Memorandum by Symantec
Symantec welcomes the opportunity offered by
the Science and Technology Committee to submit evidence on security
issues affecting private individuals when using communicating
computer-based devices, either connecting directly to the Internet,
or employing other forms of inter-connectivity.
I. DEFINING THE
What is the nature of the security threat to private
individuals? What new threats and trends are emerging and how
are they identified? What is the scale of the problem?
The nature of the security threat varies from
attacks on technical vulnerabilities to social engineering techniques
(viruses, worms, spyware, phishing);
The emergence of new technologies
such as Instant Messaging (IM) and VoIP creates new potential
platforms for e-crime. For example, IM, one of the most successful
and widely deployed applications on the Internet, has become a
potent means of propagating viruses, worms and other threats.
It is also particularly well suited to social engineering tactics
and, in the case of young users, to grooming for paedophilia, as
it is a tool which tends to be inherently trusted by users. As
IM moves to voice and video, the risk of child exposure
to harmful content may increase. Parental controls and levels of
access could be included to protect children from these emerging
Shift from attacks motivated by notoriety
to attacks motivated by economic gain: Private individuals are
increasingly targeted by phishing scams and spyware designed to
steal confidential information and pass it along to attackers;
Fraud and theft: as rewards become more
attractive, attackers will continue to improve their methods;
the volume and severity of attacks continue to rise, shifting from
noisy-category attacks to quieter, stealthier category 1 and 2 attacks;
Increased Threats to e-Commerce:
During the second half of 2005, e-Commerce was the single most
targeted industry, with nearly 16 percent of attacks directed against it.
This represents a 400 percent increase from the 4 percent reported
during the previous six months;
Attacks against web application technologies
are increasingly popular: Web application technologies are appealing
targets for attacks because of their widespread deployment within
organisations and the relative ease with which they can be exploited.
Web applications allow attackers to gain access to the target
system simply by penetrating one end-user's computer, bypassing
traditional perimeter security measures. Nearly 82 percent of
documented Web application vulnerabilities were classified as
easy to exploit, thereby representing a significant threat to
an organisation's infrastructure and critical information assets;
Time Between Vulnerability and Exploit
is shortening: According to the report, the time between the announcement
of a vulnerability and the release of associated exploit code
was extremely short. Symantec data
indicates that over the past six months, the average vulnerability-to-exploit
window was just 5.8 days. Once an exploit has been released, the
vulnerability is often widely scanned for and quickly exploited.
This short window leaves organisations with less than a week to
patch vulnerable systems;
Bots and Bot Networks and customisable
or "modular malicious" code are the preferred method
of attack. Adding to concern about the short vulnerability-to-exploit
window is the growth in bots (short for "robot"). Bots
are programs that are covertly installed on a targeted system,
allowing an unauthorised user to remotely control the computer
for a wide variety of purposes. Attackers often co-ordinate large
groups of bot-controlled systems, or bot networks, to scan for
vulnerable systems and use them to increase the speed and breadth
of their attacks. Over the past six months, Symantec has seen
a large increase in the number of remotely controlled bots. During
the first six months of 2004, the average number of monitored
bots rose from under 2,000 to more than 30,000 per day, peaking
at 75,000 in one day. Bot networks create unique problems for
organisations because they can be remotely upgraded with new exploits
very quickly, which could potentially allow attackers to outpace
an organisation's security efforts to patch vulnerable systems;
Increase in Severe, Easy-to-Exploit
Vulnerabilities: Symantec documented more than 1,237 new vulnerabilities
between January 1 and June 30, 2004, an average of 48 new vulnerabilities
per week. Seventy percent of these vulnerabilities were considered
easy to exploit, and 96 percent were considered moderately or
highly severe. Consequently, organisations must contend with an
average of more than seven new vulnerabilities per day, and a
significant percentage of these vulnerabilities could result in
a partial or complete compromise of the targeted system.
The Slammer worm was the most common
attack in the second half of 2005, with 15 percent of attacking
IP addresses performing an attack related to it. Gaobot and its
variants were the second most common attack, increasing by more
than 600 percent over the past six months;
Overall, the daily volume of attacks
is decreasing due to a decline in Internet-based worm attack activity
over the first six months of 2004. E-Commerce received the most
targeted attacks of any industry during this period; small business
received the second most; and
The United States was the top attack
source country with 37 percent, down from 58 percent in the previous
six months. Other countries rose accordingly, indicating that
attack activity is becoming more international. The UK remains the
top originating country for bot attacks (7 percent of worldwide
bot attacks), probably due to the rollout of broadband connections
which are not adequately secured;
During the first six months of 2004,
the average time between the public disclosure of a vulnerability
and the release of an associated exploit was 5.8 days;
The Symantec Vulnerability Database
documented 1,237 new vulnerabilities between January 1 and June
30, 2004. Ninety-six percent of documented vulnerabilities disclosed
during this period were rated as moderately or highly severe;
70 percent of vulnerabilities were considered easy to exploit;
64 percent of vulnerabilities for which exploit code is available
were considered high severity; and
In the first half of 2004, 479 vulnerabilities, or
39 percent of the total volume, were associated with Web
Malicious Code Trends:
Over the past six months, Symantec
documented more than 4,496 new Windows viruses and worms (particularly
Win32), more than 4.5 times the number in the same period in 2003;
The number of distinct variants of
bots is rising dramatically, increasing by 600 percent over the
past six months;
Peer-to-peer services (P2P), Internet
relay chat (IRC), and network file sharing continue to be popular
propagation vectors for worms and other malicious code;
Adware is becoming more problematic,
making up six of the top 50 malicious code submissions; and
The first malicious worm for mobile
devices, Cabir, was developed.
