A new analysis report, "Riptech Internet Security Threat Report," which Riptech released at the end of January, reflects trends in security threats against Riptech's customers' networks during the last half of 2001. Riptech based the report on information the company collected from more than 300 of its clients in 25 countries. Those clients work in sectors that include business services, high tech, finance, e-commerce, manufacturing, health care, media and entertainment, power and energy, and application service providers (ASPs).
According to the report, most attacks originated in the United States, South Korea, China, and Germany. However, when Riptech compared the number of Internet users in a given country with the number of attacks launched from that country, it discovered that Israelis launch twice as many attacks as any other country, followed by Hong Kong, Thailand, and South Korea.
The top 10 methods of attack that the report shows include:
- A URL-encoding problem with Microsoft Internet Information Server (IIS) that lets arbitrary commands execute on the server
- Attacks that employ IIS to gain access to the cmd.exe program to execute commands on the server
- SubSeven Trojan horse insertion, which listens on port 27374 and lets an attacker remotely control a Windows system
- Intrusion against vulnerable or misconfigured FTP servers, often used to store and propagate illegal material
- Attacks against vulnerable remote procedure call (RPC) services
- Attacks against vulnerable versions of Secure Shell (SSH)
- Attacks against vulnerable print services, include Line Print Daemon (LPD)
The report also says that attacks increased 79 percent between July and December 2001. Sixty-one percent of those attacks were attempts by intruders to discover any vulnerability in a given network, while 39 percent of the attacks targeted specific systems or companies.
An interesting highlight in the report, especially given the threat of cyberwar, is that power and energy companies suffered twice as many severe attacks as any other category of company in the sampled set of data about attacks that came from Middle Eastern countries. In contrast, high-tech and financial firms experienced 55 percent to 70 percent more attacks of Asian origin than any other category of company in the data sample set. Another interesting highlight is that larger companies (more than 500 employees) suffered at least 50 percent more attacks than smaller companies (fewer than 500 employees). In an even more refined perspective, intruders are more likely to attack companies with more than 1000 employees, and the sample data shows that companies with between 500 and 5000 employees are the most frequent targets of intruders. In addition, public companies are attacked twice as often as private companies.
The report is 33 pages and offers information that lends interesting insight into what to expect from intruders in the near future. Be sure to visit Riptech's Web site and download a copy of the report.
On another note, we're conducting a new poll this week to learn how many of you use a honeypot on your network to distract intruders as well as learn their interests and intrusion methods. Please visit our home page and take the poll.