Select Committee on Science and Technology Minutes of Evidence

Memorandum by Symantec

  Symantec welcomes the opportunity offered by the Science and Technology Committee to submit evidence on security issues affecting private individuals when using communicating computer-based devices, either connecting directly to the Internet, or employing other forms of inter-connectivity.


What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified? What is the scale of the problem?

    —  The nature of the security threat varies from attacks on technical vulnerabilities to social engineering techniques (viruses, worms, spyware, phishing);

    —  The emergence of new technologies such as Instant Messaging (IM), VoIP etc. creates new potential platforms for e-crime. For example, IM, one of the most successful and widely deployed applications on the Internet, has become a potent means of propagating viruses, worms and other threats. It is also particularly well suited to social engineering tactics and, in the case of young users, to grooming for paedophilia, as it is a tool which tends to be inherently trusted by users. As IM moves to voice and video, the scope of risk of child exposure to harmful content may increase. Parental controls and levels of access could be included to protect children from these emerging risks;

    —  Shift from attacks motivated by notoriety to attacks motivated by economic gain: Private individuals are increasingly targeted by phishing scams and spyware designed to steal confidential information and pass it along to attackers;

    —  Fraud and theft: as rewards get more attractive, attackers will continue to improve their methods. The volume and severity of attacks continue to rise, shifting from noisy category 3 and 4[1] attacks to quieter, stealthier category 1 and 2[2] attacks;

    —  Increased threats to e-Commerce: during the second half of 2005, e-Commerce was the single most targeted industry, with nearly 16 percent of attacks directed against it. This represents a 400 percent increase from the 4 percent reported during the previous six months;

    —  Attacks against web application technologies are increasingly popular: Web application technologies are appealing targets for attacks because of their widespread deployment within organisations and the relative ease with which they can be exploited. Web applications allow attackers to gain access to the target system simply by penetrating one end-user's computer, bypassing traditional perimeter security measures. Nearly 82 percent of documented Web application vulnerabilities were classified as easy to exploit, thereby representing a significant threat to an organisation's infrastructure and critical information assets;

    —  Time Between Vulnerability and Exploit is shortening: According to the report, the time between the announcement of a vulnerability and the release of associated exploit code was extremely short. Symantec data[3] indicates that over the past six months, the average vulnerability-to-exploit window was just 5.8 days. Once an exploit has been released, the vulnerability is often widely scanned for and quickly exploited. This short window leaves organisations with less than a week to patch vulnerable systems;

    —  Bots and Bot Networks and customisable or "modular malicious" code are the preferred method of attack. Adding to concern about the short vulnerability-to-exploit window is the growth in bots (short for "robot"). Bots are programs that are covertly installed on a targeted system, allowing an unauthorised user to remotely control the computer for a wide variety of purposes. Attackers often co-ordinate large groups of bot-controlled systems, or bot networks, to scan for vulnerable systems and use them to increase the speed and breadth of their attacks. Over the past six months, Symantec has seen a large increase in the number of remotely controlled bots. During the first six months of 2004, the average number of monitored bots rose from under 2,000 to more than 30,000 per day—peaking at 75,000 in one day. Bot networks create unique problems for organisations because they can be remotely upgraded with new exploits very quickly, which could potentially allow attackers to outpace an organisation's security efforts to patch vulnerable systems; and

    —  Increase in Severe, Easy-to-Exploit Vulnerabilities: Symantec documented more than 1,237 new vulnerabilities between January 1 and June 30, 2004, an average of 48 new vulnerabilities per week. Seventy percent of these vulnerabilities were considered easy to exploit, and 96 percent were considered moderately or highly severe. Consequently, organisations must contend with an average of more than seven new vulnerabilities per day, and a significant percentage of these vulnerabilities could result in a partial or complete compromise of the targeted system.

  Attack Trends:

    —  The Slammer worm was the most common attack in the second half of 2005, with 15 percent of attacking IP addresses performing an attack related to it. Gaobot and its variants were the second most common attack, increasing by more than 600 percent over the past six months;

    —  Overall, the daily volume of attacks is decreasing due to a decline in Internet-based worm attack activity over the first six months of 2004. E-Commerce received the most targeted attacks of any industry during this period; small business received the second most; and

    —  The United States was the top attack source country with 37 percent, down from 58 percent in the previous six months. Other countries rose accordingly, indicating that attack activity is becoming more international. The UK remains the top originating country for bot attacks (7 percent of worldwide bot attacks), probably due to the roll-out of broadband connections which are not adequately secured;

  Vulnerability Trends:

    —  During the first six months of 2004, the average time between the public disclosure of a vulnerability and the release of an associated exploit was 5.8 days;

    —  The Symantec Vulnerability Database documented 1,237 new vulnerabilities between January 1 and June 30, 2004. Ninety-six percent of documented vulnerabilities disclosed during this period were rated as moderately or highly severe; 70 percent of vulnerabilities were considered easy to exploit; 64 percent of vulnerabilities for which exploit code is available were considered high severity; and

    —  In the first half of 2004, 479 vulnerabilities—or 39 percent of the total volume—were associated with Web application technologies.

