There was an average of 220 security vulnerabilities a month between July and December 2003, of which an average of 99 were of “high severity”, and 70% of which were easy to exploit, according to Symantec’s latest Internet Security Threat Report.
The findings of the report highlight growing concerns among IT users that implementing every software patch released is becoming an impossible task.
Richard Archdeacon, technical services director at Symantec, said, “As the time between disclosure and exploitation of vulnerabilities continues to shrink, ‘zero-day threats’ that target vulnerabilities before they are known, are imminent.
“Patch management continues to be critical, but companies are struggling to manage it themselves.”
And the problem is likely to get worse before it gets better, Archdeacon warned. “Attackers require no specialised knowledge to gain unauthorised access to a network when vulnerabilities are easy to exploit.”
Threats to privacy and confidentiality were the most rapidly increasing threats during the six-month period, the security software supplier said, with a 148% growth in volume of malicious code submissions.
So-called “blended threats” like Blaster, Welchia and Sobig.F - which combine the characteristics of viruses, worms, Trojan horses and malicious code with existing vulnerabilities to spread an attack - made up 54% of the top ten submissions for the last six months of 2003, the research revealed.
Almost one third of all attacking systems targeted the vulnerability exploited by the Blaster worm and its successors, it said. And, although many of the worms appeared in August, a sufficient number of unpatched systems remain to sustain them, Symantec warned.
Internet Security Threat Report July-Dec 2003: Main points
Blended threats increasingly target backdoors left by other attackers and worms
Financial services, healthcare and power and energy sectors were the hardest hit by severe cyber attacks
2,636 new vulnerabilities – an average of 220 new per month
70% of new vulnerabilities are easily exploited, requiring no exploit code, providing opportunity for attackers to gain access to critical systems more easily