Cybercrime goes on year after year, but the way it manifests itself continually changes. I’ve been putting together a presentation on global security threats for an upcoming meeting and have had to do quite a bit of research on the types of cybercriminal activity that are currently occurring. After analyzing a fairly wide range of sources, I’ve concluded that viruses and worms, then laptop theft, then insider attacks, then denial of service (DoS), then network break-ins, and then data security breaches are currently the most prevalent types of attacks.
I remember when I started in the information security arena nearly 25 years ago how unauthorized access, insider tampering with systems, and viruses such as the Brain and Lehigh viruses constituted the overwhelming majority of types of cybercrime activity. Attacks in those days were incredibly crude by today’s standards, as was malware.
In 2000 I gave a presentation with the same title (“Global threat update”) as the one I am currently preparing; cybercrime statistics were quite different then. At that time, denial of service attacks were most prevalent, followed by man-in-the-middle attacks, spam and mail bomb attacks, attacks exploiting vulnerabilities in services, exploitation of cgi-bin vulnerabilities in Web servers, buffer overflow attacks, exploitation of misconfigured FTP servers, and relay host attacks.
In 2006 I made another “global threat update” presentation. This time virus infections were most prevalent, followed by spyware infections, port scans, laptop theft, denial of service, and network break-ins. Interestingly, in 2006 wireless network abuse made the top ten for the very first time.
Looking at the trends over the years, viruses (and also worms), insider attacks, network break-ins and DoS attacks have had the greatest longevity. Some of you may remember when not all that long ago I proclaimed that virus and worm infections were on the decline. I believe that I was right at that particular time. Cybercriminals had by that time turned to other attack methods that were more likely to produce monetary gain; virus and worm infections are not conducive to monetary gain because they are so highly detectable. But then came the Conficker worm. No one is sure how many Windows systems Conficker has infected, but an estimate of 15 million or more systems so far would not be unreasonable. Conficker alone is largely responsible for the huge increase in malware infections over the last ten months. And I now believe that perpetrators have probably already designed a new “son of Conficker” that builds on Conficker’s base features, but also introduces new features. Given all the highly vulnerable Windows systems out there, it is reasonable to expect viruses and worms to remain at the top of types of cyberattacks for some time to come.
In preparing for my upcoming presentation, I’ve done a trend analysis that spans only the last few years. The following types of attacks are becoming proportionately more prevalent: virus and worm incidents, data security breaches, financial fraud, DNS-related incidents, and targeted attacks. I’ve already discussed virus and worm infections, so I’ll turn to data security breaches. To put it simply, most organizations are not exercising due diligence in protecting information assets. As such, expect the proportion of data security breaches to continue to grow at a disproportionate pace. Financial fraud is always a problem, but the overwhelming majority of it over the last decade has been perpetrated by insiders. Insiders still perpetrate a large proportion of financial fraud, but organized crime and “hackers for hire” are becoming more and more prevalent with respect to this type of crime. DNS attacks, especially DNS poisoning and exploitation of Berkeley Internet name daemon (BIND) vulnerabilities, are growing so fast because they are so useful in perpetrating other types of computer crime, rather than serving as an end in themselves. Targeted attacks are becoming increasingly frequent because they have such a high probability of succeeding in gaining access to restricted information. If you don’t believe me, just ask the US State Department, the UK Home Department, and the US Department of Defense!
According to available statistics, phishing, DoS attacks, and bots and botnets are all on the wane. (This is not to say that they do not pose very serious risks, however.) The combination of anti-phishing features in Web browsers and quick action by law enforcement to take down phishing sites has much to do with phishing becoming less prevalent. But the reason for the decrease in the relative prevalence of DoS attacks, which just nine years ago constituted over 40 percent of all reported attacks, is a bit of a mystery. A possible reason is that there is less money to be made from DoS attacks compared to other types. Finally, the decrease in bots and botnets may be due to the greater efficiency of law enforcement in finding and prosecuting botnet owners and operators.
A final caveat—everything I have said is based on statistics. In most cases, little or no detail about the methodologies used to gather these statistics has been available. Always take statistics with a grain of salt. But I would rather have some statistics that are only partially valid than none at all.