  Malicious Code Trends:

    —  Over the past six months, Symantec documented more than 4,496 new Windows viruses and worms (particularly Win32), more than 4.5 times the number in the same period in 2003;

    —  The number of distinct variants of bots is rising dramatically, increasing by 600 percent over the past six months;

    —  Peer-to-peer services (P2P), Internet relay chat (IRC), and network file sharing continue to be popular propagation vectors for worms and other malicious code;

    —  Adware is becoming more problematic, making up six of the top 50 malicious code submissions; and

    —  The first malicious worm for mobile devices, Cabir, was developed.

  Future and Emerging Trends:

    —  User-side attacks are expected to increase in the near future. Targeted attacks on firewalls, routers, and other security devices protecting users' systems are also a growing security concern;

    —  Symantec expects bot networks to employ increasingly sophisticated methods of control and attack synchronisation that are difficult to detect and locate. Symantec also expects to see instances of port knocking, a method attackers may use to create direct connections to potential target systems; and

    —  Symantec expects that recent Linux and BSD vulnerabilities that have been discovered and used in proof-of-concept exploits will be used as exploit-based worms in the near future. Symantec also expects to see more attempts to exploit mobile devices.

How are security breaches affecting the individual user detected and recorded?

  There are a number of technologies available to detect and record security breaches and attacks. These are employed in different ways by different users. For example, the average consumer who is using a security solution on his or her PC, such as the Symantec Internet Security suite, will have a set of log files generated every time malicious activity is detected. In addition, the user will receive pop-up messages from the Symantec security solution informing them about the attack, the measures taken to protect the system and how its status is affected. Similar log files and messages to the user or the system administrator are generated by the different Symantec security solutions installed in enterprise environments. In addition, there exists specialised sensor technology employed by the Symantec early warning system (DeepSight), which is designed to record attacking activity and provide early warning information and intelligence on attacks. Another technology is employed by Symantec Managed Security Services, which use sensors to monitor customer systems in real time and alert the system administrator to attacks on their systems, or can even take precautionary measures to prevent a system compromise.

  The UK government through DTI is also conducting an e-crime and breach survey which Symantec has sponsored.

  Hence it is evident that there are a number of technologies, suitable for different environments and different levels of user sophistication, that afford an adequate level of information and warning about attacks.

How well do users understand the nature of the threat?

  There is a lack of awareness about the current level of information security threats. Users and enterprises, depending upon their level of sophistication, economic capacity and risk profile, may or may not understand the problem and may or may not take relevant measures. The average consumer and the SME are probably the ones with the least knowledge of this issue, which makes them probably the most vulnerable, due to a large extent to the proliferation of broadband connectivity. It is therefore welcome that the UK Government, in conjunction with a number of private sector entities, is conducting awareness-raising activities such as the Get Safe Online campaign. The European Union has also underscored the importance of awareness raising in its recent Communication[4] on information security. Awareness raising is also one of the tasks of the European Network and Information Security Agency (ENISA), which recently issued a toolkit[5] for governments on this topic.


What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

    —  A role for intermediaries: in order to address computer security for private individuals effectively, it is necessary to address it from a global standpoint and lay out a multi-layered defence against attacks. Security ultimately remains a user responsibility too, and the end-to-end nature of the Internet cannot and should not be challenged. However, as an increasingly complex and constantly evolving threat landscape unfolds, private users cannot be expected to guarantee their security online alone. Upstream defence is necessary. For instance, electronic communication service providers can play a key role in addressing information security threats as a first line of defence;

    —  Competition as a guarantee for security: Diversity in software platforms and applications is key to containing the spread of security threats such as malware and viruses. A monoculture in software applications would entail that a single point of failure would affect users globally. Promoting a competitive market for security software industry protects diversity and thereby enhances security;

    —  Early warning and intelligence collection: layered defence entails anticipation. Tracking security events on a global basis can enable early warning of upcoming active attacks. This allows users to be alerted and to be as well prepared as possible against a potential attack; and

    —  Raising awareness and user best practice (cf. annex 1): user awareness of the threat and of the means to address it is as important as technical computer protection. As networks and computers become more secure, hackers turn to the weakest link, the individual user (for example, phishing scams). Educating the user to use information and communications technology responsibly is therefore as important as protecting the machine.