Future and Emerging Trends:
User-side attacks are expected to
increase in the near future. Targeted attacks on firewalls, routers,
and other security devices protecting users' systems are also
a growing security concern;
Symantec expects bot networks to
employ increasingly sophisticated methods of control and attack
synchronisation that are difficult to detect and locate. Symantec
also expects to see instances of port knocking, a method attackers
may use to create direct connections to potential target systems;
Symantec expects that recent Linux
and BSD vulnerabilities that have been discovered and used in
proof-of-concept exploits will be used as exploit-based worms
in the near future. Symantec also expects to see more attempts
to exploit mobile devices.
How are security breaches affecting the individual
user detected and recorded?
There are a number of technologies available
to detect and record security breaches and attacks. These are
employed in different ways by different users. For example, the
average consumer who runs a security solution such as the Symantec
Internet Security suite on his or her PC will have a set of
log files generated every time malicious activity is detected.
In addition, the user receives pop-up messages from the
Symantec security solution describing the attack, the measures
taken to protect the system and how its status is affected.
Similar log files and messages to the user or the system
administrator are generated by the different Symantec security
solutions installed in enterprise environments. In addition, there
is specialised sensor technology employed by the Symantec early warning
system (DeepSight), which is designed to record attack activity
and provide early warning information and intelligence on attacks.
Another technology is employed by Symantec Managed Security Services,
which uses sensors to monitor customer systems in real time, alerts
the system administrator to attacks on those systems and can even
take precautionary measures to prevent a system compromise.
The UK Government, through the DTI, is also conducting
an e-crime and breach survey which Symantec has sponsored.
Hence it is evident that there are a number
of technologies, suited to different environments and different
levels of user sophistication, that afford an adequate level of
information and warning about attacks.
How well do users understand the nature of the
There is a lack of awareness about the current
level of information security threats. Depending on their level
of sophistication, economic capacity and risk profile, users and
enterprises will understand the problem to a greater or lesser
degree and will or will not take relevant measures. The average
consumer or SME is probably the one with the least knowledge of
this issue, which probably makes them the most vulnerable, due to
a large extent to the proliferation of broadband connectivity.
It is therefore welcomed that the UK
Government, in conjunction with a number of private sector entities,
is conducting awareness-raising activities like the Get Safe Online
campaign. The European Union has also underscored the importance
of awareness raising on its recent Communication
on information security. Awareness raising is also one of the
tasks of the European Network and Information Security Agency
(ENISA) that recently issued a toolkit
for governments on this topic.
What can and should be done to provide greater
computer security to private individuals? What, if any, are the
potential concerns and trade-offs?
A role for intermediaries: In order
to address the computer security of private individuals effectively
it is necessary to address it from a global standpoint and lay
out a multi-layered defence against attacks. Security remains
ultimately also a user responsibility and the end-to-end nature
of the Internet cannot and should not be challenged. However,
as an increasingly complex and constantly evolving threat landscape
unfolds, private users cannot be expected to guarantee their security
online alone. Upstream defence is necessary. For instance, electronic
communication service providers can play a key role in addressing
information security threats as a first line of defence;
Competition as a guarantee for security:
Diversity in software platforms and applications is key to containing
the spread of security threats such as malware and viruses. A
monoculture in software applications would mean that a single
point of failure would affect users globally. Promoting a competitive
market for the security software industry protects diversity and thereby
Early warning and intelligence collection:
Layered defence entails anticipation. Tracking security events
on a global basis can enable early warning of upcoming active
attacks. This allows users to be alerted and as well prepared as
possible against a potential attack; and
Raising awareness and User Best practice
(cf. annex 1): User awareness of the threat and of the means to
address it is as important as technical protection of the computer. As
networks and computers become more secure, hackers turn to the
weakest link, the individual user (for example, phishing scams).
Educating the user to use information and communications technology
responsibly is therefore as important as protecting the machine;
There is a role for business and government
to play and collaborate in this respect. Public/private partnership
fora can help establish and monitor best-practice standards. Awareness-raising
tools include training in the workplace and via easy-to-use public
access web sites where users can learn and also share experiences.
The media can also be enlisted to publicise the importance of
safe cyber practices. Symantec has drawn up a list of user
best practices, enclosed at annex 1.
