Malicious Attacks Spike As Flaws Fall In 2011

Malicious attacks jumped 81 percent in 2011, despite a 20 percent drop in vulnerabilities, according to a Symantec report.

Web-based attacks increased by 36 percent thanks to over 4,500 new attacks every day in 2011. There were also 403 million new variants of malware created over the year, a 41 percent increase on 2010.

Cleaning the flaws

The decline in vulnerabilities indicates attackers have embraced simple attack toolkits to exploit known flaws, according to Symantec.

“In 2011 cybercriminals greatly expanded their reach, with nearly 20 percent of targeted attacks now directed at companies with fewer than 250 employees,” said Stephen Trilling, chief technology officer at Symantec.  “We’ve also seen a large increase in attacks on mobile devices, making these devices a viable platform for attackers to leverage in targeting sensitive data.  Organisations of all sizes need to be vigilant about protecting their information.”

Symantec’s findings were similar to those of HP last month, which found vulnerabilities disclosed in commercial applications had decreased 20 percent in 2011, yet attack levels were up 35 percent.

Simon Leech, pre-sales director for enterprise security products at HP, told TechWeekEurope at InfoSecurity Europe 2012 that one of the reasons for the vulnerability decrease was the bounty campaigns run by the likes of Facebook and Google.

As for why attacks are going up, Leech said hackers were increasingly focusing their efforts on web applications. “There are enough vulnerabilities out there, meaning the attackers don’t need to go out there and find new vulnerabilities,” he added. “People aren’t patching so vulnerabilities still exist.”

But Leech said there had been a major shift by attackers towards businesses’ in-house applications. “The most important thing is the fact that the attackers are starting to change their attack methods towards in-house developed applications,” he said. “If, for example, a bank or finance company has a product they have developed, vulnerabilities in that application will exist. Whenever a person writes software, they will make errors.

“Those sorts of things won’t be patched by the mainstream vendors like Microsoft or Apple. In those situations, it is very much up to the organisation that produces the code to introduce security into their software development lifecycle.”

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