  There is a role for business and government to play and to collaborate in this respect. Public/private partnership fora can help establish and monitor best-practice standards. Awareness-raising tools include training in the workplace and easy-to-use public access web sites where users can learn and also share experiences. The media can also be enlisted to publicise the importance of safe cyber practices. Symantec has drawn up a list of user best practices, enclosed at annex 1.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  It is somewhat effective provided that awareness campaigns take place and that there is a follow up to those activities. Public-private partnerships among government and industry have a key role to play in this area.

What factors may prevent private individuals from following appropriate security practices?

  Lack of awareness of the potential danger is a main factor which prevents private individuals from following appropriate security practices.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  More and more attention is paid to security when designing new IT products, although, until the level of threat and the risk profile are well understood, it may not always be straightforward to adequately assess the level of security required for new products. A good example is VoIP technologies, which were originally designed with quality of service as the primary consideration. The more VoIP communications proliferate, the more the security and confidentiality of those communications will become a key issue. At the same time, it is important for policy-makers to ensure that security is not used as an argument for anti-competitive practices (such as intentional refusal to disclose information related to interoperability) when bringing a new product to market. Diversity, innovation and competition are key drivers for security, which would be hampered if there could not be competing security solutions on the different technology platforms.

Who should be responsible for ensuring effective protection from current and emerging threats?

  There cannot be a single entity held accountable. The nature of the internet and IT technology is such that no single person can be held accountable.


How effective are initiatives on IT governance in reducing security threats?

  Often security is seen more as a cost and less as a business enabler. Regulatory compliance is therefore often seen as a key driver for information security being placed high on the agenda of IT governance. Examples include regulations on data protection, SOX, data retention and Basel II.

How far do improvements in governance and regulation depend on international co-operation?

  Considerably. EU-US co-operation is critical in this area. Frequently regulations issued by either side will cascade to the business environment of the other, having extra-territorial effects. Examples in this area include data protection for Europe and SOX for the US. These create major compliance challenges and a patchwork of regulations that increase costs and inefficiency.

Is the regulatory framework for Internet services adequate?

  The regulatory framework for Internet services within the meaning of Electronic Communications, Information Society services and E-Commerce, is probably adequate. However when it comes to information security, with the exception of some criminal law provisions and data protection, there is no specific information security regulatory framework.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  It is important to ensure strong intellectual property protection to the developers of information security technology so as to create research and investment incentives in this fast growing and changing arena.

  It is important to ensure software quality by improving the current Common Criteria certification process in terms of technological quality as well as in terms of cost reduction. The cost element is particularly important in allowing new entrants in the market. It is important to ensure that there are no competing certification or standardisation schemes to Common Criteria because this will increase the costs of creating secure technologies that are commonly accepted across a number of jurisdictions.

  It is also important that no technology mandates are introduced for security, because that could stifle innovation and ultimately achieve the opposite of the desired results in terms of protection.

  Finally it is of paramount importance for reasons previously explained to ensure a functional and competitive marketplace whereby users and consumers will have choice about the technologies they wish to use and providers have access to the necessary information to compete in developing high-quality and innovative security products.


How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  The UK is probably among the best placed countries in comparison to several other EU Member States in countering cybercrime. However, there is certainly room for improvement by providing more training and more resources to the UK police. Strong collaboration with the private sector in this area is a key success factor as it is the private sector that controls the infrastructure and has most knowledge about the threats. Recently the NHTCU was incorporated into SOCA. It remains to be seen how this will affect the enforcement activities.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  The CMA is currently before the House of Lords for updating. There is probably consensus about the need to update the CMA and, in general, it is fair to say that the business community probably shares the objectives that the amendments proposed by the government aim to achieve. However, some questions have been raised by industry regarding the wording proposed for some of the CMA amendments. It is felt that the language proposed could be improved so as to ensure a higher level of legal certainty.

How effectively does the UK participate in international actions on cyber-crime?

  The UK is active in international forums and is known to be an effective counterpart. The UK is active in the G8 and in the EU. However, unlike the US, which recently ratified the Council of Europe Convention on Cybercrime, the UK has still to do so despite having signed it. There is strong business support for the ratification of the Convention, as it is by far the most comprehensive legal instrument in the fight against cybercrime.

1   Symantec uses a threat matrix to categorise the different levels of threat posed by malware. The categorisation within that matrix, ranging from 1 (least severe) to 4 (most severe), is determined by a number of factors, such as the ease of infection, the speed of propagation, the damage caused etc.

2   Idem as 1.

3   cf. Symantec Internet Security Threat Report, Trends for July 2005 to December 2005, Vol IX, March 2006.

4

5


© Parliamentary copyright 2007