plateforme GenAI.pdf
20240702 Présentation Plateforme GenAI.pdf
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Pigging Solutions Sustainability brochure.pdf

Symantec's Internet Security Threat Report for the Government Sector

  • 1. 2013 Trends, Volume 19, Published April 2014 INTERNET SECURITY THREAT REPORT GOVERNMENT 2014
  • 4. Introduction
    Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.
    In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 60,000 recorded vulnerabilities (spanning more than two decades) from over 19,000 vendors representing over 54,000 products.
    Spam, phishing, and malware data is captured through a variety of sources including the Symantec Probe Network, a system of more than 5 million decoy accounts, and a number of other Symantec security technologies. Skeptic™, the proprietary heuristic technology, is able to detect new and sophisticated targeted threats before they reach customers’ networks. Over 8.4 billion email messages are processed each month and more than 1.7 billion web requests filtered each day across 14 data centers. Symantec also gathers phishing information through an extensive anti-fraud community of enterprises, security vendors, and more than 50 million consumers.
    Symantec Trust Services provides 100 percent availability and processes over 6 billion Online Certificate Status Protocol (OCSP) look-ups per day, which are used for obtaining the revocation status of X.509 digital certificates around the world. These resources give Symantec analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam.
    The result is the annual Symantec Internet Security Threat Report, which gives enterprises, small businesses, and consumers essential information to secure their systems effectively now and into the future.
  • 5. Executive Summary
    One of the major challenges for government in 2013 has been how to prepare for attacks against the supply chain that have increased in sophistication throughout the year. In the last ISTR, Symantec identified a growing shift towards highly targeted malware attacks being sent in email to small-to-medium-sized businesses, which now appears to have reached a plateau. Moreover, although the overall volume of such email-based attacks has returned to 2011 levels, they have become much more subtle and harder to identify without the right technology in place.
    The frontline in these attacks is still moving along the supply chain; meanwhile, large enterprises may be targeted through web-based “watering-hole” attacks should email-based spear-phishing attacks fail to yield the desired results.
    For the past decade, the threat landscape has been very aware of highly targeted attacks, most notably the carefully targeted spear-phishing emails that rely on sophisticated social engineering as well as state-of-the-art malware; however, this landscape is shifting and the nature of the attacks is less defined by their tactics, and more by their outcome. So when we narrow our focus on only the email aspect of targeted attacks, we may be blind to the other means by which breaches occur, such as the use of social media and watering-hole attacks.
    The most important trends in 2013 were:
    Data Breaches, Privacy and Trust
    With privacy issues and data breach revelations dominating the headlines not only in the industry media, but also in the mainstream press, 2013 has sounded a loud clarion call for people and businesses to take a more serious look at their online information, and to keep it private and secure.
    The headlines in 2013 were not only peppered by the revelations about how governments were keeping track of their citizens online, but also increasingly dominated by the large number of data breaches and even larger volume of identities being leaked. In 2013, the number of data breach incidents increased by 62 percent since 2012, with the number of online identities being exposed growing by as much as five times. It’s no longer a matter of having a secure password, but who you trust to keep your credentials safe and secure.
    The number of incidents that resulted in 10 million or more identities being exposed was eight, compared with five in 2012. The most common cause of breach incidents was hacking, which was the reason for 35 percent of the incidents recorded in the Norton Cybercrime Index for 2013. Moreover, accidental disclosure and theft or loss of a device were close behind, making up 28 and 27 percent of breaches, respectively.
    Fundamentally, the number of breach incidents is higher than ever before, and the challenge for organizations and individuals alike is to make sure they do not become counted in the next wave of statistics. Among the greatest concerns is who has access to sensitive data, and how that data may be used. A security breach at a major organization may have serious consequences not only for itself but also for its customers; personal information stolen in an online hack may later be used in the commission of fraud or to gain unauthorized access to online accounts.
    As a result, the adoption of encryption technology is likely to grow in 2014/15, not only for use in securing data on devices, but also for securing online transactions. The use of personal VPNs is already growing, as concerned users become wary about the traffic that may be exposed through their Wi-Fi hotspot.
  • 6. Executive Summary
    VPNs are not new, but they have traditionally been the preserve of businesses seeking to safeguard their employees’ data when working remotely. Newer and faster encryption protocols will also be in demand, so even if your data is exposed or your device falls into the wrong hands, you can be assured that it cannot be exploited by the criminals.
    The Value of Data
    The threat from governments potentially gathering our personal data in the routine business of safeguarding our national security was a major concern to many individuals and businesses. In 2013 the value of our data was also being challenged by cybercriminals, who were escalating the stakes to see how much financial value we put on our own data. Ransomware-type malware volumes increased by 500 percent from 100,000 to over 600,000 by the end of the year, an increase of over six times its previous level.
    As more and more personal data is online and in the cloud than ever before and consumers are sharing more data with each other, businesses and governments have to routinely handle massive quantities of personal information safely. But do the owners of this data take sufficient protective measures to safeguard the data on their own computers and devices? Cybercriminals are increasingly seeing the value of this information for financial crime, identity theft, and other acts of fraud.
    Personal data is a very attractive commodity for cybercriminals, who have developed business models to sell them. Huge amounts of personal data are being harvested and sold to other malicious parties, including names, addresses, social security numbers, health insurance details, and credit card information.
    One of the biggest breaches this year was caused by an attack against a major retailer’s point of sale (PoS) system. These systems handle customer transactions through cash or credit cards. When a customer swiped their credit or debit card at a PoS system, their data was sent through the company’s networks in order to reach the payment processor. Depending on how the system was set up, attackers could take advantage of a number of flaws within these networks to ultimately steal their targeted data.
    Targeted Spear-Phishing Emails
    In 2012, we saw increasing numbers of targeted attacks using email, but when these attacks were thwarted the attackers would intensify their volume, perhaps change the social engineering, or change the exploits, or even adapt the malware. But in 2013, if a spear-phishing attack was unsuccessful, after a few attempts the attacker may be more likely to shift to a different tactic altogether such as a watering hole attack, or baiting the intended target by seeking to connect with them over social media.
    The largest percentage of email-based spear-phishing attacks overall was still being directed at large enterprises (comprised of over 2,500 employees) at 39 percent compared with 50 percent in 2012. The industry sector most targeted in 2013 was Government and Public Sector (a.k.a. Public Administration), which accounted for 16 percent of all targeted spear-phishing email attacks blocked in 2013, compared with 12 percent in 2012.
    In 2013, targeted email attacks aimed at Small Businesses (1-250) accounted for 30 percent of all such attacks blocked by the company, compared with 31 percent in 2012 and 18 percent in 2011. Despite the overall average being almost unchanged, the trend through the year reveals that the proportion of attacks against small businesses has increased throughout the year, peaking at 53 percent in November.
    Watering-Hole Attacks and Exploiting Zero-Day Vulnerabilities
    Watering-hole attacks were first described in the 2012 Symantec Internet Security Threat Report (ISTR), and as a threat they can be among the most dangerous. Watering holes are legitimate websites that have been compromised, but not by cybercriminals who have planted a traditional web-attack toolkit, such as Blackhole or Cool Exploit Kit; rather these websites are trapped with exploits for as yet undiscovered zero-day vulnerabilities. Once these exploits are discovered and the vulnerabilities patched, the perpetrators will quickly adapt by using another exploit for another zero-day.
    As these attacks rely on zero-day vulnerabilities in order to go undiscovered, it is all the more worrying to report an increase in the number of zero-day vulnerabilities from 14 in 2012 to 23 in 2013. There were more zero-day vulnerabilities discovered in 2013 than in any previous year since Symantec began tracking them, and more than the past two years combined.
  • 7. Executive Summary
    For 2013 the majority of attacks using zero-day vulnerabilities focused on Java. Not only did Java hold the top three spots in exploited zero-day vulnerabilities, it was responsible for 97 percent of attacks that used zero-day vulnerabilities after they were disclosed. When looking at the top five zero-day vulnerabilities, the average exposure window between disclosure and an official patch was 3.8 days, comprising a total of 19 days where users were left exposed.
    Compromising a legitimate website may seem to be a challenge for many, but vulnerability scans of public websites carried out in 2013 by Symantec’s Website Security Solutions division found that 77 percent of websites contained vulnerabilities. Of these, 16 percent were classified as critical vulnerabilities that could allow attackers to access sensitive data, alter the website’s content, or compromise visitors’ computers. This means that when an attacker looks for a site to compromise, one in eight sites makes it relatively easy to gain access.
    Social Networking and Mobile Threats
    Some of the most popular applications used on mobile devices are for social networking, and as the various social networking sites vie for our attention, new ones continue to emerge. These are quickly adopted by teenagers and young adults, who have little sense of loyalty to some of the more established networks, which are increasingly being dominated by the older generations and their parents.
    In 2013, cybercriminals have sought to exploit the data we share online through social media, and as these sites become increasingly interconnected the security of our data and personal information online becomes more important than ever. Fake offers dominated the social media landscape in 2013, making up 81 percent of all social media related attacks, up from 56 percent in 2012.
    Furthermore, the greatest risk for a compromised mobile device was being spied on; this tactic was found in 60 percent of mobile threats in 2013 compared with 20 percent in 2012. Approximately 36 percent of malware was designed to steal data in 2013, compared with 46 percent in 2012. The individual can be spied on through the collection of SMS messages or phone call logs, tracking GPS coordinates, recording phone calls, or by gathering photos and video taken with the device.
    Social networking also has an important role to play in the social engineering tactics employed in some targeted attacks, and not only by the cybercriminals as revealed in some of the documents published by Edward Snowden in 2013. For example, a potential target may be exposed to a malicious social media profile that could result in malware being deployed on their computer. Social media also enables a potential attacker to find out who works for a targeted organization using professional social networking sites, such as LinkedIn. IT and network administrators may be the most attractive targets because of the type of privileged information they may have access to, due to the nature of their roles. It’s through these and other means that watering-hole attacks could be expected to take the place of the more traditional email-based attacks.
    Internet of Things
    There has been much talk of the “Internet of Things” (or IoT) in 2013, and the first signs of attacks intended for these emerging technologies appeared in 2013. The IoT is the name given to the idea that more devices are being connected to the Internet beyond the traditional computers: consoles, tablets and mobile devices, smart TVs and refrigerators, cameras, home security systems, and baby monitors.
    IoT is the way the Internet is moving, and people are as likely to become connected through tablets and smartphones as laptops and PCs, and more people will be watching TV streamed across the Internet into their living rooms rather than on their computers. As the popularity of these previously “dumb” devices increases, so will the attention they garner from security researchers. As vulnerabilities are discovered in recently-innovated internet-enabled devices, the challenge of applying patches to fix them will grow.
    E-crime
    In 2013 much of the efforts of cybercriminals were narrowed to carving out particular areas of focus for e-crime related activities. These criminals found themselves with a great deal to choose from; some administered web attack toolkits while others rented out botnets to third parties. Spam campaigns shifted further away from the traditional pharmaceutical spam, exploiting people’s desires and needs with more adult-orientated spam.
    Ransomware, which grew by 500 percent (an increase of six times) in 2013, was perhaps the most notable and brazen growth area in 2013. Cybercriminals directly extorted money from users by holding their personal data as hostage for ransom, and even adopting alternative and anonymous payment systems such as Bitcoin.
  • 8. 2013 SECURITY TIMELINE
  • 9. 2013 Security Timeline
    January
    • Elderwood Project found using new Internet Explorer Zero-Day Vulnerability (CVE-2012-4792)
    • Java Zero-Day found in Cool Exploit Kit (CVE-2013-0422)
    • Android.Exprespam potentially infects thousands of devices
    • Backdoor.Barkiofork used to target Aerospace and Defense industries
    February
    • Bamital botnet taken down
    • Adobe zero-day used in “LadyBoyle” attack (CVE-2013-0634)
    • Cross-platform toolkit for creating the remote access tool (RAT) “Frutas” discovered
    • Fake Adobe Flash update discovered installing ransomware and performing click fraud
    • Bit9 suffers security breach, code-signing SSL certificates stolen
    March
    • Android Malware spams victims’ contacts
    • “Facebook Black” scam spreads on Facebook
    • Blackhole Exploit Kit takes advantage of financial crisis in Cyprus
    • Several South Korean banks and local broadcasting organizations impacted by cyber attack
    April
    • #OpIsrael hacktivism campaign targets Israeli websites
    • NPR, Associated Press, and various Twitter accounts hacked by Syrian Electronic Army (SEA)
    • Distributed Denial of Service attacks hit Reddit and European banks
    • WordPress plugin vulnerability discovered, allowing PHP injection
    • LivingSocial resets passwords for 50 million accounts after data breach
    May
    • A US Department of Labor website becomes victim of a watering-hole attack
    • Cybercriminals steal more than $1 million from a Washington state hospital
    • SEA hacks Twitter accounts of The Onion, E! Online, The Financial Times, and Sky
    • New Internet Explorer 8 Zero-Day Vulnerability used in watering-hole attack (CVE-2012-4792)
    • #OpUSA hacktivism campaign launches against US websites
    • Seven men were arrested in New York in connection with their role in international cyber attacks which resulted in theft of $45 million across 26 different countries
    June
    • Microsoft and FBI disrupt Citadel botnets
    • A surveillance scandal emerges in the United States, as a former Government security contractor releases classified documents
    • Zero-day vulnerability found in most browsers across PC, Mac, mobile, and game consoles
    • Anonymous launches #OpPetrol attack on international oil and gas companies
    • 65 websites compromised to host malicious ads with ZeroAccess Trojan
    • FakeAV discovered on Android phones
    July
    • Ubisoft hacked: user account information stolen
    • France caught up in PRISM scandal as data snooping allegations emerge
    • New exploit kit targets flaws in Internet Explorer, Java, and Adobe Reader
    • FBI-style ransomware discovered targeting OSX computers
    • Android Master Key vulnerability used in the wild
    • Viber and Thomson Reuters latest victims of SEA attacks
  • 10. 2013 Security Timeline
    August
    • Channel 4 blog, New York Post, SocialFlow, Washington Post, New York Times, impacted by SEA attacks
    • DNS hijack caused thousands of sites to redirect users to exploit kit
    • Two new ransomware scams found: One that changes Windows login credentials on Chinese systems, another that takes advantage of the NSA PRISM controversy
    • Fake ‘Instagram for PC’ leads to survey scam
    • Attackers targeted banks’ wire payment switch to steal millions
    • Francophoned social engineering ushers in a new era of targeted attacks
    September
    • Syrian Electronic Army compromises US Marine Corps’ website, Fox Twitter accounts, supposedly using Mac Trojan
    • ATMs discovered that dispense cash to criminals
    • Ransomware called “Cryptolocker” surfaces that encrypts victims’ files and demands payment to decrypt them
    • Symantec lifts lid on professional hackers-for-hire group Hidden Lynx
    • Belgian telecom compromised in alleged cyber espionage campaign
    • Symantec Security Response sinkholes ZeroAccess botnet
    October
    • The Silk Road marketplace taken offline, resurfaces by end of month
    • SEA attacks GlobalPost and Qatar websites, US Presidential staff emails
    • Adobe confirms security breach, 150 million identities exposed
    • Blackhole and Cool Exploit Kit author arrested
    • WhatsApp, AVG, Avira defaced by hacker group KDMS
    • New ransomware demands Bitcoins for decryption key
    November
    • Second Android master key vulnerability discovered
    • Microsoft zero-day vulnerability being used in targeted attacks and e-crime scams (CVE-2013-3906)
    • SEA hacks in retaliation for article that supposedly names members
    • Anonymous claims to have hacked UK Parliament Wi-Fi during London protest
    • Linux worm that targets “Internet of Things” discovered
    • Target confirms data breach leading to the exposure of 110 million identities
    December
    • Data of 20 million Chinese hotel guests leaked
    • Cross-site scripting vulnerability found in wind turbine control application
    • Imitation versions of Cryptolocker discovered, attempt to capitalize on original’s success
    • 105 million South Korean accounts exposed in credit card security breach
  • 11. 2013 IN NUMBERS
  • 12. 2013 IN NUMBERS: Breaches
    Breaches With More Than 10 Million Identities Exposed: 8 in 2013, 1 in 2012 (+700%)
    Top-Ten Types of Information Breached
    01 Real Names
    02 Birth Dates
    03 Government ID Numbers (Social Security)
    04 Home Address
    05 Medical Records
    06 Phone Numbers
    07 Financial Information
    08 Email Addresses
    09 User Names & Passwords
    10 Insurance
    • Mega Breaches were data breach incidents that resulted in the personal details of at least 10 million identities being exposed in an individual incident. There were eight in 2013, compared with only one in 2012.
  • 13. 2013 IN NUMBERS: Breaches
    Total Breaches: 253 in 2013, 156 in 2012 (+62%)
    Total Identities Exposed: 552 million in 2013, 93 million in 2012 (+493%)
    Average Identities Exposed / Breach: 2,181,891 in 2013, 604,826 in 2012 (+261%)
    Median Identities Exposed / Breach: 6,777 in 2013, 8,350 in 2012 (-19%)
    • Hacking continued to be the primary cause of data breaches in 2013. Hacking can undermine institutional confidence in a company, exposing its attitude to security, and the loss of personal data in a highly public way can result in damage to an organization’s reputation. Hacking accounted for 34 percent of data breaches in 2013.
    • In 2013, there were eight data breaches that netted hackers 10 million or more identities, the largest of which was a massive breach of 150 million identities. In contrast, 2012 saw only one breach larger than 10 million identities.
    • Although the overall average size of a breach has increased, the median number of identities stolen has actually fallen from 8,350 in 2012 to 6,777 in 2013. Using the median can be helpful in this scenario since it ignores the extreme values caused by the notable, but rare events that resulted in the largest numbers of identities being exposed.
  • 14. 2013 IN NUMBERS: Spam
    Overall Email Spam Rate: 66% in 2013, 69% in 2012 (-3% pts)
    Estimated Global Email Spam Volume / Day: 29 billion in 2013, 30 billion in 2012 (-3%)
    Pharmaceutical Email Spam: 18% in 2013, 21% in 2012 (-3% pts)
    Adult / Sex / Dating Email Spam: 70% in 2013, 55% in 2012 (+15% pts)
    • Approximately 76 percent of spam email was distributed by spam-sending botnets, compared with 79 percent in 2012. Ongoing actions to disrupt a number of botnet activities during the year have helped to contribute to this gradual decline.
    • In 2013, 87 percent of spam messages contained at least one URL hyperlink, compared with 86 percent in 2011, an increase of 1 percentage point.
    • Adult Spam dominated in 2013, with 70 percent of spam related to adult content. These are often email messages inviting the recipient to connect to the scammer through instant messaging, or a URL hyperlink where they are then typically invited to a pay-per-view adult-content web cam site. Often a bot responder, or a person working in a low-pay, offshore call center would handle any IM conversation.
  • 15. 2013 IN NUMBERS: Bots, Email
    Number of Bots: 2.3 million in 2013, 3.4 million in 2012 (-33%)
    Email Malware as URL: 25% in 2013, 23% in 2012 (+2% pts)
    Email Virus Rate (smaller number = greater risk): 1 in 196 in 2013, 1 in 291 in 2012
    Email Phishing Rate (smaller number = greater risk): 1 in 392 in 2013, 1 in 414 in 2012
    • Bot-infected computers, or bots, are counted if they are active at least once during the period. Of the bot-infected computer activities that Symantec tracks, they may be classified as actively-attacking bots or bots that send out spam, i.e. spam zombies. During 2013, Symantec struck a major blow against the ZeroAccess botnet. With 1.9 million computers under its control, it is one of the larger botnets in operation at present. ZeroAccess has been largely used to engage in click fraud to generate profits for its controllers.
    • In 2013, more email-borne malware comprised hyperlinks that referenced malicious code, an indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the web.
    • 71 percent of phishing attacks were related to spoofed financial organizations, compared with 67 percent in 2012. Phishing attacks on organizations in the Information Services sector accounted for 22 percent of phishing attacks in 2013.
  • 16. 2013 IN NUMBERS: Mobile
    Android Mobile Malware Families: 57 in 2013, 103 in 2012 (-45%)
    Average Number of Variants Per Family: 57 in 2013, 38 in 2012 (+50%)
    Total Android Mobile Malware Variants: 3,262 in 2013, 3,783 in 2012 (-14%)
    Mobile Vulnerabilities: 127 in 2013, 416 in 2012 (-69%)
    • Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile application (“app”) marketplaces in the hope that users will download and install them, often trying to pass themselves off as legitimate apps or games.
    • Attackers have also taken popular legitimate applications and added additional code to them. Symantec has classified the types of threats into a variety of categories based on their functionality.
    • Symantec tracks the number of threats discovered against mobile platforms by tracking malicious threats identified by Symantec’s own security products and confirmed vulnerabilities documented by mobile vendors.
  • 17. 2013 IN NUMBERS: Web
    New Unique Malicious Web Domains: 56,158 in 2013, 74,001 in 2012, 55,000 in 2011 (-24%)
    Web Attacks Blocked Per Day: 568,700 in 2013, 464,100 in 2012, 190,000 in 2011 (+23%)
    • Approximately 67 percent of websites used to distribute malware were identified as legitimate, compromised websites.
    • 10 percent of malicious website activity was classified in the Technology category, 7 percent was classified in the Business category and 5 percent was classified as Hosting.
    • 73 percent of browser-based attacks were found on Anonymizer proxy websites; similarly, 67 percent of attacks found on Blogging websites involved browser-based exploits.
  • 18. 2013 IN NUMBERS: Targeted Attacks – Spear Phishing
    • Targeted attacks aimed at Small Businesses (1-250) accounted for 30 percent of targeted spear-phishing attacks. 1 in 5 small business organizations was targeted with at least one spear-phishing email in 2013.
    • 39 percent of targeted spear-phishing attacks were sent to Large Enterprises comprising over 2,500 employees, 1 in 2 of which were targeted with at least one such attack.
    • The frontline in these attacks is moving along the supply chain and large enterprises may be targeted through web-based watering-hole attacks should email-based spear-phishing attacks fail to yield the desired results.
    Spear-Phishing Attacks by Business Size and Risk of Being Targeted
    • Large Enterprises (2,501+ employees): 50% in 2012, 39% in 2013; risk of being targeted in 2013: 1 in 2.3
    • Medium Business (251 to 2,500): 19% in 2012, 31% in 2013
    • Small Business (SMB) (1 to 250): 31% in 2012, 30% in 2013; risk of being targeted in 2013: 1 in 5.2
  • 19. 2013 IN NUMBERS: Targeted Attacks – Spear Phishing
    Industries at Greatest Risk of Being Targeted by Spear Phishing
    • Mining: 1 in 2.7
    • Public Administration (Gov.): 1 in 3.1
    • Manufacturing: 1 in 3.2
    Top Industries Attacked by Spear Phishing
    • Public Administration (Government): 16%
    • Services – Professional: 15%
    • Services – Non-Traditional: 14%
    • Approximately 1 in 3 organizations in the Mining, Public Administration and Manufacturing sectors were subjected to at least one targeted spear-phishing attack in 2013.
    • The Government and Public Sector (a.k.a. Public Administration) accounted for 16 percent of all targeted spear-phishing email attacks blocked in 2013, compared with 12 percent in 2012.
  • 20. 2013 IN NUMBERS: Targeted Attacks – Spear Phishing
    Spear-Phishing Email Campaigns
    • Campaigns in 2013: 779 (+91%)
    • Recipients Per Campaign: 23 (-79%)
    • Attacks Per Campaign: 29 (-76%)
    • Average Time of Campaign: 8 days (3x longer than 2012)
    Spear-Phishing Emails Per Day: 83 in 2013, 116 in 2012 (-28%)
    • Attackers may target both the personal and professional email accounts of individuals concerned; a target’s work-related account is likely to be targeted more often and is known as spear phishing.
    • Over the past decade, an increasing number of users have been targeted with spear-phishing attacks and the social engineering has grown more sophisticated over time.
    • In 2013 the volume and intensity of these attacks had changed considerably from the previous year, prolonging the duration over which a campaign may last, rather than intensifying the attacks in one or two days as had been the case previously. Consequently, the number of attacks seen each day has fallen and other characteristics of these attacks suggest this may help to avoid drawing attention to an attack campaign that may be underway.
  • 21. p. 21 2013 IN NUMBERS: Targeted Attacks – Spear Phishing
[Figure: Spear-Phishing Email Cloud. Most commonly used words in spear-phishing attacks.]
• This word cloud shows the most frequently occurring words that have been used in targeted spear-phishing email attacks throughout 2013. The larger the size of the font, the more frequently that word was used.
  • 22. p. 22 2013 IN NUMBERS: Targeted Attacks – Web-Based
[Chart: Scanned Websites With Vulnerabilities: 53% in 2012, 77% in 2013 (+25% pts). Of which critical: 24% in 2012, 16% in 2013 (-8% pts). New vulnerabilities: 5,291 in 2012, 6,787 in 2013 (+28%). SSL and TLS protocol renegotiation vulnerabilities were most commonly exploited. 1 in 8 sites had critical unpatched vulnerabilities.]
• Attackers generally have to find and exploit a vulnerability in a legitimate website in order to gain control and plant their malicious payload within the site. Compromising a legitimate website may seem to be a challenge for many, but vulnerability scans of public websites carried out in 2013 by Symantec’s Website Vulnerability Assessment Services found that 77 percent of sites contained vulnerabilities.
• Of these, 16 percent were classified as critical vulnerabilities that could allow attackers to access sensitive data, alter the website’s content, or compromise visitors’ computers. This means that when an attacker looks for a site to compromise, one in eight sites makes it relatively easy to gain access.
• The most commonly exploited vulnerabilities related to SSL and TLS protocol renegotiation.
  • 23. p. 23 2013 IN NUMBERS: Targeted Attacks – Web-Based
[Chart: Websites Found With Malware: 1 in 532 in 2012, 1 in 566 in 2013. Zero-day Vulnerabilities: 14 in 2012, 23 in 2013 (+64%). 23 software vulnerabilities were zero-day, 5 of which were for Java. 97% of attacks using exploits for vulnerabilities identified as zero-day were Java-based.]
[Chart: Top-5 zero-day vulnerabilities, number of attacks detected (thousands) against number of days after vulnerability publication. Oracle Java SE CVE-2013-1493: 54%; Oracle Java Runtime Environment CVE-2013-2423: 27%; Oracle Java Runtime Environment CVE-2013-0422: 16%; Microsoft Internet Explorer CVE-2013-1347: 1%; Microsoft Internet Explorer CVE-2013-3893: <1%. Average time to patch: 4 days. Total time of exposure for top 5 zero-days: 19 days.]
• Malware was found on 1 in 566 websites scanned by Symantec’s Website Vulnerability Assessment Service in combination with the daily malware scanning service.
• 97 percent of attacks using exploits for vulnerabilities initially identified as zero-days were Java-based. The total time between a zero-day vulnerability being published and the required patch being published was 19 days for the top-five most-exploited zero-day vulnerabilities. The average time between publication and patch was 4 days.
• Zero-day vulnerabilities are frequently used in watering-hole web-based targeted attacks. Attackers can quickly switch to using a new exploit for an unpublished zero-day vulnerability once an attack is discovered and the vulnerability published.
  • 24. p. 24 TARGETED ATTACKS + DATA BREACHES
  • 25. p. 25 TARGETED ATTACKS + DATA BREACHES
At a Glance
• Targeted attacks have become more focused as attackers have streamlined their attack methods.
• The global average number of spear-phishing attacks per day in 2013 was 83.
• Zero-day vulnerabilities, often used in watering-hole attacks, reached their highest levels since Symantec began tracking them.
• Hackers were once again responsible for more data breaches than any other source. However, accidental exposure, as well as theft or loss, grew significantly in 2013.
• There were over 552 million identities exposed in data breaches during 2013.
Targeted Attacks
The use of malware specifically to steal sensitive or confidential information from organizations isn’t a new trend; it’s been around for at least the past decade. However, the scale of these attacks has always been relatively low in order to remain below the radar of security technology used to safeguard against them. A targeted attack uses malware aimed at a specific user or group of users within a targeted organization and may be delivered through a spear-phishing email, or a form of drive-by download known as a watering-hole attack. No matter how these attacks are delivered, they are designed to be low in volume, often with malicious components used exclusively in one attack. Their ultimate goal is to provide a backdoor for the attacker to breach the targeted organization. In the past these targeted attacks have relied primarily on the spear-phishing element: an email-based phishing attack, often aimed at an individual or small group of individuals because they may have access to sensitive information through their role at a targeted organization. An important detail with a spear-phishing email is that it often appears to come from someone the recipient knows, a source they would trust, or contains subject matter the target would be interested in or that is relevant to their role.
The social engineering is always refined and well-researched, hence the attack may be very difficult to recognize without the right technology in place to safeguard against it. However, targeted attacks no longer rely as heavily on spear-phishing attacks in order to penetrate an organization’s defenses. More recently the attackers have expanded their tactics to include watering-hole attacks, in which legitimate websites are compromised for the purpose of installing targeted malware onto the victim’s computer. These attacks rely almost exclusively on client-side exploits for zero-day vulnerabilities that the attackers have in their arsenal. Once the vulnerability the hackers are using has been published, they will often quickly switch to using another exploit in order to remain undetected.
Changes in 2013
It’s worth looking back at the last few years to see how previous attack trends compare to the ones in 2013. In 2012 we witnessed a 42 percent increase in the targeted-attack rate when compared to the previous year. This was a measure of the average number of targeted-attack spear-phishing emails blocked each day. In 2013 the attack rate appears to have dropped 28 percent, returning to similar levels seen in 2011. What appears to have happened is that attacks have become more focused as the attackers have solidified and streamlined their attack methods. Looking at email-based attack campaigns in particular,[01] the number of distinct campaigns identified by Symantec is up by 91 percent compared to 2012, and almost six times higher compared to 2011. However, the average number of attacks per campaign has dropped, down 76 percent when compared to 2012 and 62 percent from 2011. This indicates that while each attack campaign is smaller, there have been many more of them in 2013. The number of recipients of spear-phishing emails during a campaign is also lower, at 23 recipients per campaign, down from 111 in 2012 and 61 in 2011.
In contrast, these campaigns are lasting longer. The average duration of a campaign is 8.2 days, compared to 3 days in 2012 and 4 days in 2011. This could indicate that the attack campaigns are becoming more focused and persistent, with a reduced number of attempts over a longer period of time in order to better hide the activity.
  • 26. p. 26 TARGETED ATTACKS + DATA BREACHES
• The global average daily rate of targeted spear-phishing attacks is 28 percent lower than in 2012, but two percent higher than 2011. The figure for 2012 was unusually high, and attackers seem to have adjusted their tactics in 2013 in an attempt to reduce their footprint. The average rates for 2013 returned to levels on par with previous years.
• The global average number of spear-phishing attacks per day in 2013 was 83, compared with 116 in 2012 and 82 in 2011.
• The spear-phishing attack rate reached a peak of 188 attacks per day in the month of August, compared with the peak of 227 in June of the previous year.
[Chart: Average Number of Spear-Phishing Attacks Per Day, 2011–2013, by month. Source: Symantec. Fig. 1]
Spear Phishing
Spear-phishing attacks rely heavily on social engineering to improve their chances of success. The emails in each case are specially tailored by the attackers to spark the interest of the individual being targeted, with the hope that they will open them. For example, an attacker may send someone working in the financial sector a spear-phishing email that appears to cover some new financial rules and regulations. If they were targeting someone working in human resources, they might send spear-phishing emails that include malware-laden résumé attachments. We’ve also seen some fairly aggressive spear-phishing attacks. In these cases the attacker sent an email and then followed up with a phone call directly to the target, such as the “Francophoned” attack from April 2013.[02] The attacker impersonated a high-ranking employee, and requested that the target open an attachment immediately. This assertive method of attack has been reported more often in 2013 than in previous years.
Attackers will often use both the personal and professional accounts of the individual targeted, although statistically the victim’s work-related account is more likely to be targeted. Over the past decade, an increasing number of users have been targeted with spear-phishing attacks, and the social engineering has grown more sophisticated over time. In analyzing the patterns and trends in these attacks it is important to look at the profile of the organizations concerned, most notably to which industry sector they belong, and how large their workforce is. The net total number of attacks blocked in 2013 is broken down by industry in figure 4 and organization size in figure 5.
  • 27. p. 27 TARGETED ATTACKS + DATA BREACHES
EMAIL CAMPAIGNS, 2011 – 2013 (Source: Symantec)
Campaigns: 779 in 2013, 408 in 2012, 165 in 2011; +91% vs 2012, +472% vs 2011.
Average Number of Email Attacks Per Campaign: 29 in 2013, 122 in 2012, 78 in 2011; -76% vs 2012, -62% vs 2011.
Recipients per Campaign: 23 in 2013, 111 in 2012, 61 in 2011; -81% vs 2012, -62% vs 2011.
Average Duration of a Campaign (in days): 8.2 in 2013, 3 in 2012, 4 in 2011; +173% vs 2012, +105% vs 2011.
Fig. 2
• In 2013 the volume and intensity of spear-phishing targeted email campaigns changed considerably from the previous year, extending the duration over which a campaign may last, rather than intensifying the attacks in one or two days as had been the case previously. Consequently, the number of attacks seen each day has fallen, and other characteristics of these attacks suggest this may help to avoid drawing attention to an attack campaign that may be underway.
  • 28. p. 28 TARGETED ATTACKS + DATA BREACHES
TARGETED ATTACK KEY STAGES (Source: Symantec)
01 INCURSION: The attacker gains entry to the targeted organization. This is often preceded by reconnaissance activities where the attacker is looking for a suitable social engineering tactic.
02 DISCOVERY: Once the attacker has gained entry, they will seek to maintain that access as well as discover what data and other valuable resources they may wish to access.
03 CAPTURE: Once the valuable data has been discovered and identified, the attacker will find a way to collect and gather that data before trying to exfiltrate it.
04 EXFILTRATION: The attacker will find a mechanism to steal the data from the targeted organization. This may be by uploading it to a remote server or website the attackers have access to. More covert methods may involve encryption and steganography, to further obfuscate the exfiltration process, such as hiding data inside DNS request packets.
Fig. 3
  • 29. p. 29 TARGETED ATTACKS + DATA BREACHES
• Public Administration[03] topped the industries targeted in 2013, comprising 16 percent of all attacks.
• Services, both professional and non-traditional,[04] came in second and third, respectively, in the overall number of attacks.
However, just because an industry or organization of a particular size receives a large number of attacks doesn’t necessarily mean that it was at an elevated risk, or that someone working in that industry or organization had a high probability of being targeted. The probability was determined by looking at a group of people who have been targeted and comparing this number against a control group for that industry or organization size. Furthermore, it was important to look not only at the attacks themselves, but also to examine the email traffic of other customers in the same sectors and of the same organizational size. In this way, for the first time, Symantec was able to report on the odds of any particular organization being targeted in such an attack, based on their industry and size.
Top-Ten Industries Targeted in Spear-Phishing Attacks, 2013 (Source: Symantec)
Public Administration (Gov.): 16%
Services – Professional: 15%
Services – Non-Traditional: 14%
Manufacturing: 13%
Finance, Insurance & Real Estate: 13%
Transportation, Gas, Communications, Electric: 6%
Wholesale: 5%
Retail: 2%
Mining: 1%
Construction: 1%
Fig. 4
Politics and Targeted Attacks
While correlation doesn’t always equal causation, it’s often quite interesting nevertheless. This is especially true in the amalgamous region of targeted attacks, where it’s difficult to prove motive. A good example of this came this year after negotiations concerning an energy partnership between two nation states. Sadly the negotiations broke down, but what followed was a significant increase in the number of targeted attacks against the Energy sector.
  • 30. p. 30 TARGETED ATTACKS + DATA BREACHES
[Chart: Spear-Phishing Attacks by Size of Targeted Organization, 2011 – 2013. Source: Symantec. Size bands: 1 to 250; 251 to 500; 501 to 1,000; 1,001 to 1,500; 1,501 to 2,500; 2,501+ employees. Fig. 5]
• Targeted attacks aimed at small businesses (1-250 employees) in 2013 accounted for 30 percent of all such attacks, compared with 31 percent in 2012 and 18 percent in 2011. Despite the overall average being almost unchanged, the trend shows that the proportion of attacks at organizations of this size was increasing throughout the year, peaking at 53 percent in November.
• If businesses with 1-250 and 251-500 employees are combined, the proportion of attacks is 41 percent of all attacks, compared with 36 percent in 2012.
• Large enterprises with more than 2,500 employees accounted for 39 percent of all targeted attacks, compared with 50 percent in 2012 and 2011. The frontline in these attacks moved along the supply chain department. Large enterprises were more likely to be targeted through watering-hole attacks than through spear phishing.
  • 31. p. 31 TARGETED ATTACKS + DATA BREACHES
For example, in 2013, 1 in 54 customers were targeted with at least one spear-phishing email. The seriousness of attempted spear-phishing attacks is even clearer, using the same methodology, when comparing these numbers to the annual risk of an office fire. The odds of a building catching fire are, at worst, around one in 161.[05] These odds change depending on the industry, the size of the organization, and an individual’s role within the organization. This risk can be calculated using epidemiology concepts commonly applied to public health issues,[06] in this case applying them to the industry and job role. Epidemiology is frequently used in medicine to analyze how often diseases occur in different groups of people and why. In this way, if targeted attacks are considered to be disease agents, it is possible to determine which groups are more or less at risk based on exposure to the disease. In this case,
[Chart: Risk of Job Role Impact by Targeted Attack Sent by Spear-Phishing Email. Source: Symantec. Risk scale from High through Medium to Low; roles shown: Personal Assistant (Executive Assistant), Media, Senior Management, Sales, C-Level, Recruitment, R&D. Fig. 6]
• Personal assistants, people working in the media, and senior managers are currently most at risk of being targeted by a spear-phishing campaign, based on observations in 2013.
• C-level executives, recruitment, and research and development are less likely to be targeted in the near future solely because of their job role.
Theft in the Middle of the Night
On occasion, evidence of a cybercrime comes from an unexpected source. One company in the financial sector noticed an unusual early morning money transfer on a particular day, and from a particular computer. The company decided to check the CCTV footage and discovered that there was no one sitting at the computer at the time of the transaction.
A back door Trojan was discovered during the examination of the computer. The threat was removed, but not before the attackers behind the attack made off with more than €60,000.
  • 32. p. 32 TARGETED ATTACKS + DATA BREACHES
Ratio of Organizations in an Industry Impacted by Targeted Attack Sent by Spear-Phishing Email (Source: Symantec)
High risk: Mining 1 in 2.7; Public Administration (Government) 1 in 3.1; Manufacturing 1 in 3.2.
Medium risk: Wholesale 1 in 3.4; Transportation, Communications, Electric, Gas & Sanitary Services 1 in 3.9; Finance, Insurance & Real Estate 1 in 4.8.
Low risk: Services – Non-Traditional 1 in 6.6; Construction 1 in 11.3; Agriculture, Forestry & Fishing 1 in 12.0.
Fig. 7
we were not just focused on the organizations being targeted within a particular sector, but on other organizations within the same industry which may not be targeted. In this way we were able to more accurately determine the odds ratio for any one type of organization being targeted. It’s similar to the way risk is calculated for diseases such as lung cancer, and calculating the probability of developing the disease from exposure to tobacco smoke. Of course an organization’s risk will either rise or fall depending on their industry and number of employees (figure 8). For the individual, another factor will be their job role, as shown in figure 6.
• Mining, Manufacturing, and Public Administration were high-risk industries based on observations made in 2013. For example, approximately 1 in 3 customers in these sectors were subjected to one or more targeted spear-phishing attacks in 2013.
• Although only 0.9 percent (1 in 110) of all spear-phishing attacks were aimed at the Mining sector in 2013, one-third of Mining organizations were targeted at least once. This indicates a high likelihood of being targeted, but the frequency and volume of attacks is relatively low compared to other sectors.
• Similarly Wholesale, Transportation, and Finance may be classified as medium-risk industries.
• Non-traditional services, Construction, and Agriculture fell below the base line, which means that the organizations in these industry sectors were unlikely to have been targeted solely for being in that sector.
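The control-group comparison described above, worked through as an added example (not Symantec's code, data or exact method). It assumes the standard 2x2 odds ratio with a Woolf log-scale 95% interval and uses all other sectors in the sample as the control group; the counts in `SAMPLE` and the names `odds_ratio` and `assess` are constructed for illustration.

```python
import math

# Constructed sample, NOT Symantec data: sector -> (organizations observed,
# organizations hit by at least one spear-phishing email, emails blocked).
SAMPLE = {
    "Mining": (54, 20, 90),
    "Public Administration": (310, 100, 1600),
    "Construction": (226, 20, 100),
    "Retail": (100, 22, 200),
    "Services": (1310, 238, 8010),
}


def odds_ratio(a, b, c, d, z=1.96):
    """Odds ratio of a 2x2 table with a Woolf (log-scale) confidence interval.

    a, b: targeted / not targeted organizations inside the sector.
    c, d: targeted / not targeted organizations in the control group.
    """
    if min(a, b, c, d) < 0:
        raise ValueError("counts must be non-negative")
    if 0 in (a, b, c, d):
        # Haldane-Anscombe correction keeps the ratio finite for empty cells.
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    ratio = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    low = math.exp(math.log(ratio) - z * se)
    high = math.exp(math.log(ratio) + z * se)
    return ratio, low, high


def assess(sector, data=SAMPLE):
    """Compare one sector against every other sector in the sample."""
    orgs, hit, emails = data[sector]
    if hit > orgs:
        raise ValueError("more targeted organizations than organizations")
    others = [v for name, v in data.items() if name != sector]
    ctl_orgs = sum(v[0] for v in others)
    ctl_hit = sum(v[1] for v in others)
    ratio, low, high = odds_ratio(hit, orgs - hit, ctl_hit, ctl_orgs - ctl_hit)
    # A sector is only called out when the whole interval clears the baseline.
    if low > 1:
        band = "elevated"
    elif high < 1:
        band = "below baseline"
    else:
        band = "baseline"
    return {
        "one_in": orgs / hit if hit else math.inf,   # "1 in N" organizations
        "email_share": emails / sum(v[2] for v in data.values()),
        "odds_ratio": ratio,
        "ci": (low, high),
        "band": band,
    }


if __name__ == "__main__":
    for name in SAMPLE:
        r = assess(name)
        print(f"{name:22s} 1 in {r['one_in']:4.1f}  "
              f"share of emails {r['email_share']:6.1%}  "
              f"OR {r['odds_ratio']:.2f} "
              f"[{r['ci'][0]:.2f}, {r['ci'][1]:.2f}]  {r['band']}")
```

In the constructed sample, Mining receives under one percent of the emails yet has the highest odds ratio, which is the volume-versus-likelihood distinction the Mining bullet above draws.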
  • 33. p. 33 TARGETED ATTACKS + DATA BREACHES
Ratio of Organizations Targeted by Industry Size Sent by Spear-Phishing Email (Source: Symantec; risk scale from High to Medium)
2,500+ employees: 1 in 2.3
1,501–2,500: 1 in 2.9
1,001–1,500: 1 in 2.9
501–1,000: 1 in 3.8
251–500: 1 in 4.3
1–250: 1 in 5.2
Fig. 8 [07]
• The larger the company, the greater the risk of receiving a spear-phishing email.
• One in 2.3 organizations with 2,500+ employees was targeted in at least one spear-phishing attack, while 1 in 5 small or medium businesses were targeted in this way.
Analysis of Spear-Phishing Emails Used in Targeted Attacks (Source: Symantec)
Executable type: 2013 / 2012
.exe: 31.3% / 39%
.scr: 18.4% / 2%
.doc: 7.9% / 34%
.pdf: 5.3% / 11%
.class: 4.7% / <1%
.jpg: 3.8% / <1%
.dmp: 2.7% / 1%
.dll: 1.8% / 1%
.au3: 1.7% / <1%
.xls: 1.2% / 5%
Fig. 9
• More than 50 percent of email attachments used in spear-phishing attacks contained executable files in 2013.
• Microsoft Word and PDF documents were both used regularly, making up 7.9 and 5.3 percent of attachments respectively. However, these percentages are both down from 2012.
• Java .class files also made up 4.7 percent of email attachments used in spear-phishing attacks.
  • 34. p. 34 TARGETED ATTACKS + DATA BREACHES
Watering Holes
In 2013, the most sophisticated form of targeted attacks made use of “watering holes”. First documented in 2011,[08] this attack technique requires the attackers to infiltrate a legitimate site visited by their target, plant malicious code, and then lie in wait. As a drive-by download tactic, it can be incredibly potent. For example, the Hidden Lynx[09] attacks infected approximately 4,000 users in one month alone. In some cases other visitors to a watering-hole site may not be the intended target, and are therefore either served with other forms of malware or no malware at all, rather than being subjected to the attack reserved for the primary target. This illustrates that while effective, watering holes may be used as a longer-term tactic, requiring a degree of patience on the part of the attackers as they wait for their intended target to visit the site unprompted. To set up a watering hole, attackers generally have to find and exploit a vulnerability in a legitimate website in order to gain control and plant their malicious payload within the site. Compromising a legitimate website may seem to be a challenge for many, but vulnerability scans of public websites carried out in 2013 by Symantec’s Website Security Solutions division[10] found that 77 percent of sites contained vulnerabilities. Of these, 16 percent were classified as critical vulnerabilities that allow attackers to either access sensitive data, alter website content, or compromise a visitor’s computers. This means that when an attacker looked for a site to compromise, one in eight sites made it relatively easy to gain access. When a website is compromised, the attackers are able to monitor the logs of the compromised site in order to see who is visiting the website.
For instance, if they are targeting organizations in the defense industry, they may look for IP addresses of known defense contractors. If these IP addresses are found in the traffic logs, they may then use the website as a watering hole.
Zero-day Vulnerabilities, Annual Total, 2006 – 2013 (Source: Symantec)
2006: 13; 2007: 15; 2008: 9; 2009: 12; 2010: 14; 2011: 8; 2012: 14; 2013: 23
Fig. 10
  • 35. p. 35 TARGETED ATTACKS + DATA BREACHES
Top-Five Zero-day Vulnerabilities (Source: Symantec)
[Chart: number of attacks detected (thousands) against number of days after vulnerability publication. Average time to patch: 4 days. Total time of exposure for top 5 zero-days: 19 days.]
Oracle Java SE CVE-2013-1493 Remote Code Execution Vulnerability: 54%
Oracle Java Runtime Environment CVE-2013-2423 Security Bypass Vulnerability: 27%
Oracle Java Runtime Environment CVE-2013-0422 Multiple Remote Code Execution Vulnerabilities: 16%
Microsoft Internet Explorer CVE-2013-1347 Use-After-Free Remote Code Execution Vulnerability: 1%
Microsoft Internet Explorer CVE-2013-3893 Memory Corruption Vulnerability: <1%
Fig. 11
• The chart above shows the malicious activity blocked by Symantec endpoint technology for the most frequently exploited vulnerabilities that were identified as zero-days in 2013.
• Within the first 5 days after publication, Symantec blocked 20,813 potential attacks, which grew to 37,555 after 10 days. Within 30 days the total for the top five was 174,651.
• For some zero-day vulnerabilities, there was a higher amount of malicious activity very soon after publication, an indication of exploits being available in the wild before the vulnerability was documented. For example, with CVE-2013-0422 after five days Symantec had blocked 20,484 malicious actions against that vulnerability, and 100,013 after just 30 days.
  • 36. p. 36 TARGETED ATTACKS + DATA BREACHES
Attackers can even send the malicious payloads to particular IP address ranges they wish to target, in order to minimize the level of collateral damage from other people visiting the site, which potentially draws attention to the existence of the attack. Watering holes rely heavily on exploiting zero-day vulnerabilities because the chances of the attack being discovered are low. The number of zero-day vulnerabilities which were used in attacks during 2013 increased, with 23 new ones discovered during the year. This is an increase from the 14 that were discovered in 2012, and the highest figure since Symantec began tracking zero-day vulnerabilities in 2006. In 2013 the majority of attacks that used zero-day vulnerabilities focused on Java. Java held the top three spots in exploited zero-day vulnerabilities, responsible for 97 percent of attacks that used zero-day vulnerabilities after they were disclosed. When looking at the top five zero-day vulnerabilities, the average exposure window between disclosure and an official patch was 3.8 days, and comprised a total of 19 days where users were left exposed. One reason why watering-hole attacks are becoming more popular is that users aren’t instinctively suspicious of legitimate websites that they know and trust. In general such attacks are set up on legitimate websites that contain specific content of interest to the individual or group being targeted. The use of zero-day vulnerabilities on legitimate websites made watering holes a very attractive method for attackers with the resources to orchestrate such an attack.
Network Discovery and Data Capture
If attackers successfully compromise an organization they may traverse the network, attempt to gain access to the domain controller, find documents of interest, and exfiltrate the data.
Downloaders were popular tools used to gain further control within an organization’s network. Often referred to as “stage-one back doors”, these highly versatile forms of malicious code allow the download of other malware, depending on what may be needed to carry out their objectives. The main reason that attackers use downloaders is that they’re lightweight and easy to propagate. Once a downloader enters a network it will, by definition, download more traditional payloads such as Trojan horses to scan the network, keyloggers to steal information typed into compromised computers, and back doors that can send stolen data back to the attacker. Once on the network, an attacker’s goal is generally to traverse it further and gain access to various systems. Info-stealing Trojans are one of the more common payloads that an attacker will deliver. These Trojans quietly sit on compromised computers gathering account details. Password-dumping tools are used as well, especially when encountering an encrypted cache of passwords. These tools allow an attacker to copy encrypted (or “hashed”) passwords and attempt to “pass the hash,” as it is known, to exploit potentially vulnerable systems on the network. The goal for the attacker is to gain elevated privileges on systems on the network that appeal to them, such as FTP access, email servers, domain controllers, and so on. Attackers can use these details to log into these systems, continue to traverse the network, or use them to exfiltrate data.
It’s Not Just a Game Anymore
Video game companies have become the target of attackers, but for more than just stealing virtual currencies, as we’ve seen in previous years. It appears there has been a concerted effort by hacking groups to steal the source code of popular games, particularly those in the massively-multiplayer online role-playing game (MMORPG) genre.
The hackers appear to have gained access through forged digital certificates, after which point they stole source code. The motive for doing so remains unclear, though it could be to monitor game users or simply to steal the intellectual property.
  • 37. p. 37 TARGETED ATTACKS + DATA BREACHES
Case Study: Point of Sale Attacks
One of the most notable incidents in 2013 was caused by a targeted attack exploiting a retailer’s point of sale (PoS) systems. This resulted in a significant breach of confidential customer records. These PoS systems handle customer transactions through cash or credit cards. When a customer swipes their credit or debit card at a PoS system, their data is sent through the company’s networks in order to reach the payment processor. Depending on how the system is set up, attackers could take advantage of a number of flaws within the networks to ultimately allow them to get to their targeted data.
01 First, the attacker needs to gain access to the corporation’s network that provides access to the PoS systems.
02 Once the attacker has established a beachhead into the network, they will need to get to their targeted systems. To achieve this, the attacker needs to either attempt to exploit vulnerabilities using brute-force attacks or steal privileged credentials from an employee through an information-stealing Trojan.
03 The attacker must then plant malware that steals sensitive financial data, such as network-sniffing tools, which steal credit card numbers as they move through internal unencrypted networks, or RAM-scraping malware, which gathers credit card numbers as the computer reads them.
04 Once the malware is planted, the attacker needs to wait until enough financial data is collected before exfiltrating it. The stolen data is stored locally and is disguised by obfuscating file names and encrypting data. The attacker can also use the stolen administrator credentials to delete log files or disable monitoring software to cover their tracks.
05 When the time comes for the attacker to exfiltrate the data, they may use a hijacked internal system to act as their staging server.
The stolen data will be passed to this server and when the time comes, the details will be transferred through any number of other internal systems before reaching an external system under the attacker’s control.
  • 38. p. 38 TARGETED ATTACKS + DATA BREACHES
POINT OF SALE BREACH STAGES (Source: Symantec)
01 INFILTRATION: Attackers break into corporate network via spear phishing, vulnerable servers, and other traditional means
02 NETWORK TRAVERSAL: Attacker searches for entry point to the point of sale network
03 DATA STEALING TOOLS: Attacker installs malware on PoS systems to steal credit card data
04 PERSISTENCE STEALTH: Malware steals data after each credit card transaction, accumulating large amounts of stolen data over time
05 STAGING: Attackers hijack internal system for their “staging server”, accumulating data from thousands of PoS systems
06 EXFILTRATION: Collected data is exfiltrated to an external server such as a compromised 3rd party cloud server for removal
Fig. 14
  • 39. p. 39 TARGETED ATTACKS + DATA BREACHES
Data Breaches
We’ve seen a shift in 2013 in the causes of data breaches. When thinking of a data breach, what often comes to mind are outside attackers penetrating an organization’s defense. Hacking continues to lead in terms of the number of breach causes, comprising 35 percent of data breaches in 2013, but this is down from 2012. At 28 percent, accidental disclosure is up 5 percentage points from 2012 and theft or loss is close behind it, up 4 percentage points to 27 percent. There are many situations where data is exposed by the information leaving the organization silently. Sometimes it’s a well-meaning employee simply hoping to work from home by sending a spreadsheet through third-party web-based email, a cloud service, or simply by copying the files to a USB drive. Alternatively, system glitches may expose data to users who should not be able to see or share such material. For instance, users may be granted permissions on company storage resources that are higher than necessary, thus granting them too much access rather than just enough to do what they need. Privileged users, such as those granted administrative rights on work computers, are
• Hacking was the leading source for reported identities exposed in 2013: Hackers were also responsible for the largest number of identities exposed, responsible for 35 percent of the incidents and 76 percent of the identities exposed in data breach incidents during 2013.
• The average number of identities exposed per data breach for hacking incidents was approximately 4.7 million.
• Theft or loss of a device was ranked third, and accounted for 27 percent of data breach incidents.
Top Causes of Data Breach, 2013 (Source: Symantec)
Hackers: 34%, 87 incidents
Accidentally Made Public: 29%, 72 incidents
Theft or Loss of Computer or Drive: 27%, 69 incidents
Insider Theft: 6%, 15 incidents
Unknown: 2%, 6 incidents
Fraud: 2%, 4 incidents
TOTAL: 253 incidents
Fig. 12
  • 40. p. 40
Fig. 13: Timeline of Data Breaches, 2013 (Source: Symantec). Monthly chart, January to December, showing number of incidents and identities exposed (millions).
• There were 253 data breach incidents recorded by the Norton Cybercrime Index for 2013, and a total of 552,018,539 identities exposed as a result.
• The average number of identities exposed per incident was 2,181,891, compared with 604,826 in 2012 (an increase of over 2.5 times).
• The median number of identities exposed was 6,777 compared with 8,350 in 2012. The median is a useful measure as it eliminates extreme values caused by the most notable incidents, which may not necessarily be typical.
• The number of incidents that resulted in 10 million or more identities being exposed in 2013 was eight, compared with only one in 2012.
  • 41. p. 41
often more responsible for breaches than external hackers. These users try to access data they shouldn’t have access to or tamper with protections, such as data loss prevention software meant to keep sensitive data from leaving the organization’s network.
In many of these cases the employee does not believe that they are putting the company at risk. In fact, according to a survey conducted by Symantec and The Ponemon Institute, 53 percent of employees believe this practice is acceptable because it doesn’t harm the company.[11]
That’s not to say that attacks from hackers have suddenly slowed. In 2013 there were three record-breaking data breaches, where the number of identities exposed was in the hundreds of millions. These massive breaches highlight the importance of having defenses in place to keep outside intruders out as well as systems set up to stop sensitive information from leaving the network.
According to the 2013 Cost of a Data Breach study, published by Symantec and the Ponemon Institute,[12] the cost of the average consolidated data breach incident increased from US$130 to US$136. However, this number can vary depending on the country, where German and US companies experienced much higher costs at US$199 and US$188, respectively.
Consequences of a Data Breach
Data theft is not a victimless crime. Data breaches pose major consequences for both the corporations that experience them and the consumers who are victims of them.
Risks for the Corporations
If a company suffers a major data breach, it can face severe repercussions that could impact its business. First, there are the reputational damages that come with a data breach. The incident could cause consumers to lose trust in the company and move to their competitors’ businesses.
If the company suffered a large data breach it’s likely to receive extensive media coverage, further damaging the corporation’s reputation.
If the customers decide that the company was at fault for failing to protect their information from theft, they could file a class action lawsuit against the breached firm. For example, a class action lawsuit is being taken against a health insurer over the theft of two unencrypted laptop computers which held data belonging to 840,000 of its members.
Affected corporations could have other financial concerns beyond legal matters. We believe that on average, US companies paid US$188 per breached record over a period of two years. The only country hit with a bigger price tag was Germany, at US$199 per breached record. This price rose if the data breach was caused by a malicious attack. In these cases, US firms paid US$277 per breached record over two years, while German firms paid US$214 per record. These expenses covered detection, escalation, notification and after-the-fact response, such as offering data monitoring services to affected customers.
One US medical records company was driven to bankruptcy after a break-in which led to the exposure of addresses, social security numbers, and medical diagnoses of 14,000 people. When explaining its decision to file for Chapter 7 bankruptcy protection, the company said that the cost of dealing with the data breach was “prohibitive.”
  • 42. p. 42
Risks for the Consumers
Ultimately, consumers are the real victims of data breaches, as they face many serious risks as a result of this cybercrime.
One unintended risk for consumers whose data was stolen in this way is that their other online accounts could be compromised. Attackers use a victim’s personal details to try to gain access to other accounts of more value, for example, through password reset features on websites. Depending on the stolen information, attackers could use the data to authorize bank account transfers to accounts under their control. They could also use victims’ financial details to create fraudulent credit or debit cards and steal their money.
Consumers’ own lax password habits could also cause several of their accounts to be compromised as the result of a data breach. If an attacker manages to obtain email addresses and passwords for one service as a result of a data breach, they could use this data to attempt to log in to other online services.
Medical identity theft could have a huge impact on the consumer, potentially costing victims thousands of dollars, putting their health coverage at risk, causing legal problems, or leading to the creation of inaccurate medical records. Attackers can use health insurance information, personal details, and social security numbers to make false claims on their victims’ health insurance. They could take advantage of this data to get free medical treatment at the victims’ cost, or even to obtain addictive prescription drugs for themselves or to sell to others.
According to our data, the healthcare sector contained the largest number of disclosed data breaches in 2013 at 37 percent of those disclosed.
Why does it appear that the Healthcare sector is subject to a higher number of data breaches?
One consideration is that few other industries can lay claim to needing to store such a variety of personally identifiable information about clients. By targeting a hospital’s records, an attacker can easily gather a lot of personal information from these sources, especially if their goal is identity theft.
On the other hand, the healthcare industry is one of the most highly regulated industries, and required to disclose when and where a breach occurs. These sorts of disclosures garner lots of media attention. In contrast, many industries are less forthcoming when a breach occurs. For instance, if a company has trade secrets compromised, which doesn’t necessarily impact clients or customers directly, they may not be quite as forthcoming with the information. Whatever the case, at 44 percent Healthcare continues to top our list of industries most impacted by data breaches.
Digital Privacy Concerns
If there ever was any question that governments are monitoring Internet traffic, a spotlight was cast on the subject in 2013. A variety of leaks during the year showed that, for better or for worse, there are agencies in the world who are largely gathering anything and everything they can.
In some cases it’s one nation state monitoring another. In others it’s a nation state monitoring the communications of its own citizens. While some governments have been thrust into the spotlight more than others, there’s no question that it is happening in many places. Online monitoring was a major security and privacy talking point in 2013.
From June 2013, several news reports were released containing new information on the US National Security Agency’s (NSA) data surveillance programs. More are yet to come, considering the sheer magnitude of documents leaked by Edward Snowden, the former NSA contractor who released the data.
The documents claimed that over the course of several years the NSA collected metadata from phone calls and major online services, accessed the fiber-optic networks that
  • 43. p. 43
connected global data centers, attempted to circumvent widely-used Internet encryption technologies, and stored vast amounts of metadata gathered as part of these programs.
The US wasn’t the only country engaged in cyber-espionage activities in 2013. The Snowden leaks also pointed the finger at the United Kingdom’s Government Communications Headquarters (GCHQ), and the monitoring activities of other European spying agencies have come to light as well. In other parts of the globe, Symantec uncovered a professional hackers-for-hire group with advanced capabilities known as Hidden Lynx. The group may have worked for nation states, as the information that they targeted includes knowledge and technologies that would benefit other countries. Russia’s intelligence forces were also accused of gaining access to corporate networks in the US, Asia, and Europe.
What’s important to note is that the released data leading to many of the year’s online monitoring stories was brought to the public by someone who was a contractor rather than a full-time employee, and considered a trusted member of the organization. These organizations also appeared to lack strong measures in place to prevent such data leaks, such as data loss prevention systems.
Unlike external attackers, insiders may already possess privileged access to sensitive customer information, meaning they don’t have to go to the trouble of stealing login credentials from someone else. They also have knowledge of the inner workings of a company, so if they know that their organization has lax security practices they may believe that they could get away with data theft unscathed.
Our recent research conducted with the Ponemon Institute says that 51 percent of employees claim that it’s acceptable to transfer corporate data to their personal computers, as their organizations don’t strictly enforce data security policies. Insiders could earn a lot of money for selling customer details, which may be motivation enough to risk their careers.
There are two big issues with online monitoring today, not just for governments, but also for organizations and ordinary citizens: Personal digital privacy, and the use of malware or spyware. It’s clear that governments are monitoring communications on the Internet, leading more Internet users to look into encryption to protect their communications and online activities. What’s more troubling for those concerned about safeguarding their privacy is that nation states have largely adopted the same techniques as traditional attackers, using exploits and delivering malicious binaries. From a security perspective, there is very little difference between these techniques, targeted attacks, and cybercrime in general.
  • 44. p. 44 E-CRIME + MALWARE DELIVERY TACTICS
  • 45. p. 45
E-crime and Cyber Security
The use of computers and electronic communications equipment in an attempt to commit criminal activities, often to generate money, is generally referred to as e-crime and it continues to play a pivotal role in the threat landscape. The scope of what is covered by e-crime has also changed and expanded over the years and now includes a variety of other potentially illegal activities that may be conducted online, such as cyber bullying, the hijacking of personal data, and the theft of intellectual property.
The threats used to carry out the more traditional e-crime attacks rely heavily on social engineering in order to succeed, and may be delivered in one of two ways: through web-based activity, drive-by downloads, or by email, similar to the way spam campaigns are conducted.
The criminals behind these e-crime attacks are well organized, having a sophisticated malicious distribution network behind them. This plays out in a format where different attackers carry out different tasks. One group will focus on compromising computers, another will configure and administer those computers to carry out various malicious activities, while yet another will broker deals for renting the use of those compromised computers to other cybercriminals.
Botnets and the Rental Market
Cybercriminals involved in e-crime generally start out by working to get malware onto computers, turning them into “zombies” with the aim of adding them to larger networks of similarly compromised computers, called botnets, or “robot networks”. A botnet can be easily controlled from a central location, either through a command and control (C&C) server or a peer to peer (P2P) network. Zombie computers connected to the same C&C channels become part of the same botnet.
Botnets are an extremely potent asset for criminals because they can be used for a wide variety of purposes, such as sending spam emails, stealing banking information, conducting distributed denial-of-service (DDoS) attacks against a website, or a variety of other malicious activities. They have also become a core tool for administering compromised computers that are rented to yet another third party for malicious purposes.
Adding a computer to a botnet is generally just the first step. The attackers seek out other cybercriminals in the hope that they can lease the botnets for various purposes. This rental style gives the initial attacker a lot of leverage and flexibility concerning how they monetize and use the computers they’ve compromised and look after.
Configurations can vary widely, focused on types of computers, regions, languages, or other features that the buyer is looking to gain access to. Prices also vary depending on the length of rental and the job for which the computers are to be used.
For example, infections in some countries are considered more valuable than others. In the case of click fraud, an infection will create fake user clicks on advertisements to earn affiliate fees. American and UK computers tend to be preferred because pay-per-click advertisers in these countries will pay more. The same applies to banking Trojans, which are generally more focused on targeting Western bank accounts.
The good news is that there were a number of takedowns that occurred in 2013. Of particular note are the efforts to take down the Bamital and ZeroAccess botnets.
Bamital was taken down in February, thanks to a cooperative effort on the part of Symantec, Microsoft, Spain’s Civil Guardia, and Catalunyan CERT (CESICAT). This botnet had been responsible for a significant amount of click-fraud traffic, generating upwards of three million clicks per day at its peak.[13] To perform click fraud, the botnet would hijack the search results typed into
At a Glance
• The criminals behind e-crime have set up sophisticated malicious distribution networks.
• The monthly volume of ransomware has increased by over six times since the beginning of 2013.
• Web attack toolkits continue to be a primary method for compromising computers, even with the arrest of the alleged creator of the Blackhole exploit kit in 2013.
• The number of vulnerabilities disclosed has reached record levels in 2013.
  • 46. p. 46
Fig. 1: Malicious Activity by Source: Bots, 2012–2013 (Source: Symantec)
Country/Region   2013 Bots Rank   2013 Bots %   2012 Bots Rank   2012 Bots %
United States    1                20.0%         1                15.3%
China            2                9.1%          2                15.0%
Italy            3                6.0%          5                7.6%
Taiwan           4                6.0%          3                7.9%
Brazil           5                5.7%          4                7.8%
Japan            6                4.3%          6                4.6%
Hungary          7                4.2%          8                4.2%
Germany          8                4.2%          9                4.0%
Spain            9                3.9%          10               3.2%
Canada           10               3.5%          11               2.0%
• Unsurprisingly, the US and China have the most densely populated bot populations, largely owing to their large Internet populations. The US population are avid users of the Internet, with 78 percent Internet penetration, but undoubtedly their keen use of the Internet contributes to their popularity with malware authors. China also has the largest population of Internet users in the Asia region, with 40 percent Internet penetration and accounting for approximately 50 percent of the Internet users in the Asia region.[14]
• Italy has a lower percentage of bots in the country, but is ranked third highest in 2013, compared with fifth in 2012.
• The US, Germany, Spain and Canada all increased their relative proportions of the world’s bots in 2013, while the proportions in the other geographies listed have diminished.
compromised computers, redirecting the users to predetermined pay-per-click sites, with the goal of making money off those clicks.
When a computer is used to perform click fraud, the user will rarely notice. The fraud consumes few computer resources to run, and at the most takes up extra bandwidth with the clicks. The attackers make money from pay-per-click advertisers and publishers—not from the user. This is in contrast with other forms of malware such as ransomware, where it is clear that an infection has occurred. A computer may be used in a click-fraud operation for an extended period of time, performing its activity invisibly during the daily operation of the computer.
The partial takedown during the year made a lasting impact on the operations of the ZeroAccess botnet. Symantec security researchers looking at the threat discovered a flaw in ZeroAccess that could allow them to sinkhole computers within the botnet. The operation succeeded in liberating approximately half a million ZeroAccess clients from the botnet network.[15]
At that time, ZeroAccess was one of the larger botnets in existence, and one that used P2P communications to maintain links between clients. These types of P2P botnets tend to be quite large overall; Helios and Zbot (a.k.a. GameOver Zeus) are two other examples of large botnets that use similar communication mechanisms. It isn’t entirely clear if these botnets are big because they utilize P2P, or they utilize P2P because they’re big. However, using P2P for communications does make it more difficult to take down a botnet, given the lack of a centralized C&C server.
Large botnets like Cutwail and Kelihos have made their presence felt in the threat landscape this year by sending out malicious attachments. The threats are generally like banking Trojans or downloaders, such as Downloader.Ponik and Downloader.Dromedan (also called Pony and Andromeda respectively), which download more malware.
Trojan.Zbot (a.k.a. Zeus) continues to make an impact in the botnet world. Having its malicious payload based on easy-to-use toolkits has allowed Zbot to maintain its popularity with threat actors. In 2013 we’ve seen Zbot being packed in different ways and at different times in order to evade detection. These packing techniques appear almost seasonal in their approach to evading detection, but underneath it all it’s always the same Zeus code base.
  • 47. p. 47
Fig. 2: Top-Ten Botnets, 2013 (Source: Symantec)
Spam Botnet Name   Percentage of Botnet Spam   Estimated Spam Per Day   Top Sources of Spam From Botnet
KELIHOS            46.90%                      10.41BN                  Spain 8.4%, United States 7.2%, India 6.6%
CUTWAIL            36.33%                      8.06BN                   India 7.7%, Peru 7.5%, Argentina 4.8%
DARKMAILER         7.21%                       1.60BN                   Russia 12.4%, Poland 8.3%, United States 8.1%
MAAZBEN            2.70%                       598.12M                  China 23.6%, United States 8.2%, Russia 4.8%
DARKMAILER3        2.58%                       573.33M                  United States 18.2%, France 10.4%, Poland 7.5%
UNKNAMED           1.17%                       259.03M                  China 35.1%, United States 10.0%, Russia 7.5%
FESTI              0.81%                       178.89M                  China 21.9%, Russia 5.8%, Ukraine 4.7%
DARKMAILER2        0.72%                       158.73M                  United States 12.6%, Belarus 8.3%, Poland 6.6%
GRUM               0.53%                       118.00M                  Russia 14.5%, Argentina 6.9%, India 6.9%
GHEG               0.35%                       76.81M                   Poland 17.4%, Vietnam 12.1%, India 11.5%
• 76 percent of spam was sent from spam botnets, down from 79 percent in 2012.
• It is worth noting that while Kelihos is the name of a spam-sending botnet, Waledac is the name of the malware used to create it. Similarly, Cutwail is another spam-sending botnet and Pandex is the name of the malware involved.
  • 48. p. 48
Ransomware Over Time, 2013 (Source: Symantec). Monthly chart, January to December, with a trend line; vertical axis in thousands.
Ransomware: When Data Becomes a Hostage to Fortune
In October 2013, the US Federal Bureau of Investigation issued a warning about a new type of malware that had appeared. The threat, known as CryptoLocker, encrypted a victim’s documents and demanded payment in return for the decryption key. Two weeks later, the UK equivalent of the FBI, the National Crime Agency, also issued a public warning about CryptoLocker.
It isn’t often that one piece of malware mobilizes law enforcement agencies across the world, and it is indicative of the level of panic created by CryptoLocker during 2013. Despite the hype, CryptoLocker is not a completely new malware. Instead it is the latest evolution of a family of threats known as ransomware.
Ransomware first came to prominence a decade ago. The business model usually involves the victim’s computer being locked. Attackers demand a ransom in order to remove the infection. However, CryptoLocker has managed to capture the public imagination because it represents the perfect ransomware threat: It encrypts the user’s data and, unlike most malware infections, no fix can rescue it. CryptoLocker uses strong encryption, meaning the victim is left with the unpalatable choice of saying goodbye to their valuable personal data or paying the attackers a ransom fee.
Symantec noticed a significant upsurge in the number of ransomware attacks during 2013. During January we stopped over 100,000 infection attempts. By December that number had risen more than six-fold. There was a noticeable uptick in detection from the month of July onwards, peaking in November.
CryptoLocker first began to circulate in September, and while CryptoLocker detections grew quickly (by 30 percent in December alone), the number of definitive CryptoLocker detections is still a very small proportion of overall ransomware detections. For example, in December only 0.2 percent (1 in 500) of all ransomware detections by Symantec was indisputably identified as CryptoLocker.
• Monthly ransomware activity increased by 500 percent from 100,000 in January to 600,000 in December, increasing to six times its previous level. (Fig. 3)
  • 49. p. 49
Fig. 4: Browser-based ransomware threat, Browlock.
However, this statistic only tells part of the story, and its prevalence may be higher. CryptoLocker is often blocked by intrusion prevention systems (IPS) which may simply identify it as generic ransomware rather than a specific variant.
Ransomware, including CryptoLocker, continues to prove lucrative for attackers. Symantec research indicates that on average, 3 percent of infected users will pay the ransom. These figures tally with work done by other researchers.[16]
Analysis by Symantec of the ransoms demanded by CryptoLocker infections indicates that most variants demand US$100 to $400 for a decryption key. This is roughly in line with the ransom amount demanded by other ransomware variants. Although CryptoLocker is a more effective threat, attackers have yet to take advantage of this by demanding larger ransoms.
The amount of money being paid in ransom is difficult to assess; however, some efforts have been made to track payments made through Bitcoin. All Bitcoin transactions are logged as public record, and searching for Bitcoin addresses used to collect ransom can yield some insight. From the small number of Bitcoin addresses analyzed, it is clear that ransomware distributors have without a doubt earned tens of millions over the last year.
Analysis of ransom amounts is complicated somewhat by the fact that many variants demand payment in Bitcoin. Our analysis of CryptoLocker ransom demands found that attackers generally seek between 0.5 and 2 Bitcoin. Lower ransom demands began appearing near the end of 2013. This reduction had less to do with any newfound altruism on the part of attackers and more to do with the soaring value of Bitcoin. The virtual currency was trading at just over US$100 when CryptoLocker first appeared in September. By December its value had increased to over US$1,000.
  • 50. p. 50
This suggests that attackers have concluded that US$100 to $400 is the optimum ransom amount, and they will move to adjust their demand to avoid pricing themselves out of the market.
Some attackers have also refined their ransom tactics by introducing a second, larger ransom of 10 Bitcoin for victims who miss the original 72-hour deadline. The attackers appear to have concluded that some potential opportunities were left unexploited by their original business model, with some victims willing to pay significant amounts for the return of valuable data. This higher ransom tier may also have the secondary purpose of exerting additional pressure on victims to pay within the deadline.
Meanwhile, older ransomware attack techniques have started to seep into markets previously unexploited. More localized content, based on location data, has started to appear in Latin American countries. In many ways, this form of ransomware is similar to what has been seen in English-speaking countries in previous years. The reasons behind this are likely precipitated by the increasing availability of online payment providers in these regions. With easy options for payment, ransomware has begun to appear in these areas, with the Reveton and Urausy versions already having been discovered with Spanish variants.
In the grand scheme of the threat landscape, ransomware does not make up a huge percentage of overall threats, but it clearly does serious damage, particularly to the victims who may not have backed up their data to begin with.
In the future, new ransomware schemes may emerge. Since some groups have had success with it, others may jump on the bandwagon. Toolkits for creating these types of ransomware have been developed.
Browser-based ransomware also began to appear near the end of the year, which uses JavaScript to prevent a user from closing the browser tab,[17] and more of these ransomware-type scams will likely be seen in the future.
Banking Trojans and Heists
Banking Trojans are a fairly lucrative prospect for attackers. Today’s threats continue to focus on modifying banking sessions and injecting extra fields in the hope of either stealing sensitive banking details or hijacking the session. Some of the more common banking Trojans include Trojan.Tiylon[18] and a variant of the Zbot botnet, called Gameover Zeus. Symantec’s State of Financial Trojans 2013 whitepaper[19] concluded that in the first three quarters of 2013, the number of banking Trojans tripled. More than half of these attacks were aimed at the top 15 financial institutions, though over 1,400 institutions have been targeted in 88 countries. While browser-based attacks are still common, mobile threats are also used to circumvent authentication through SMS messages, where the attacker can intercept text messages from the victim’s bank.
The most common form of attack continues to be financial Trojans which perform a Man-In-The-Browser (MITB) attack on the client’s computer during an online banking session. Symantec analyzed 1,086 configuration files of 8 common financial Trojans. The malware was configured to scan for URLs belonging to 1,486 different organizations. All of the top 15 targeted financial institutions were present in more than 50 percent of the analyzed configuration files.
In addition to those attacks, Symantec observed an increase in hardware-supported attacks in 2013. Besides the still popular skimming attacks, a new piece of malware was discovered named Backdoor.Ploutus which targeted ATMs. Initially discovered in Mexico, the malware soon spread to other countries, with English versions emerging later. The malware allows for criminals to effectively empty infected ATMs of cash.
The malware is applied to the ATM by physically inserting a malicious CD-ROM and causing the machine to boot from it. While booting, the malware is installed onto the system. The attacker can then use specific key combinations on the keypad to interact with the malware and initiate the ultimate goal – to