The Malware Mess

A couple weeks ago McAfee Labs released the McAfee Threats Report: Second Quarter 2013, which found that Android-based malware marked a 35% growth rate not seen since early 2012.  They also found twice as many new ransomware offerings in Q2 as in Q1, bringing the 2013 ransomware count higher than the total found in all previous periods combined.  Everything was in play - SMS stealing bank malware, infected legitimate apps, malicious apps in sheep's clothing, along with fake dating and entertainments apps.  A lot of areas that we spend a good portion of our mobile time.

In addition to mobile threats, Q2 also saw a 16% uptick in suspicious URLs and a 50% increase in digitally-signed malware samples.  Attackers are showing that they can adapt to the criminal opportunities and continue to infiltrate the ever changing infrastructure.  Ransomware, a very popular and profitable scheme, where pop-ups or other messages threaten the user unless they pay a ransom, doubled from Q1 to Q2.  Hey, if it works, might as well.  Malware signed with legitimate certificates increased 50% to 1.2 million samples.  You think you're getting the safe code due to the certificate's authentication but that cozy blanket gets cold quick.  Malware also continues to find life with infected URLs according to McAfee.  The total number of suspect URLs found reached 74.7 million or a 16% increase over Q1.  The Indexed Web is at least 3.82 billion pages so around 2% of the web but still.  I might suggest, 'watch what you type, don't click suspicious links, avoid porn sites,' and other rather obvious actions but these days it could be delivered through an ad loading on a popular news site.  Almost no one is immune.  SPAM continues to hog email servers accounting for almost 70% of all global email volume.  That's nuts.  Think about it all the legitimate email we send over a month and it only accounts for 30% of all email?!?  What a waste of resources.  Other highlights included cyber espionage campaigns and attacks on digital currency.

These threats come at a time where there seems to be a disconnect between executives and their technical teams. 

The Ponemon Institute's most recent research shows that when it comes to locking down enterprise infrastructure, the application layer is responsible for more than 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer.  According to Ponemon, 'Most Organizations are Woefully Behind in Application Security.'  For it's 'Current State of Application Security Report' , they asked 642 IT professionals (both executive & engineering) 20 questions concerning tools usage, development team knowledge and security best practices to better understand the maturity of an organization’s application security program in comparison to the core competencies of high-performing organizations.  They found that a much higher percentage of executive-level respondents believe their organizations are following security procedures through the lifecycle of application development than do the engineers who are closest to executing the security processes.  For instance, 71% of executives interviewed believe that application security training is available and up to date but only 20% of technical staff felt the same.  Around 67% of execs feel they have a mature application security program, compared to 33% of technical staff and 75% of executives believe that a secure architecture exists in their organization verses 23% of technical staff.  Someone is either not communicating or many organizations do not yet consider the need to proactively do something about application security or even attempt to understand application security risks.

What is troublesome is that even with all the media attention and the afore mentioned malware stats, most organizations are not building nor testing their applications for security. According to the Ponemon report, only 43% of respondents say they have a process in place to test for vulnerabilities prior to release, and only 41% are using automated scanning tools to test applications during development. And just to pile on, only 42% push their applications to manual penetration testing by internal teams or from a third party. 

So, threats are increasing (I feel like I say this multiple times a year) and it seems that organizations' response to them are decreasing...or at least not taking them seriously enough.  In many ways, it is kinda like the real world.  We think, feel, believe that we're safe until something happens...then we take all the precautions.  Many organizations need to do that yesterday. 

Today's technologies are awesome but every once in a while I do miss 4 TV stations (including PBS), typewriters, rotary phones, mimeograph machines, S&H Green Stamps and the hard wires of yesteryear.

ps

Related:

• McAfee Labs Q2 Report Finds Mobile Threats Rebound
• The Ponemon Institute: Most Organizations are Woefully Behind in Application Security
• Web Applications Attacked 26 Times Per Minute
• Cyber Weapons: The New Arms Race
• The Problem with 'Quitting' the Internet
• Nostalgia for yesterday's technology
• The Exec-Disconnect on IT Security

Connect with Peter:	Connect with F5: