Safer code fails to stem cyber crime tide

Hackers are targeting a smaller number of security flaws with larger amounts of malicious code

The number of malicious code signatures grew by 71 per cent over the past year

Several reports released in the run-up to this week’s Infosec 2010 security conference recorded increases in the amount of cyber crime detected and experienced by business – despite a fall in the number of detected security flaws. Two of the reports indicated that the increase is partly the result of outsourcing activity.

According to Symantec’s Internet Security Threat Report (ISTR) 2010, hackers are targeting a smaller number of security flaws with larger amounts of malicious code.

The number of security vulnerabilities documented fell 18 per cent in 2009, down from 5,491 to 4,501.

However, the number of malicious code signatures grew 71 per cent to 2.9 million, more than half (51 per cent) of all the signatures ever created.

Those malicious code signatures have been incorporated into 240 million distinct malicious programs, 100 per cent more than in 2008.

The main trends were an increase in targeted enterprise attacks, with web-based methods being the favoured attack vector.

ISTR’s league table of malicious activity by country shows an increase in activity in emerging countries such as Brazil and India, which are third and fifth respectively, and where arguably more security flaws go undetected than in markets with more established security governance.

A second report released last week from Infosecurity Europe and PricewaterhouseCoopers, called 2010 Information Security Breaches Survey (ISBS), argued that the increase in dependence on external IT providers leaves UK businesses exposed to attack.

With 44 per cent now entrusting critical services to third parties, some 61 per cent have detected significant attempts to break into their network this year, double that of 2008.

Senior director of Symantec’s global security response operations, Kevin Hogan, said his firm’s research also suggested a link between outsourced IT and security breaches.

“The emerging market trends we highlighted in our ISTR [showing an increase in malicious activity in Brazil and India] are the result of targeted attacks on outsourced or offshored IT.

“Numerous fairly well-known brands, with sound internal IT security, have been attacked from the offshored or outsourced part of the business.”