What is the level of public awareness of the threat
to computer security and how effective are current initiatives
in changing attitudes and raising that awareness?
It is somewhat effective provided that awareness
campaigns take place and that there is a follow up to those activities.
Public-private partnerships among government and industry have
a key role to play in this area.
What factors may prevent private individuals from
following appropriate security practices?
Lack of awareness of the potential danger is
a main factor which prevents private individuals from following
appropriate security practices.
What role do software and hardware design play
in reducing the risk posed by security breaches? How much attention
is paid to security in the design of new computer-based products?
More and more attention is paid to security
when designing new IT products, although, until the level
of threat and the risk profile are well understood, it may not
always be straightforward to assess adequately the level of security
required for new products. A good example is VoIP
technologies, which were originally designed with quality
of service as the primary consideration. The more VoIP communications
proliferate, the more the security and confidentiality of those communications
will become a key issue. At the same time, it is important for
policy-makers to ensure that security is not used as an
argument for anti-competitive practices (such as intentional refusal
to disclose information related to interoperability) when bringing
a new product to market. Diversity, innovation and competition
are key drivers for security, which would be hampered if there
cannot be competing security solutions on the different technology
Who should be responsible for ensuring effective
protection from current and emerging threats?
There cannot be a single entity held accountable.
The nature of the internet and IT technology is such that no single
person can be held accountable.
How effective are initiatives on IT governance
in reducing security threats?
Often security is seen more as a cost and less
as a business enabler. Regulatory compliance therefore is often
seen as a key driver for information security being placed high
in the agenda of IT governance. Examples include regulations on
data protection, SOX, data retention and Basel II.
How far do improvements in governance and regulation
depend on international co-operation?
Considerably. EU-US co-operation is critical
in this area. Frequently regulations issued by either side will
cascade to the business environment of the other, having extra-territorial
effects. Examples in this area include data protection for Europe
and SOX for the US. These create major compliance challenges and
a patchwork of regulations that increase costs and inefficiency.
Is the regulatory framework for Internet services
The regulatory framework for Internet services
within the meaning of Electronic Communications, Information Society
services and E-Commerce, is probably adequate. However when it
comes to information security, with the exception of some criminal
law provisions and data protection, there is no specific information
security regulatory framework.
What, if any, are the barriers to developing information
security systems and standards and how can they be overcome?
It is important to ensure strong intellectual
property protection to the developers of information security
technology so as to create research and investment incentives
in this fast growing and changing arena.
It is important to ensure software quality by
improving the current Common Criteria certification process in
terms of technological quality as well as in terms of cost reduction.
The cost element is particularly important in allowing new entrants
in the market. It is important to ensure that there are no competing
certification or standardisation schemes to Common Criteria because
this will increase the costs of creating secure technologies that
are commonly accepted across a number of jurisdictions.
It is also important that there are no technology
mandates introduced for security, because that could stifle innovation
and ultimately achieve the opposite of the desired results in terms
Finally, it is of paramount importance, for the reasons
previously explained, to ensure a functional and competitive marketplace
whereby users and consumers have a choice about the technologies
they wish to use and providers have access to the information necessary
to compete in developing high-quality and innovative security
IV. CRIME PREVENTION
How effective is Government crime prevention policy
in this area? Are enforcement agencies adequately equipped to
tackle these threats?
The UK is probably among the best placed countries
in comparison to several other EU Member States in countering
cybercrime. However, there is certainly room for improvement by
providing more training and more resources to the UK police. Strong
collaboration with the private sector in this area is a key success
factor as it is the private sector that controls the infrastructure
and has most knowledge about the threats. Recently the NHTCU was
incorporated into SOCA. It remains to be seen how this will affect
the enforcement activities.
Is the legislative framework in UK criminal law
adequate to meet the challenge of cyber-crime?
The CMA is currently before the House of Lords
for updating. There is probably consensus about the need to update
the CMA and, in general, it is fair to say that the business community
probably shares the objectives that the amendments proposed by
the government aim to achieve. However, some questions have been
raised by industry regarding the wording proposed for some of
the CMA amendments. It is felt that the language proposed could
be improved so as to ensure a higher level of legal certainty.
How effectively does the UK participate in international
actions on cyber-crime?
The UK is active in international forums and is
known to be an effective counterpart. The UK is active in the
G8 and in the EU. However, unlike the US which recently ratified
the Council of Europe Convention on cybercrime, the UK has still
to do so despite having signed it. There is strong business support
for the ratification of the Convention as it is by far the most
comprehensive legal instrument in the fight against cybercrime.
1 Symantec uses a threat matrix to categorise the
different levels of threat posed by malware. The categorisation
within that matrix, ranging from 1 (least severe) to 4 (most severe),
is determined by a number of factors, such as the ease of infection,
the speed of propagation, the damage caused etc.
2 Idem as 1.
3 cf. Symantec Internet Security Report, Trends for July 2005 to
December 2005, Vol IX, March 2006.