Written evidence submitted by Symantec
(Malware 09)
1. Recent high profile cyber incidents have highlighted
the increasingly complex, sophisticated and organised nature of
cybercrime. This, together with the shift towards greater interoperability
between internet-based networks and systems, means that a targeted
malware attack can have a cascading effect on other connected
systems, with individuals, businesses and organisations all being
affected. Online attacks that were once conducted solely for
notoriety are now increasingly motivated by economic gain, with
cyber criminals seeking access to information that can then be
sold as a commodity on the underground economy and possibly used
in further attacks.
2. Given Symantec's position as one of the world's
leaders in internet and information security we welcome the opportunity
to provide input to the Committee on the important questions raised
in the call for evidence.
What proportion of cyber-crime is associated with
malware?
3. To answer this question it is first necessary
to define what is meant by malware. For Symantec, malware is malicious
computer code that can be classified into four main threat types:
viruses, backdoors, worms and Trojans. As is commonly understood,
computer viruses propagate by infecting existing files on affected
computers with malicious code, while backdoor malware is code that
allows an attacker to remotely access compromised computers. Worms
are malicious code that replicates itself on infected computers and
copies itself to other computers, for example via USB storage devices
or by spreading through emails and instant messages. Trojans lead
users to unwittingly install malicious code onto their computers,
most commonly by opening email attachments or downloading from
a web site.
4. For the last seven years Symantec has produced
its Internet Security Threat Report. The longevity of the Symantec
report provides a unique view of how malware threats have evolved,
in scale and nature, as well as a current view of the worldwide
Internet threat activity seen today. According to the latest
report, published in April 2011 and covering 2010, the main malicious
code types seen in the UK were Trojans (55%) followed by worms
(38%) and backdoors (4%), with computer viruses (3%) being the
least seen malware type.
5. The volume and sophistication of malicious
code activity globally increased substantially in 2010. Symantec
recorded over three billion malware attacks and observed more
than 286 million unique variants of malware, with many malicious
code threats becoming increasingly sophisticated and combining multiple
features. For example, many worms and viruses now also incorporate
backdoor functionality. One reason for this is that threat developers
try to give malicious code multiple propagation vectors in order
to increase their odds of successfully compromising computers.
Such multi-layered malware is increasingly able to remain resident
on infected computers for longer, giving attackers more time to
steal information before the infection is discovered. As more users
become aware of these threats and competition among attackers
increases, it is likely that such complex malware threats will continue
to grow in sophistication as cyber criminals attempt to evade security
software. The use of new delivery mechanisms in 2010, such as
web-attack toolkits, has also driven up the amount of malware
seen in circulation.
6. The tactics and approach used by attackers
may also change and evolve depending on the target. For example,
a popular website, social network or mobile operating system may
be used to spread an attack, because the popularity of the compromised
environment increases the likelihood of the malware reaching
more users. In 2010 Symantec also saw an increased malware threat
to mobile devices, reflecting their popularity. As new devices, systems
and networks grow in popularity and use, such as mobile, social
networks, digital signatures and cloud computing, attackers will
look to exploit them as a means of targeting and attacking
users.
7. In 2010 Symantec also observed a number of
key attack themes, including a rise in targeted attacks, with
incidents such as Hydraq and Stuxnet each using different
types of malware to conduct their activities. The Stuxnet attack
is a key example of how malware is being used not only to conduct
traditional cyber crimes, such as fraud or extortion, but also
targeted cyber attacks on critical systems and networks such as,
in the case of Stuxnet, those used by the energy sector.
8. The Stuxnet attack targeted energy companies
around the world and is an example of a malware threat
designed specifically to gain access to and reprogram industrial control
systems. It is estimated that at least four zero-day
vulnerabilities were exploited in the Stuxnet attack, allowing the
worm to spread between computers and to gain privileged access to
the machines it infected; from there it targeted the Supervisory Control
and Data Acquisition (SCADA) software and design and usage documents
used to control industrial systems such as those in the energy sector.
This was the first time that so many zero-day vulnerabilities had
been exploited in one attack, and it indicates that the people who
developed and executed the attack were not amateurs. It is understood
that once the attackers gained entry into the targeted systems
a rootkit was used to hide their presence while they targeted
the software used to control industrial assets and processes.
It is also believed that legitimate digital certificates, stolen from
their owners, were used to sign components of the attack so that
they appeared trustworthy and did not raise alarms on the compromised
systems. The use of zero-day vulnerabilities, a rootkit, stolen
digital certificates and in-depth knowledge of SCADA software are
all high-quality attack assets, and together they point to a group
of possibly up to ten people having been involved in developing this
specific, targeted and technically sophisticated cyber attack.
9. In the past this type of cyber attack on
critical national infrastructure was seen by many as a theoretical
possibility, but it is fair to say that most would have dismissed
such an attack as simply a movie-plot scenario. The Stuxnet incident
has shown that such targeted, organised threats do exist, and that
external actors, motivated possibly by organised crime, terrorism or
even hostile nations, are designing, developing and deploying malware
in an attempt to gain control of industrial processes and place that
control in the wrong hands. This incident therefore represents a new
way in which malware is being used by cyber attackers, for reasons
other than financial gain or notoriety.
10. While the way in which the online threat environment
constantly evolves is perhaps better understood today, the sheer
scale and nature of the malware threats facing users can still be
difficult to grasp. Looking at the number of malicious code threats
observed in a specific period can provide an insight into the overall
level and variance of activity currently being seen in the global
threat landscape, and may help to paint a picture of the current
situation within which the Committee's inquiry is taking place.
11. In the period between 1 April and 30 June
2011 Symantec observed approximately 166 million[25]
unique malicious code threats, or malware, and observed on average
138,000 web-based attacks. The malware detected in this time consisted
of both existing and new threats. Alongside the continued prevalence
of botnets and web-based attacks, the period between April and June
also saw the emergence of new worm threats such as Qakbot, a worm
designed specifically to steal online banking account information
from compromised computers. In the same period, notable events such
as the UK Royal Wedding, the Japan tsunami and the death of Osama
Bin Laden were all exploited by malware developers through spam and
phishing campaigns against internet users.
Where does the malware come from? Who is creating
it and why?
12. According to the latest Threat Report, the
top country from which attacks targeting the UK originated in
2010 was the United States (38%), followed by the UK itself (17%),
China (11%), Turkey (4%) and Canada (3%).[26]
While these figures give an indication of the origins of malicious
activity, it is important to recognise that they do not give the
full picture of where malware actually originates. While an attack
may appear to be coming from America or China, the attacker
could in fact be located in an entirely different country and may
only be using networks, systems and botnet-infected users' computers
in those countries to distribute and conduct attacks. In addition,
the creator of the malicious code itself may be located somewhere
else altogether. Locating the origins of malware, and therefore who
is actually creating it, is not something that a single organisation
or company can achieve, as it requires different pieces of information
about an attack, like pieces of a puzzle, to be brought together
from different sources as and when appropriate.
13. Although it is difficult to determine the
specific origins, objectives and motivations of attackers,
a high proportion of the attacks Symantec sees are driven
by economic and financial gain and consequently by information theft.
Recent incidents have also fuelled public speculation about the possible
political motivation of some attacks.
14. It is perhaps easier to comment on why malware
is being created and on the motivation of those creating it.
Cyber criminals today are both organised and professional, with
activities run like a business: malware research and development
departments, marketing divisions that use online sites to promote
and sell attack toolkits, and support services and help lines for
when malware needs to be updated or modified, for example in order
to avoid detection.
15. End users continue to be the main target
for cyber criminals, with confidential information a valuable commodity
that criminals can then use in social engineering or in more
targeted attacks.
What level of resources are associated with combating
malware?
16. Given the online threat environment and the increasingly
sophisticated malware to which organisations are exposed, having
the appropriate technology and solutions in place to address security
incidents effectively is important. In the current economic
climate, the cost challenges that organisations and individuals
face may raise many questions as to the level of resources
needed. Determining the most appropriate and proportionate level
of technological resources is a decision that should be
based on an assessment and identification of the level of risk
being faced.
17. For Symantec, an appropriate approach to addressing
possible cyber security threats requires prevention of incidents
as well as preparedness to act if and when an incident
occurs. A key resource for being prepared for a cyber
security incident is therefore having the right information at the right
time to consider the possible threat or risk and take action as
and when necessary. Real-time threat intelligence can assist in the
assessment of a risk and enable a timely response to a threat
or incident by deploying appropriate operational capabilities to
address specific security risks. Technological tools and solutions
clearly also have a role to play in deploying countermeasures to
combat and eradicate malware if an incident does occur.
18. It is also important, however, to recognise
that in order to combat cyber risks resources should not be
focused on technology alone. An approach is needed that ensures
appropriate technology is in place (based on an assessment of
risk), that policies and procedures for responding to an incident are
developed, and that resources are also allocated to ensuring people
have the necessary cyber security skills and knowledge.
19. While it is recognised that the current economic
climate may present resource challenges, it is important that
public and private sector organisations understand the importance
of investing in, and deploying, appropriate security measures
and solutions to protect against the increasingly hostile online threat
environment.
What is the cost of malware to individuals and
how effective is the industry in providing protection to computer
users?
20. On 7 September Symantec published
its latest Norton Cybercrime Report.[27]
Based on a survey of individuals about their experience of malware
and cybercrime, the 2011 report found that malware, specifically
computer viruses, was the top cyber crime reported by both UK
and global individual users. In the UK 38% of respondents had
suffered a malware-related incident, of which 55% occurred in the
last 12 months. This is the most common type of cyber crime experienced
by users in the past 12 months. Following malware in the list
of cyber crimes experienced by users was online credit card fraud
(10% of respondents), followed by social network profile hacking
(6%). The Norton Cybercrime Report estimates the total net cost
of cybercrime to the UK at £1.1 billion. The time lost
by victims of cybercrime is valued at £618.9 million,
while the direct cash cost to victims from factors such as money
stolen and the cost of resolving cybercrime is estimated at £474.2
million.
21. From the perspective of the computer security
industry, Symantec continues to develop and supply tools and solutions
that enable users to put in place appropriate measures to protect
their systems, networks and information. Symantec works around
the world to ensure there is an adequate level of protection for
users against online threats. Software companies, however, cannot
and should not be held responsible for what they do not effectively
control, such as how the customer installs, configures, uses and
updates security software. Effective cyber security is
not just about technology but also about processes and education. Users
must also be aware of and educated about cyber threats and have the
knowledge and skills to be safe online.
Should the Government have a responsibility to
deal with the spread of malware in a similar way to human disease?
22. It was the computer expert Fred Cohen who
is reported to have coined the phrase "computer virus" back in the 1980s
as a way of describing how a file can infect a computer and propagate
itself through a device, similar to a virus in a human body. The
analogy is still relevant today, particularly with the rise in
malware delivered through malicious spam emails. A provider of anti-spam
services uses technical information, such as traffic data, to
detect spam and deploy anti-spam techniques. It is rather like
the immune system of the body recognising a pathogen (in this
case the malicious traffic) and producing the necessary antibodies.
Operating in this automated way enables the security provider
to determine whether an email is spam and to address the malware
quickly and effectively to protect the potential victim.
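To make the "traffic data" idea in paragraph 22 concrete, the following is an added illustration and is not code from the Symantec submission or from any Symantec product. It runs a purely traffic-based heuristic over a small, constructed mail log: a sender is flagged when its message rate within a sliding one-minute window or its number of distinct recipients exceeds a threshold, with no inspection of message content at all. The log format, the sender and recipient addresses and the thresholds are all assumptions chosen for the example.

```python
"""Traffic-based spam detection over a constructed mail log.

Added example, not part of the original submission. The log format
("ISO-timestamp sender recipient"), the addresses and the thresholds
are assumptions made for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SenderVerdict:
    messages: int              # total messages seen from this sender
    distinct_recipients: int   # how many different recipients it wrote to
    peak_per_window: int       # most messages seen in any single window
    flagged: bool              # True if any threshold was exceeded
    reasons: tuple             # human-readable reasons for the flag


def _constructed_log() -> str:
    """Build a constructed (not captured) log: two normal senders plus
    one bulk sender that blasts 30 distinct recipients in 30 seconds."""
    base = datetime(2011, 6, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()} alice@example.org bob@example.net",
        f"{(base + timedelta(seconds=40)).isoformat()} alice@example.org carol@example.net",
    ]
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} promo@bulk-sender.test user{i}@example.net")
    for i in range(12):  # a chatty but legitimate sender: 12 mails to 3 colleagues
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} dave@example.org team{i % 3}@example.net")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text: str):
    """Parse log lines into (timestamp, sender, recipient) sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sender, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    events.sort(key=lambda e: e[0])
    return events


def score_senders(events, window=timedelta(minutes=1),
                  max_per_window=20, max_recipients=15):
    """Flag senders whose traffic shape, not content, looks like bulk mail."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        by_sender[sender].append((ts, rcpt))

    verdicts = {}
    for sender, msgs in by_sender.items():
        recent = deque()  # timestamps inside the current sliding window
        peak = 0
        for ts, _ in msgs:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        distinct = len({rcpt for _, rcpt in msgs})

        reasons = []
        if peak > max_per_window:
            reasons.append(f"{peak} messages within {window} (limit {max_per_window})")
        if distinct > max_recipients:
            reasons.append(f"{distinct} distinct recipients (limit {max_recipients})")
        verdicts[sender] = SenderVerdict(len(msgs), distinct, peak,
                                         bool(reasons), tuple(reasons))
    return verdicts


def detect(text: str = SAMPLE_LOG, **thresholds):
    """Convenience wrapper: parse the log and score every sender."""
    return score_senders(parse_log(text), **thresholds)


if __name__ == "__main__":
    for sender, v in sorted(detect().items()):
        status = "FLAGGED" if v.flagged else "ok"
        print(f"{sender:28} {status:8} {'; '.join(v.reasons)}")
```

The point of the example is that the verdict depends only on who sent how much to how many and how fast, which is exactly the kind of data a mail provider sees even when it cannot, or should not, read the messages themselves. The thresholds are deliberately crude; a production filter would combine such rate signals with sender reputation and content analysis.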
23. Since the 1980s not only has the nature
of computer viruses changed but so has the environment in which
they operate, given the interconnected nature of advanced electronic
networks and systems. Sophisticated malware attacks today can
use more than one type of malware, multiplying rapidly across
a number of different domains, infrastructures and devices that may
be used, owned, managed or controlled by a number of different parties
in both the public and private sector.
24. Ensuring the ongoing resilience and stability
of the Internet against cyber threats is therefore not a responsibility
of governments alone but one shared by all those using the Internet.
The nature of the internet and of IT is such that no single person
can be held accountable, and we all share a collective responsibility
to protect ourselves and our customers, whether they are businesses,
users or citizens. Given the complex cyber ecosystem of the internet,
the threat information, technical intelligence and cyber security
expertise and advice that may be needed in a cyber-related incident
will reside across a number of different sources both inside and
outside government. For example, it is estimated that 90% of critical
national infrastructure, which is increasingly reliant on interconnected
networks and systems and therefore a possible target for cyber attacks,
is privately owned and managed. As a result, public and private sector
co-operation and collaboration are key to helping not only the
government but also industry to identify, assess and evaluate the
seriousness of cyber incidents.
25. The government does have a role to play in
considering and addressing the UK's preparedness for cyber-related
issues and in providing coordination. The recognition of the cyber
threats to the UK in the National Security and Defence Strategy
was welcomed, as was the focus on the importance of public-private
partnership, which should continue to be supported. Given the importance
of the ongoing resilience and stability of the internet to the
societal and economic stability of the UK, cyber security must
remain a long-term overarching public policy objective.
How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
26. Symantec is supportive of government efforts
to gather advice and information in the event of a cyber incident
as needed and bring together those that may need to work together
to address an issue as and where appropriate and within the boundaries
of the law.
27. Symantec sees the Office of Cyber Security
as playing a key role in coordinating government activities in
this area and the operational response to cyber-related issues.
The willingness of the Office of Cyber Security to engage and
work with industry is also welcomed, given the shared responsibility
to prepare for and address cyber incidents as and when they occur.
It is recognised that the UK has a number of different bodies addressing
cyber security issues at many different levels, ranging
from e-crime to critical national infrastructure protection. These
bodies include CPNI and the Police Central e-Crime Unit, both of which
play an important role in addressing cyber security issues in the UK.
28. Coordination and cooperation between the
public and private sector on addressing the spread of cyber
threats are an important component of a cyber security strategy,
not only in the UK but globally. The UK government's involvement
in European and international forums where cyber security issues are
discussed, such as ENISA, the UN Internet Governance Forum, the ITU and
the OECD, as well as the UK's participation in cyber security
exercises, are welcomed and should continue in order to ensure that
the UK plays a leading role in international efforts.
ABOUT SYMANTEC
Symantec is a world leader in providing solutions
to help individuals and enterprises assure the security, availability,
and integrity of their information. Headquartered in Cupertino,
Calif., Symantec has operations in more than 40 countries. Further
information can be found at www.symantec.com.
7 September 2011
[25] Symantec Intelligence Quarterly: April-June 2011 (10 August 2011)
[26] Symantec Internet Security Threat Report: Trends for 2010, United Kingdom Data (Volume 16, April 2011)
[27] Norton Cybercrime Report 2011, http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/