eEye Digital Security, a provider of IT security and unified vulnerability management solutions, has announced results from its “2011 Headlines vs. Reality” survey.
Through the polling of 1,677 IT security professionals and executives, over 50% responded that it was the common malware and spyware attacks which threatened their organisations most significantly, and not sophisticated, high-profile attacks that garnered media attention, such as Stuxnet, Operation Aurora or Night Dragon.
The survey included responses from IT administrators, managers and C-level executives from organisations of various sizes and from multiple industries in the private and public sectors. Thirty percent of respondents came from organisations with 4,000 employees or more.
“These facts demonstrate that while it is important to remain vigilant against attacks that wreak havoc and damage reputations, we must also remain focused on attacks that fly in under the radar, happen every day and chip away at defences and compliance,” said Marc Maiffret, CTO, eEye Digital Security.
Meanwhile McAfee’s whitepaper ‘The New Reality of Stealth Crimeware’ warned that sophisticated malware techniques which employed “Ninja” stealth tactics and combination vulnerabilities, rootkit and stolen certificate techniques were on the rise.
“Powerful toolkits, like what is available in the Zeus Crimeware Toolkit, make stealth malware development a point- and-click endeavour, no longer restricted to the most knowledgeable programmers.”
McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth techniques to hide and spread malicious threats that can cause significant damage.
“One of the most important things to understand about stealthy malware like Stuxnet and Zeus is that it truly owns the computers it takes over. Through rootkits that operate at the user, kernel, and firmware levels, malware can hide, replicate, protect itself against being overwritten, and deactivate anti-virus protection and other defences.”
Unfortunately, getting accurate figures on the impact of both common malware and the ‘other stealthy kind’ is difficult. Most companies only reveal breaches when regulations require disclosure (typically losses of personally identifiable information) and in Australia, unlike in the US, there is no mandatory disclosure of cybercrime within companies or Government.
Calling for mandatory reporting of cybercrime legislation from Governments, Yuval Ben-Itzhak the chief technology officer of security vendor AVG explained to ZDNet yesterday that “It's not interesting for the media if Mr X from down the street was compromised."
"No-one knows about that person. But suddenly, if there are five thousand people in the city being compromised, well, that's a story that will get the headlines. And I think it's for the lawmakers to start to step forward and request reports for these cases."
Tangible verifiable costs can be difficult to gauge. However, McAfee suggestions that the malware of 2011 is
- Fast spreading—McAfee Labs has detected up to 6 million new botnet infections in a month
- Increasing data loss rates—Malicious attacks were the root cause of 31 percent of the data breaches studied in the 2011 Ponemon Cost of a Data Breach Survey, the highest percentage in the study’s five year history
- Increasing data breach costs—The average compromised record costs $214, and the average data breach costs $7.2 million
- Compliance is in jeopardy—About three-quarters of the companies surveyed by Evalueserve in 2011 said that discovering threats and discovering vulnerabilities were their biggest challenges in risk management
- Tax on productivity—Costs average five hours for each IT administrator and user per system reimaged (10 hours total), for an approximate cost per endpoint of $585; at a 5,000 node company, a 1 percent infection rate would equate to $30,000 in cleanup costs)
In addition to demonstrating top-level concerns, the EyeDigital survey also provided insight into how and where security professionals would bolster their resources if they were to receive a 20 percent increase in their security budgets.
- 65 percent said they would invest it in security reporting and dashboard technologies
- 63 percent said they would invest in patch management
- 60 percent said they would invest in configuration compliance
- 52 percent said they would invest additional personnel
- 39 percent said they would invest regulatory compliance reporting
Unfortunately, although respondents were decisive when it came to knowing how to invest, many have their hands tied. Despite perceived economic recovery, 57 percent of those polled said their IT security budgets saw no increase in 2011, with only 21 percent receiving an increase and 22 percent actually experiencing a decline.