Regulatory Resource / Metrics
Threats to Confidential Information
Exposure of confidential information within the enterprise can lead to significant data leakage. If it involves customer-related data -- such as credit card information -- it can severely undermine customer confidence, as well as violate local laws. Sensitive corporate information, including financial details, business plans and proprietary technologies, could also be leaked from compromised computers. In the last six months of 2006, threats to confidential information made up 66% of the volume of the top 50 malicious code. This is an increase over the 48% reported in the first half of the year and the 55% reported during the second half of 2005.
Sarbox's Toll
Sarbanes-Oxley is having an inherent impact on organizations' information security, but it is doing little to raise awareness of information security throughout the organization.
Sarbanes-Oxley Budget Allocation
A Robert Frances Group survey in June 2003 indicated that more than 95 percent of the budget for SOX implementation came from outside the IT department.
Threat Intelligence / Metrics
Top Threat Source Countries January 1 - June 30, 2004
This chart reveals that the U.S. continues to be the top source country of attacks. However, attackers frequently hop through numerous systems to hide their location.
Unique Brands Phished by Sector
The majority of brands used in phishing attacks in the last six months of 2007 were in the financial services sector, accounting for 80%, virtually unchanged from the 79% reported in the previous period. The financial services sector also accounted for the highest volume of phishing Web sites during this period, at 66%, down from 72% in the first half of 2007.
Phished Sectors by Volume of Phishing Web Sites
The drop in the volume of phishing Web sites targeting financial organizations during the period is notable. It is potentially driven by increased knowledge and awareness of phishing schemes and how to avoid falling victim to them. Information campaigns run by financial institutions, warning emails and a generally heightened awareness of phishing schemes targeting financial services have likely made it more difficult for phishers to carry out successful attacks against these organizations.
Top Countries Hosting Phishing Web Sites and Top Targets Phished
In the second half of 2007, 66% of all phishing attacks detected were associated with Web sites located in the United States. For phishing attacks with Web sites hosted in the United States, all of the top 10 targets are also headquartered there. The top target phished on Web sites hosted in the United States was a social networking site. Together with another social networking site, these two sites accounted for 91% of phishing attacks with Web sites hosted in the United States.
Phishing Web Site Hosts
Between July 1, 2007 and Dec. 31, 2007, 87,963 phishing hosts were observed. This is an increase of 167% from the first half of 2007, when only 32,939 phishing Web site hosts were detected. Between the second half of 2006, when 13,353 phishing Web site hosts were detected, and the second half of 2007, a dramatic increase of 559% in phishing Web site hosts was observed.
Top 10 Countries of Spam Origin
During the second half of 2007, 42% of all spam originated in the United States, a decrease from 50% in the previous period. Despite the decrease, the United States had an 8% increase in volume of spam messages. The drop in percentage from the United States can be explained by the increase in volume of spam originating in other countries -- namely, Russia. The prominence of the United States is not surprising, given that it has the highest number of broadband Internet users in the world. The United States was the top country of spam origin for the first half of 2007 as well as the last half of 2006.
Top Spam Categories
The most common type of spam detected in the first half of 2007 was related to commercial products, which made up 27% of all spam detected by sensors -- an increase from the 22% detected in the previous period. Commercial product spam usually consists of advertisements for commercial goods and services. It is frequently used to sell designer goods, such as watches, handbags and sunglasses, the profits from which can be substantial, given that the goods sold are often cheaply made counterfeits.
Use of Automated Phishing Toolkits
A phishing toolkit is a set of scripts that allows an attacker to automatically set up phishing Web sites that spoof the legitimate Web sites of different brands, including the images and logos associated with those brands. Three phishing toolkits were responsible for 26% of all phishing attacks observed in the second half of 2007. This is a decrease from the first half of 2007, when three phishing toolkits were responsible for 42% of all phishing attacks.
Phishing Site Top-level Domains
The most common top-level domain (TLD) used in phishing Web sites between Jul. 1 and Dec. 31 of 2007 was ".com," accounting for 44% of the total. This is not surprising for a number of reasons. Phishers not only benefit from its familiarity, but since it is the most common TLD overall, it is natural that it is also the most commonly used TLD for phishing Web sites. The ".com" domain is also unrestricted and is available to anyone who wishes to register a ".com" domain name, making it easy for phishers to register these domains.
Malicious Code That Exploits Vulnerabilities
During the second half of 2007, 10% of the 1,032 documented malicious code instances exploited vulnerabilities. This is lower than the 18% proportion of the 1,509 malicious code instances documented in the first half of 2007. While the number of new samples exploiting vulnerabilities declined in the current reporting period, this method of propagation remains effective.
Malicious Code That Modifies Web Pages
In the last six months of 2007, 7% of the top 50 malicious code samples modified Web pages -- up from 3% in the first half of the year. In the second half of 2006, none of the top 50 malicious code samples attempted to modify Web pages on the compromised computer. It is likely that the success of threats like the MPack kit has encouraged attackers, in recent months, to use Web pages to install malicious code.
Threats to Confidential Information by Type
In this reporting period, 86% of confidential information threats had a remote access component, compared to 88% in the first half of 2007 and 87% in the last half of 2006. While this exposure type dropped slightly in the current period, it still remains more popular than other techniques. This is likely because remote access, such as a back door, gives the attacker extensive control over the compromised computer, allowing for the theft of any information on the computer, the installation of other threats or the use of the computer for other purposes, such as relaying spam or hosting a phishing Web site.
Threats to Confidential Information by Volume
In the last six months of 2007, threats to confidential information made up 68% of the volume of the top 50 malicious code samples causing potential infections. This is an increase over the 65% reported in the first half of 2007 and the 53% from the same period in 2006. Malicious code can expose confidential information in a variety of ways. The most common method is by allowing remote access to the compromised computer through a back door.
Malicious Code Types by Potential Infections
During the current reporting period, Trojans made up 71% of the volume of the top 50 potential malicious code infections -- a slight decrease from 73% in the first half of 2007 but still more than the 60% in the same period of 2006. It is interesting to note that, while the volume of Trojans in the top 50 decreased only slightly since the first half of the year, the number of distinct Trojans in the top 50 decreased from 22 in the first half of the year to 16 in the last six months of 2007.
Top 10 New Malicious Code Families
Of the top 10 new malicious code families detected in the last six months of 2007, five were Trojans, two were worms, two were worms with a back door component and one was a worm with a virus component. The prevalence of Trojans in the top new malicious code families is indicative of multistage attacks. These are attacks in which an initial compromise takes place in order to install another piece of malicious code, such as a Trojan, that then downloads and installs additional threats.
New Malicious Code Threats
In the last six months of 2007, 499,811 new malicious code threats were detected. This is a 136% increase over the previous period, when 212,101 new threats were detected, and a 571% increase over the last half of 2006. In total, there were 711,912 new threats detected in 2007 compared to 125,243 threats in 2006 -- an increase of 468%. This brings the overall number of malicious code threats identified to 1,122,311, as of the end of 2007. This means that almost two-thirds of all malicious code threats currently detected were created during 2007.
Vulnerabilities in Security Products
During the second half of 2007, 92 vulnerabilities that affected security products were detected. Of these, 15 were classified as high severity, 48 as medium and 29 as low. This is fewer than the 113 vulnerabilities that affected security products during the first half of 2007, of which 23 were classified as high severity, 58 as medium and 32 as low. During the last six months of 2007, 4% of all vulnerabilities documented during the period affected security products, down slightly from 5% during the first six months of the year.
Unpatched Vulnerabilities, by Vendor
In the second half of 2007, 88 unpatched enterprise vulnerabilities were published. Of these, 39 affected Microsoft, 22 affected IBM, 10 affected Computer Associates, eight affected HP, five affected Sun, three affected Oracle and one affected Symantec. No other vendor was subject to unpatched vulnerabilities during this period.
Site-specific Cross-site Scripting Vulnerabilities Time to Patch, in Days
Site-specific vulnerabilities are a growing concern. The number of cross-site scripting vulnerabilities that affected specific sites in 2007 exceeds the total number of traditional vulnerabilities tracked. Note that the numbers presented in this section represent only site-specific vulnerabilities that were voluntarily reported by security researchers to the XSSed Project archive; other types of Web-application vulnerabilities are not covered.
Site-specific Cross-site Scripting Vulnerabilities
During the last six months of 2007, there were 11,253 site-specific cross-site scripting vulnerabilities that were documented by the XSSed project. At the time of writing, only 473 of these vulnerabilities had been fixed by the maintainer of the affected Web site. In the first six months of 2007, the total was 6,961, although data collection only began in February, which factors into the lower total. Of the 6,961, only 330 had been fixed at the time of writing.
Web Application Vulnerabilities
In the second half of 2007, 58% of all vulnerabilities affected Web applications. This is less than the 61% in the first half of 2007. This drop in the proportion of Web application vulnerabilities is a continuing trend. From an attacker's standpoint, rather than try to compromise numerous smaller sites, it is better to compromise a specific popular site with a single vulnerability, as this increases the chances of compromising a larger number of hosts.
Browser Plug-in Vulnerabilities
Browser plug-in vulnerabilities continue to be prevalent because technologies such as ActiveX remain an easy target for security researchers and attackers alike, mostly due to fuzzer programs such as AxMan and COMRaider. This may indicate that there is a lack of secure development practices among ActiveX application developers. However, ActiveX is also an attractive target because many users may not be aware that they have installed vulnerable controls, and because of the relative difficulty of removing or patching ActiveX controls once they have been installed.
Web Browser Vulnerabilities
During the second half of 2007, 88 vulnerabilities affected Mozilla browsers. Of these, 19 were considered to be medium severity and 69 were considered low. This total is an increase from the 34 vulnerabilities that affected Mozilla browsers in the first half of 2007. Of those, 12 were considered medium severity and 22 were low. Safari was affected by 22 vulnerabilities in the second half of 2007. One was considered high severity, 12 were medium and nine were low. This is a decrease from the 25 Safari vulnerabilities that were documented in the first half of 2007, of which seven were medium severity and 18 were low.
Window of Exposure for Web Browsers
During the last six months of 2007, Mozilla had a window of exposure of three days based on a sample set of 82 patched vulnerabilities. This is a decrease from the window of exposure of five days in the first half of 2007, which was based on 22 patched vulnerabilities. In the second half of 2007, Microsoft Internet Explorer had a window of exposure of 11 days based on a sample set of 11 patched vulnerabilities. This is an increase from the five-day time period in the first half of 2007, which was based on a sample set of 17 patched vulnerabilities.
Operating System Time to Patch by Type of Vulnerability
Of the 86 patched vulnerabilities that affected Apple Mac OS X in the second half of 2007, eight affected browsers, 31 were client-side vulnerabilities, 15 were local, 15 affected servers and 17 did not fall into any of these categories. From the sample set of 21 vulnerabilities for HP in the last six months of 2007, 11 affected browsers, four were client-side vulnerabilities, three affected servers and three did not fit in any category. Meanwhile, 22 patched vulnerabilities in Microsoft Windows were categorized. Seven of these affected browsers, 11 were client-side vulnerabilities, one was local and three affected servers.
Patch Development Time for Operating Systems
Of the five operating systems assessed in the last six months of 2007, Microsoft Windows had the shortest average patch development time of six days based on a sample set of 22 patched vulnerabilities. None of the vulnerabilities affected third-party applications. This is shorter than the average patch development time of 18 days in the first six months of 2007, based on a sample set of 38 vulnerabilities, including two vulnerabilities that affected third-party applications.
Bot Command-and-Control Servers
In the last six months of 2007, 4,091 bot command-and-control servers were identified. This is an 11% decrease from the previous reporting period, when 4,622 bot command-and-control servers were identified. The decrease in the number of bot command-and-control servers detected reflects the growing trend in the methods botnet owners are using to communicate with their bot-infected computers.
Active Bot-Infected Computers by Day
Between July 1 and December 31, 2007, an average of 61,940 active bot-infected computers were observed each day, a 17% increase from the previous reporting period. An active bot-infected computer is one that carries out an average of at least one attack per day. This does not have to be continuous; rather, a single computer can be active on a number of different days. During this period 5,060,187 distinct bot-infected computers were observed, only a one percentage point increase from the first six months of 2007. A distinct bot-infected computer is a distinct computer that was active at least once during the period.
Data Breaches That Could Lead to Identity Theft by Cause and Identities Exposed
In the second half of 2007, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a backup medium. Theft or loss made up 57% of all data breaches during the second half of 2007 and accounted for 46% of all reported breaches in the previous reporting period.
Data Breaches that Could Lead to Identity Theft by Sector and Identities Exposed
In the second half of 2007, the education sector represented the highest number of known data breaches that could lead to identity theft, accounting for 24% of the total. This is a decrease from the previous reporting period when the education sector accounted for 30% of the total, when it also ranked first. Educational institutions store a large amount of personal information on students, faculty and staff that could be used for the purposes of identity theft, including government-issued identification numbers, names, addresses and birth dates.
Use of Automated Phishing Toolkits
A phishing toolkit is a set of scripts that allows an attacker to automatically set up phishing Web sites that spoof the legitimate Web sites of different brands, including the images and logos associated with those brands. A look at the three most widely used phishing toolkits reveals that, on average, they alone were responsible for 42% of all phishing attacks detected in the first half of 2007. This shows the high percentage of complete automation used in phishing attacks compared to attacks that are only partially automated. Automation allows attackers to send a high volume of phishing messages that spoof several brands to a large number of recipients with minimal effort.
Image Spam as a Percentage of All Spam
During the first half of 2007, 27% of all spam blocked consisted of image spam. While image spam started at a higher level at the beginning of the period, reaching nearly 50% of all spam in the first week of January, it showed a marked decline beginning in April and continuing throughout May. The January level is likely due in large part to the rise of the Peacomm Trojan, which sent image spam. While the decline of image spam subsided in June, it did not regain the prominence it achieved at the beginning of the period.
Top Countries of Spam Origin
During the first six months of 2007, 47% of all spam detected worldwide originated in the United States. This is likely due to the high number of broadband users in that country and the high percentage of bot-infected computers located there. The United States was also the top country of spam origin in the second half of 2006, when 44% of spam originated there. The second-highest source of spam this period was a group of undetermined European Union countries, from where 7% of all detected spam originated during this period. China was the third-highest country of spam origin in the first half of 2007.
Top Spam Categories
The most common type of spam detected in the first half of 2007 was related to commercial products, which made up 22% of all spam detected during this period. This is a slight increase from the previous period when this category made up 21% of detected spam. Commercial product spam usually consists of advertisements for commercial goods and services. It is frequently used to sell designer goods, such as watches, handbags and sunglasses. There is financial motivation since the goods sold are often counterfeit and can be sold at a profit. Spam related to financial services made up 21% of all spam in the first six months of 2007, making it the second most common type of spam during this period.
Malicious Code Types by Volume
During the first half of 2007, Trojans made up 54% of the volume of the top 50 malicious code reports, an increase over the 45% reported in the final six months of 2006. While part of this increase can be attributed to the success of the Peacomm Trojan, there were also a wide variety of other Trojans present in the top 50 malicious code reports. As previously mentioned, Trojans are likely gaining prominence because they generate a low volume of traffic compared to network and mass-mailing worms.
Browser Plug-in Vulnerabilities
In the first half of 2007, 237 vulnerabilities affecting browser plug-ins were documented. Of these, 210 affected ActiveX components, 18 affected the Apple QuickTime plug-in, four affected the Sun Java plug-in, three affected extensions for Mozilla browsers and two affected the Adobe Acrobat plug-in. Adobe Flash, Microsoft Windows Media Player and Opera widgets were not affected by any browser plug-in vulnerabilities during this period.
Zero-Day Vulnerabilities
Of the zero-day vulnerabilities documented during the first half of 2007, three of the vulnerabilities affected Microsoft Office applications. This is a drop from the six zero-day vulnerabilities that affected Office in the second half of 2006. The number of zero-day Office vulnerabilities may have dropped due to measures taken by Microsoft to patch as many pending Office vulnerabilities as possible.
Web Browser Vulnerabilities
During the first six months of 2007, 39 vulnerabilities were documented in Microsoft Internet Explorer. Of these, one was considered to be high severity, 15 were medium severity and 23 were low. During the same time period, 34 vulnerabilities were disclosed that affected Mozilla browsers. Of these, 12 were considered to be medium severity and 22 were considered low.
Web Application Vulnerabilities
In the first half of 2007, 61% of all vulnerabilities affected Web applications. This is a drop from the 66% reported in the second half of 2006, and a further decrease from the 69% of all vulnerabilities that affected Web applications in the first half of 2006.
Patched Operating System Vulnerability by Type
Of the 59 patched vulnerabilities that affected Apple Mac OS X in the first half of 2007, eight affected browsers, 21 were client-side vulnerabilities, 17 were local, 11 affected servers and two vulnerabilities did not fit into any of these categories. There were 30 patched vulnerabilities disclosed during this period that affected HP-UX. Of these, 13 affected browsers, three were client-side, three were local, nine affected servers and two could not be categorized.
Patch Development Time for Operating Systems
Of the five operating systems tracked in the first six months of 2007, Microsoft had the shortest average patch development time at 18 days, based on a sample set of 38 patched vulnerabilities. Of the 38 vulnerabilities, two affected third-party applications. This is lower than the average patch development time of 23 days in the second half of 2006 based on a sample set of 50 vulnerabilities, seven of which affected third-party applications.
Bot-Infected Computers by Country
China had the highest number of bot-infected computers during the first half of 2007, accounting for 29% of the worldwide total. This is a slight increase from 26% in the second half of 2006, when China also had the highest number of bot-infected computers.
Command-and-Control Servers
In the first six months of 2007, 4,622 bot command-and-control servers were identified. This is a 3% decrease from the previous period, when 4,746 command-and-control servers were identified. The decrease in command-and-control servers reflects a consolidation of bot networks observed in the second half of 2006. During that period, the number of command-and-control servers decreased and the average size of bot networks increased.
Average Lifespan of Bot-Infected Computers
During the first six months of 2007, the lifespan of the average bot-infected computer was four days. This is an increase from the previous period, when the average lifespan was three days. The median lifespan of a bot-infected computer during both periods was one day. This indicates that the majority of bot-infected computers only participate in attacking behavior for a short period, after which they are either identified and disinfected, or are used for activities other than carrying out Internet attacks, such as hosting spam zombies or phishing Web sites.
Active Bot-Infected Computers per Day
Between January 1 and June 30, 2007, an average of 52,771 active bot-infected computers were observed per day, a 17% decrease from the previous reporting period. The decrease in bots observed over the past six months is likely due to a number of reasons, the primary one being a change in bot attack methods. The exploitation of network-based vulnerabilities to spread bots is being slowly abandoned for methods that are more likely to succeed, such as bots that send a mass mailing of themselves.
Breakdown of Goods Available for Sale on Underground Economy Servers
During the first half of 2007, credit cards were the most frequently advertised item, making up 22% of all goods available for sale on underground economy servers. Bank account credentials, including account numbers and authentication information, were the second most commonly advertised item on underground economy servers during the period, accounting for 21% of all advertised goods. The advertised price for bank account credentials varied widely, ranging between $30 and $400 USD, and was dependent on the funds available in the account.
Location of Banks Whose Cards Were Sold on Underground Economy Servers
During the first six months of 2007, 85% of credit and debit cards advertised for sale on underground economy servers were issued by banks in the United States. This is down slightly from 86% in the last six months of 2006.
Location of Underground Economy Servers
During the first six months of 2007, 64% of all underground economy servers identified were located in the United States, by far the highest total of any country. During the last half of 2006, the United States was home to the majority of underground economy servers as well, accounting for 51% of the total. Germany had the second most underground economy servers during the first half of 2007, accounting for 12% of the worldwide total.
Number of Identities Exposed by Cause
In the first half of 2007, hacking was responsible for 73% of identities exposed. The prominence of hacking as a cause of exposed identities was largely driven by the TJX breach. This shows clearly that hacking is the cause of data breaches that is most likely to lead to wide-scale identity theft. This is likely because hacking is more clearly purpose-driven than insecure policy or the loss or theft of devices. It is an intentional act with a clearly defined purpose: to steal data that can be used for purposes of identity theft or other fraud.
Data Breaches that Could Lead to Identity Theft by Cause
In the first half of 2007, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium. These made up 46% of all such data breaches during this period. Theft or loss accounted for 57% of all reported breaches in the previous reporting period. Despite this, theft or loss of computers and storage media only accounted for 11% of all identities exposed.
Identities Exposed by Sector
During the first half of 2007, the retail/wholesale sector accounted for only 6% of all data breaches that could lead to identity theft, making it the fifth ranked sector during this period. However, the sector was responsible for the largest number of exposed identities, accounting for 85%. Breaches in this sector were thus far more likely to result in wide-scale identity theft than any other sector. Each data breach would facilitate identity theft to a much greater degree.
Data Breaches that Could Lead to Identity Theft by Sector
In the first half of 2007, the education sector accounted for 30% of all known data breaches that could lead to identity theft, more than any other sector. This is up from the previous period when education accounted for only 22% of the total and was the second ranked sector. In spite of the high number of data breaches that occurred in the education sector during the first six months of 2007, it only accounted for 1% of all identities exposed during the period. This is likely because most data breaches within the education sector were caused by theft or loss of computers or data-storage devices.
Malicious Activity Originating from Fortune 100 Companies
Between January 1 and June 30, 2007, 4% of malicious activity detected originated from the IP address space of Fortune 100 companies. The IP space of Fortune 100 organizations constitutes just over 7% of the world's active and advertised IP space. Since the proportion of malicious activity originating from Fortune 100 IP space is lower than the proportion of the world's active and advertised IP space that is assigned to these organizations, less attack activity is originating from Fortune 100 companies than other IP spaces. It is likely that security measures put in place on Fortune 100 networks make it difficult for attackers to compromise them, or to use them to launch attack activity.
Malicious Activity by Country per Internet User
During the first six months of 2007, Israel was the most highly ranked country for malicious activity per Internet user. If one person from each of the top 25 countries were assessed as a representation of their country's Internet users, the average user in Israel would carry out 11% of the group's malicious activity. This is a small increase from 9% in the previous period.
Malicious Activity by Country
Between January 1 and June 30, 2007, the United States was the top country for malicious activity, making up 30% of worldwide malicious activity. This represents a minimal change from the second half of 2006, when the United States was also the highest ranked country, accounting for 31% of the world's malicious activity. For each of the malicious activities taken into account for this measurement, the United States ranked number one by a large margin, with the exception of bot-infected computers. It ranked second for that criterion, behind only China.
Bot-Infected Computers by Country
China had the highest number of bot-infected computers during the first half of 2007, accounting for 29% of the worldwide total, up from 26% in the second half of 2006. This continues a trend that was first discussed in the first half of 2005, which saw an increase in bot activity in China during that period.
> > Full Chart
Active Bot-Infected Computers per Day
An active bot-infected computer is one that carries out at least one attack per day. This does not have to be continuous; rather, a single computer can be active on a number of different days. Between January 1 and June 30, 2007, an average of 52,771 active bot-infected computers per day were observed, a 17% decrease from the previous reporting period.
> > Full Chart
Breakdown of Goods Available for Sale on Underground Economy Servers
During the first six months of 2007, 8,011 distinct credit cards were observed being advertised for exchange on underground economy servers. This is only a small proportion of the credit cards sold, however. Typically, users selling credit card information advertise bulk rates and merely give examples of credit card information to attract buyers. Common bulk amounts and rates seen during the first six months of 2007 were: 10 credit card numbers for $20 USD; 50 credit card numbers for $70 USD; and 100 credit card numbers for $100 USD.
> > Full Chart
Data Breaches that Could Lead to Identity Theft by Sector
In the first half of 2007, the education sector accounted for more data breaches that could lead to identity theft than any other sector, making up 30% of the total. This is up from the previous period when the education sector accounted for only 22% of the total and ranked second. The retail/wholesale sector accounted for only 6% of all data breaches, making it the fifth ranked sector during this period. However, the sector was responsible for the largest number of exposed identities, accounting for 85%.
> > Full Chart
Malicious Code that Exploits Vulnerabilities
In the second half of 2006, five zero-day exploits were released for vulnerabilities in Microsoft Office. This accounts for a significant proportion of malicious code that exploits vulnerabilities during the second half of 2006. Zero-day vulnerabilities present attackers with an opportunity to evade detection when compromising computers. In the context of malicious code, this will also increase the success rate when compromising computers, as the malicious code will appear to spread through an unknown vector until it has been discovered, analyzed and mitigated by security and antivirus vendors.
> > Full Chart
Propagation Mechanisms
While malicious code propagating over SMTP decreased during this period, all other vectors experienced an increase. This is likely the result of an effort by attackers to diversify the way their threats proliferate. Good email scanning applications and increased user knowledge of mass-mailing threats have reduced the effectiveness of email as a propagation mechanism. As a result, some attackers are resorting to other propagation mechanisms or incorporating additional propagation mechanisms into a mass-mailing worm.
> > Full Chart
Threats to Confidential Information by Source, July-December 2006
While the volume of threats that allow remote access has decreased, the volume of threats that log keystrokes and export user and system data have all increased. Keystroke logging threats made up 79% of confidential information threats by volume of reports in the second half of 2006, up from 57% in the first half of the year and 66% in the second half of 2005. During the current reporting period, keystroke loggers made up 76% of confidential information threats by infection. A keystroke logger will record keystrokes on the compromised computer. It usually either emails the log to the attacker or uploads it to a Web site that is under the attacker's control. This makes it easier for an attacker to gather confidential information from a large number of compromised computers with minimal effort.
> > Full Chart
Threats to Confidential Information by Type
In the second half of 2006, threats that allow remote access, such as back doors, made up 84% of confidential information threats by volume of reports, the same as in the first half of the year, but a decrease from 90% in the second half of 2005. During this reporting period, threats that allow remote access made up 87% of threats by potential infection. While a threat that allows remote access, such as a back door, could give an attacker full access to a computer, the attacker must typically access it manually. This likely explains why the proportion of reports (84%) is similar to the proportion of potential infections during this reporting period (87%).
> > Full Chart
Threats to Confidential Information by Volume
In the last six months of 2006, threats to confidential information made up 66% of the volume of top 50 malicious code programs reported. This is an increase over the 48% reported in the first half of the year and the 55% reported during the second half of 2005. Malicious code can expose confidential information in a variety of ways. The most common method is by allowing remote access to the compromised computer through a back door. In this method, the attacker typically uses a specialized application to connect to the compromised computer and performs numerous actions such as taking screenshots, changing configuration settings, and uploading, downloading or deleting files.
> > Full Chart
Malicious Code Types by Source, July-December 2006
While worms made up 52% of malicious code reports in the second half of 2006, they caused only 37% of potential infections. The main reason for this is that mass-mailing worms generate a significant number of email messages to which they attach their malicious code. Each message that is detected will generate a malicious code report. Because of the high volume of email that one worm can generate, a single infection can result in many reports. However, once a malicious code sample is detected, antivirus signatures are quickly developed that can protect against subsequent potential infections by that sample. So, only a small percentage of the high volume of email messages will result in additional infections.
> > Full Chart
Malicious Code Types by Volume
During the current reporting period, worms made up 52% of the volume of the top 50 malicious code reports, down from 75% in the previous period. This drop can largely be attributed to the decline in reports of major worms such as Sober.X, Blackmal.E, and Netsky.P since the first half of 2006. The longer a threat has been in the wild, the more time users will have had to update their detection signatures. The volume of these worms has likely declined because users have installed antivirus definitions that detect them.
> > Full Chart
Top Ten New Malicious Code Families
Of the top ten new malicious code families detected in the last six months of 2006, five were Trojans, four were worms, and one was a virus. One of the Trojans also had back door capabilities. This indicates that attackers may be moving toward using Trojans as a means of installing malicious code on computers. As Trojans do not propagate, they allow attackers to perform targeted attacks without drawing attention to themselves. The longer a threat remains undiscovered in the wild, the more opportunity it has to compromise computers before measures can be taken to protect against it.
> > Full Chart
Database Vulnerabilities
In the second half of 2006, 168 vulnerabilities were documented that affected Oracle databases. This is a slight decrease from the 169 vulnerabilities disclosed in the first half of 2006 and an increase over the 131 in the second half of 2005. During the second half of 2006, five vulnerabilities were documented in IBM DB2 databases. This is a slight increase from the four vulnerabilities documented during the first half of 2006. Seven vulnerabilities affected IBM DB2 during the second half of 2005.
> > Full Chart
Zero-Day Vulnerabilities
A zero-day vulnerability is one for which there is sufficient public evidence to indicate that the vulnerability has been exploited in the wild prior to being publicly known. Zero-day vulnerabilities represent a serious threat in many cases because there is no patch available for them, and because they will likely be able to evade purely signature-based detection. A black market for zero-day vulnerabilities has emerged that has the potential to put them into the hands of criminals and other interested parties. In the second half of 2006, 12 zero-day vulnerabilities were documented. This is a significant increase compared to the first half of 2006 and the second half of 2005, when only one zero-day vulnerability was documented for each reporting period.
> > Full Chart
Web Browser Vulnerabilities
In the second half of 2006, 54 vulnerabilities in Microsoft Internet Explorer were documented. Of these, one was considered to be high severity, 13 were medium severity and 40 were classified as low severity. This total is an increase from the 38 vulnerabilities documented in the first half of 2006. During the second half of 2006, 40 vulnerabilities affected the Mozilla browsers. Of these, 35 were considered to be medium severity and five were considered low. During the second half of 2006, four vulnerabilities were disclosed that affected Opera.
> > Full Chart
Vendor Responsiveness
Vendor responsiveness is measured by the proportion of vulnerabilities that remain unconfirmed by the vendor and, therefore, unpatched over time.
Vendor responsiveness is an important security consideration because, in many cases, unsanctioned, unsupported and unmaintained software may be deployed within the organization. In the second half of 2006, 68% of documented vulnerabilities were not confirmed by the affected vendor. This is an increase from the first half of the year, when 61% of vulnerabilities were not confirmed by the vendor. In the second half of 2005, 55% of documented vulnerabilities were not vendor confirmed.
> > Full Chart
Patch Development Time for Operating Systems
Microsoft Windows had the shortest average patch development time of the five operating systems in the last six months of 2006. During this period, Windows had an average patch development time of 21 days based on a sample set of 39 patched vulnerabilities. This represents an increase over the first six months of 2006, when Windows had an average patch development time of 13 days based on a sample set of 22 vulnerabilities.
> > Full Chart
Command-and-Control Servers by Country
Command-and-control servers are computers that bot network owners use to relay commands and instructions to the bot-infected computers that make up their networks. Although China had the most bot-infected computers worldwide, it had only the fourth highest number of known command-and-control servers worldwide. This discrepancy likely indicates that the majority of bot-infected computers in China are being controlled from servers in other countries. For example, an attacker in the United States could control a command-and-control server in the United Kingdom to administer bot-infected computers all over the world.
> > Full Chart
Active bot-infected computers per day
Between July 1 and Dec. 31, 2006, an average of 63,912 active bot-infected computers were observed per day. This is an 11% increase from the previous period, when an average of 57,717 active bots were observed per day. Furthermore, 6,049,594 distinct bot-infected computers were observed during the current reporting period, a 29% increase from the previous period, when 4,696,903 distinct bot-infected computers were identified.
> > Full Chart
Advertised prices of items traded on underground economy servers
Cards from the United States sold over underground economy servers are generally advertised for about half as much as those from the United Kingdom. For instance, credit cards from US-based banks have been advertised for $3.00 USD, while credit cards from UK-based banks are advertised for $6.00 USD. Other items are also being sold on underground economy servers, including full identities, which typically involve government-issued identification numbers (such as social security numbers), bank account information (including passwords), personal information (such as date of birth), as well as identity verification information (such as a person's mother's maiden name).
> > Full Chart
Location of Banks with Cards Sold on Underground Economy Servers
During the last six months of 2006, 4,943 credit cards were observed being traded on underground economy servers. By far, most of the credit and debit cards advertised for sale on underground economy servers were issued by banks in the United States. The prominence of the United States is not entirely unexpected. The vast majority of the identity theft-related data breaches reported during the last six months of 2006 took place in the United States.
> > Full Chart
Data Breaches that Could Lead to Identity Theft by Cause
In the second half of 2006, the primary cause of data breaches that could facilitate identity theft was theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or backup medium. These made up 54% of all identity theft-related data breaches during this period. In many cases, the computers that were lost or stolen were laptop computers.
The second most common cause of data breaches that could lead to identity theft during this period was insecure policy, which made up 28% of all incidents.
> > Full Chart
Malicious Activity by Country per Internet User
Israel was the most highly ranked country for malicious activity per Internet user. If one person from each of the top 25 countries were assessed as a representation of their country's Internet users, the average user in Israel would carry out 9% of malicious activity. Taiwan ranked second, accounting for 8% of malicious activity per Internet user. Poland ranked third, accounting for 6%.
> > Full Chart
Malicious Activity by Country
Between July 1 and December 31, 2006, the United States was the top country for malicious activity, making up 31% of worldwide malicious activity. For each of the malicious activities taken into account for this measurement, the United States ranked number one by a large margin, with the exception of bot-infected computers. The United States ranked second for that criterion, 12 percentage points lower than China.
> > Full Chart
Bot-infected Computers by Country
China had the highest number of bot-infected computers during the second half of 2006, accounting for 26% of the worldwide total. This is an increase of six percentage points over the previous six months. This increase was driven by a rise in the number of bots in the country, rather than a decrease in other countries. This coincides with and illustrates a trend first discussed in 2005, in which bot activity in China appeared to be increasing. During the second half of 2006, the United States had the second highest number of bot-infected computers, accounting for 14% of the worldwide total.
> > Full Chart
Malicious code types, by reports and by potential infections, July -- December 2006
During the current reporting period, worms made up 52% of the volume of malicious code threats, down from 75% in the previous period. However, the number of unique samples of worms in the top 50 malicious code reports remained fairly constant over the last six months of 2006. During this period, 36 worms were reported, compared to 38 in the previous period. The volume of Trojans in the top 50 malicious code samples reported increased significantly in the last six months of 2006. During this period, they constituted 45% of the volume of the top 50 malicious code samples, a significant increase over the 23% last period and the 38% reported in the second half of 2005.
> > Full Chart
Location of Underground Economy Servers
Underground economy servers are used by criminals and criminal organizations to sell stolen information, typically for subsequent use in identity theft. This data can include government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts and email address lists. During the second half of 2006, 51% of all underground economy servers were located in the United States, the highest total of any country. Sweden ranked second, accounting for 15% of the worldwide total, and Canada ranked third, accounting for 7%.
> > Full Chart
Data Breaches That Could Lead to Identity Theft by Sector
In the second half of 2006, the government sector accounted for the largest share of data breaches that could lead to identity theft, making up 25% of the total. Government organizations store a lot of personal information that could be used for the purposes of identity theft. Furthermore, they often consist of numerous semi-independent departments. As a consequence, sensitive personal identification information may be stored in separate locations and be available to numerous people. This increases the opportunity for attackers to gain unauthorized access to this data. Governments may also be more likely to report such breaches than private organizations, which may fear negative market reaction.
> > Full Chart
Malicious Activity by Country
Between July 1 and Dec. 31, 2006, the United States was the top country for malicious activity, accounting for 31% of the worldwide total. For each of the malicious activities taken into account for this measurement, the United States ranked number one by a large margin with the exception of bot-infected computers. It ranked second for that criterion, 12 percentage points lower than China.
> > Full Chart
Window of Exposure, Enterprise Vendors
In the first six months of 2006, the average patch development time for enterprise vendors was 31 days. During the same period, the average exploit code development time for vulnerabilities affecting enterprise vendors was three days. As a result, the window of exposure for this reporting period was 28 days. In the second half of 2005, the window of exposure for vulnerabilities affecting enterprise vendors was 50 days, based on a patch development time of 57 days and an exploit code development time of seven days.
> > Full Chart
Operating System Patch Development Time
Over the past six months, each of the five operating system vendors had shorter average patch development times than in the previous two six-month periods. Linux vendor patch development times were generally shorter than those of the commercial UNIX vendors, HP and Sun. Over the past three reporting periods, Microsoft has had the shortest patch development time of all the operating system vendors. Along with Microsoft, Red Hat had the shortest patch development time during this reporting period. This is likely related to open-source collaboration.
> > Full Chart
Easily Exploitable Vulnerabilities by Type
Over the first six months of 2006, 78% of easily exploitable vulnerabilities affected Web applications. This continued the increase that was evident in the two previous six-month periods, during which Web applications accounted for 69% and 61% of easily exploitable vulnerabilities, respectively. In part, Web applications dominate this metric because they make up the majority of vulnerabilities that were documented over the last three periods.
> > Full Chart
Web Application Vulnerabilities
Vulnerabilities affecting Web applications accounted for 69% of all vulnerabilities that were documented in the first half of 2006. This is a slight increase over the 68% seen in the second half of 2005. It is also higher than the 60% proportion in the first half of 2005. Web applications generally have quicker release cycles than traditional desktop and server applications. This provides security researchers with a continually growing source of new applications to audit, particularly as, in many cases, Web applications do not undergo the same degree of quality assurance and testing as other applications.
> > Full Chart
Total Volume of Vulnerabilities
During the first half of 2006, 2,249 new vulnerabilities were detected. This is an increase of 18% over the 1,912 vulnerabilities that were documented in the second half of 2005. It is also a 20% increase over the 1,874 vulnerabilities that were reported in the first half of 2005. A higher volume of vulnerabilities was documented in this reporting period than in any previous six-month period. The marked increase in the number of vulnerabilities can be attributed to the continued growth in those that affect Web applications. This is due to the relative ease of discovering vulnerabilities in Web applications compared to other applications.
> > Full Chart
Top Targeted Sectors
Between January 1 and June 30, 2006, the home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks. As computers in the home user sector are less likely to have well-established security measures and practices in place, they may be more vulnerable to targeted attacks. Furthermore, as home users represent a fertile resource for identity theft, it is likely that many of the targeted attacks are used for fraud or other financially motivated crime. Financial services was the second most frequently targeted sector in the first half of 2006.
> > Full Chart
Top Originating Countries
During the first six months of 2006, the United States ranked as the top country of attack origin, accounting for 37% of the worldwide total. Attack activity originating in the United States increased by 29% in this period, which is 13 percentage points above the average increase of 16%. This is likely driven by recent growth in broadband infrastructure there. An increase in broadband connectivity in a country often leads to an increase in attacks and bot infections originating there.
> > Full Chart
Top Cities By Bot-Infected Computers
During the first half of 2006, Beijing was the city with the most bot-infected computers in the world, accounting for almost three percent of the worldwide total. Guangzhou, China ranked second, with just under two percent of the world's bot-infected computers. Seoul, South Korea had the third highest number of bot-infected computers worldwide, accounting for slightly less than two percent of the total. All of the top three cities in this category are large population centers that are cultural and economic centers in their respective countries. Furthermore, all have a large broadband Internet infrastructure.
> > Full Chart
Distribution of Command-and-Control Servers in Top Ten Bot-Infected Countries
In the first six months of 2006, the United States was the site of 42% of all known command-and-control servers, making it the highest ranked country in this category. The high proportion of command-and-control servers likely indicates that servers in the United States control not only bot networks within the country but offshore as well. The high proportion of bot-infected computers and bot command-and-control servers in the United States is driven by its extensive Internet and technology infrastructure and the fact that more than 49 million broadband Internet users are located there. Although China had the most bot-infected computers worldwide, it had only the fourth highest number of known command-and-control servers worldwide. This discrepancy likely indicates that the majority of bot-infected computers within China are being controlled from servers in other countries.
> > Full Chart
Top Countries Targeted by Bot-Infected Computers
China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total. This ranking represents a rise from third place in the second half of 2005. Bots usually infect computers that have high-speed broadband connections to the Internet through large ISPs, and the expansion of broadband connectivity often facilitates the spread of bots. Frequently, ISPs will focus their resources on meeting growing broadband demand at the expense of implementing security measures, such as port blocking and ingress and egress filtering. As a result, ISPs that are expanding their services rapidly may have security infrastructures that are underdeveloped relative to their needs.
> > Full Chart
Top Sectors Targeted by Denial of Service Attacks
The sector most frequently targeted by DoS attacks in the first half of 2006 was the Internet service provider (ISP) sector, which was targeted by 38% of all DoS attacks. ISPs are popular targets for several reasons. First, they are responsible for providing Internet service to a high number of users. By successfully attacking an ISP, an attacker can effectively create denial of service conditions for a high number of users at one time. Second, ISPs also host Web sites and provide Internet access to many potential target organizations. Attackers wanting to target an organization's Web sites or networks could do so by launching a DoS attack against the organization's ISP. The second most popular target of DoS attacks during the first half of 2006 was the government sector, which was targeted by 32% of all detected attacks. Government Web sites typically are high-profile sites, so it is logical that the government sector is a popular target for DoS attacks.
> > Full Chart
Top Countries Targeted by Denial of Service Attacks
Between January 1 and June 30, 2006, the United States was the location of the most DoS targets, accounting for 54% of the worldwide total. The prominence of the United States as a target is not surprising. The country's extensive broadband Internet infrastructure and its high proportion of Internet-connected organizations make it a very attractive target. China was targeted by the second highest number of DoS attacks, accounting for 12% of the total. The United Kingdom was the third most common target, accounting for 11% of all detected attacks. Like the United States, both China and the United Kingdom have an extensive broadband Internet infrastructure. Both countries are also regional and global political and economic centers. As a result, attackers who are acting on financial or political motives may choose to target these countries.
> > Full Chart
Denial of Service Attacks Per Day
During the first six months of 2006, an average of 6,110 denial of service (DoS) attacks per day were detected. DoS attacks are generally carried out by a wide variety of attackers, from amateurs who simply download a freely available tool, to owners of highly organized bot networks whose primary purpose is to carry out coordinated attacks. Defending against DoS attacks that use forged source addresses is difficult, as spoofed addresses make filtering based on the IP address very complicated. Some operating systems have configuration options that may be used to make computers less prone to resource exhaustion, thereby making them more resilient against DoS attacks. Administrators should tune these options to minimize the effects of DoS attacks.
> > Full Chart
Top Attacks Against Wireless Networks
The most common wireless threat detected between January 1 and June 30, 2006 was a device probing for an access point, which accounted for 30% of all threatening activity. A device probing for a wireless network access point is one that is noisily trying to connect with an access point using any service set identifier (SSID). An organization's wireless security can be threatened by devices probing for an access point in two ways. The first is by attackers roaming urban areas attempting to locate and connect to wireless networks, a practice that is known as war driving. The second way in which an organization can be threatened by devices probing for wireless access points is through authorized, albeit poorly configured, computers trying to connect to an access point using any SSID. Although apparently innocuous, this could be more damaging to an organization than war driving.
> > Full Chart
Distribution of Attacks Targeting Web Browsers
During the first six months of 2006, Microsoft Internet Explorer was the most frequently targeted Web browser. It was targeted by 47% of all known attacking IP addresses. The prominence of Microsoft Internet Explorer is not surprising considering the number of vulnerabilities that affect it. Furthermore, on a worldwide basis, it is the most widely deployed browser. Some attacks target vulnerabilities that are present in multiple Web browsers. Browsers that fall within the "multiple browsers" category include Apple Safari, KDE Konqueror, the Mozilla Browser family, Netscape, Opera, Microsoft Internet Explorer, and others. Attacks targeting multiple browsers were the second most common during the first half of 2006, accounting for 31% of all attacking IP addresses.
> > Full Chart
Top Web Browser Attacks
The most common attack carried out against Web browsers between January 1 and June 30, 2006 was the Multiple Browser Zero Width GIF Image Memory Corruption Attack, which accounted for 31% of all detected Web browser attacks. This attack exploits the vulnerability of the same name, which was first disclosed in September 2002 and affects older Netscape, Mozilla, Galeon, and Opera Web browsers. This attack is carried out when a user loads a Web site containing a graphics interchange format (GIF) image file with a width field that is set to zero.
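The malformed file shape described above (a GIF whose width field is zero) is easy to recognise before an image ever reaches a legacy decoder, for example in a mail gateway or content filter. The following parser is an added example, not code from the report or from any of the browser projects it names; it walks the GIF block structure and reports every zero-valued width field, and the sample files it checks are constructed inline.

```python
"""Flag GIF files whose logical-screen or image-descriptor width is zero.

Added example: a defensive pre-decode check, not the report's own code.
"""
import struct


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (size byte + payload; 0 ends the chain)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def zero_width_fields(data: bytes) -> list:
    """Return a description of every zero-valued width field in a GIF.

    An empty list means the file has no zero-width field. A non-empty list means
    the file matches the malformed shape described in the report and should be
    rejected or quarantined rather than passed to an old decoder.
    """
    findings = []
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    # Logical screen descriptor: width, height (little-endian) and a packed flags byte.
    screen_w, _screen_h, packed = struct.unpack_from("<HHB", data, 6)
    if screen_w == 0:
        findings.append("logical screen width is 0")
    pos = 13  # past header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global color table present: 3 bytes per entry, 2^(N+1) entries
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    image_index = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer: end of file
            break
        if block == 0x21:  # extension: one label byte, then data sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: left, top, width, height, packed flags
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            _left, _top, img_w, _img_h, img_packed = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if img_w == 0:
                findings.append(f"image {image_index} width is 0")
            image_index += 1
            if img_packed & 0x80:  # local color table
                pos += 3 * (2 ** ((img_packed & 0x07) + 1))
            pos += 1  # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)  # compressed pixel data
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")
    return findings


def _make_gif(screen_w: int, img_w: int) -> bytes:
    """Build a minimal one-row GIF89a with the given width fields (constructed sample)."""
    header = b"GIF89a" + struct.pack("<HHBBB", screen_w, 1, 0x80, 0, 0)
    gct = bytes([0, 0, 0, 255, 255, 255])  # two-entry global color table
    img = b"\x2c" + struct.pack("<HHHHB", 0, 0, img_w, 1, 0)
    # LZW minimum code size 2, one two-byte data sub-block, then the 0 terminator
    pixel_data = b"\x02\x02\x2c\x00\x00"
    return header + gct + img + pixel_data + b"\x3b"


# Constructed samples: a well-formed file and one with both width fields zeroed.
BENIGN_GIF = _make_gif(1, 1)
ZERO_WIDTH_GIF = _make_gif(0, 0)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_GIF), ("zero-width", ZERO_WIDTH_GIF)):
        print(name, zero_width_fields(sample) or "no zero-width fields")
```

The check deliberately inspects both the logical screen width and each image descriptor's width, because the report does not say which field the attack zeroes; a filter that only validated one of them would be easy to slip past. A caller treating a non-empty result as "reject" gets a cheap structural guard that does not depend on a signature for any particular sample.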
> > Full Chart
Phishing Activity By Sector
The financial sector was the most heavily phished sector during the first six months of 2006, accounting for 84% of phishing sites tracked. Phishing attacks against the financial services sector are most likely to produce the greatest monetary gain for attackers. Once an attacker gains access to a target's account through one of these attacks, he or she can initiate wire transfers to remove funds, apply for loans, credit lines, or credit cards. Further evidence of the high concentration of phishing activity targeting the financial sector is the fact that nine of the top ten brands phished this period were from that sector.
> > Full Chart
Number of Unique Phishing Messages
Over the first six months of 2006, 157,477 unique phishing messages were detected. This is an increase of 81% over the 86,906 unique phishing messages that were detected in the last half of 2005. It is also an increase of 61% over the 97,592 messages detected in the first half of 2005. This sharp increase over the previous six-month period may be a result of attempts by attackers to bypass filtering technologies by creating multiple randomized messages.
> > Full Chart
Active Bot Network Computers Per Day
Bot networks are groups of compromised computers on which attackers have installed software that listens for and responds to commands, typically using Internet relay chat (IRC), thereby giving the attacker remote control over the computers. In the first six months of 2006, an average of 57,717 active bot network computers per day were observed. During this period, 4,696,903 distinct bot network computers were identified as being active at any point in time during the six-month period.
> > Full Chart
Web Browser Vulnerabilities
In the first six months of 2006, 47 vulnerabilities were documented that affected Mozilla browsers, including Mozilla Firefox and the Mozilla Browser. This is a significant increase over the 17 vulnerabilities that were disclosed in the second half of 2005. The Mozilla Foundation released multiple revisions of Firefox and Mozilla during this period to address the majority of these vulnerabilities. In the first half of 2006, 38 new vulnerabilities were documented in Microsoft Internet Explorer. This is a 52% increase over the 25 vulnerabilities published in the preceding six-month period. The continued prevalence of Internet Explorer vulnerabilities is likely due to the widespread deployment of the browser. During this reporting period, 12 vulnerabilities were disclosed that affected Apple Safari. This is double the six reported in the second half of 2005.
> > Full Chart
Web Browsers Window of Exposure
In the first half of 2006, Internet Explorer had a window of exposure of nine days, down considerably from 25 days in the second half of 2005. Apple Safari had a window of exposure of five days, up from zero days in the second half of 2005. In the first half of 2006, Opera had a window of exposure of two days, down considerably from 18 days during the second half of 2005. In the first half of this year, Mozilla had a window of exposure of one day. In the second half of 2005, Mozilla had a window of exposure of negative two days, meaning that exploit code in that period was generally released after patches were available.
> > Full Chart
Operating System Patch Development Time
The time period between the disclosure date of a vulnerability and the release date of an associated patch is known as the "patch development time." During the first six months of 2006, Microsoft had an average patch development time of 13 days, a significant decrease from 34 days in the last half of 2005. Red Hat also had an average patch development time of 13 days for the first six months of 2006, a drop from 28 days in the last half of 2005. Apple had the third shortest time to patch at 37 days. This is a significant reduction from the 73-day average for 27 vulnerabilities in the second half of 2005.
> > Full Chart
Window of Exposure, Enterprise Vendor
The window of exposure is the difference in days between the time at which exploit code affecting a vulnerability is made public and the time at which the affected vendor makes a patch available to the public for that vulnerability. In the first six months of 2006, the average patch development time for software developed by enterprise vendors was 31 days. The average exploit code development time during the same period was three days. As a result, the window of exposure for this reporting period was 28 days. In the second half of 2005, the window of exposure was 50 days. In the first half of 2005, it was 60 days.
> > Full Chart
Top Sectors Targeted by Denial of Service Attacks
The sector most frequently targeted by denial of service (DoS) attacks in the first half of 2006 was the Internet Service Provider (ISP) sector, which was targeted by 38% of all DoS attacks. ISPs are popular targets for several reasons. First, they are responsible for providing Internet service to a high number of users. By successfully attacking an ISP, an attacker can effectively create denial of service conditions for a high number of users at one time. Second, ISPs also host Web sites and provide Internet access to many potential target organizations. Attackers wanting to target an organization's Web site or networks could do so by targeting the organization's ISP.
> > Full Chart
Top Targeted Sectors
Between January 1 and June 30, 2006, the home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks. Because computers in the home user sector are less likely to have well-established security measures and practices in place than those in other sectors, they are much more vulnerable to targeted attacks. Furthermore, as home users represent a fertile resource for identity theft, it is likely that many of the targeted attacks against them are used for fraud or other financially motivated crime. The financial services sector was the second most frequently targeted in the first half of 2006.
> > Full Chart
Distribution of Attacks Targeting Web Browsers
In the first six months of 2006, Microsoft Internet Explorer was the most frequently targeted Web browser. Attacks targeting it accounted for 47% of all attacking computers targeting Web browsers. The prominence of Microsoft Internet Explorer is not surprising, as it is the most widely deployed browser worldwide. Furthermore, it had the second highest number of vulnerabilities of all Web browsers during this period.
> > Full Chart
Top 10 Malicious Code Samples
In the last six months of 2005, Sober.X was the most widely reported malicious code sample. This worm was discovered on Nov. 19, 2005 and was upgraded to a category 3 threat on Nov. 22. Despite the fact that it was released with only a month to go before the end of the year, Sober.X was reported more frequently than any other malicious code sample in the six-month period.
> > Full Chart
Web Browser Vulnerabilities, Vendor Confirmed
The number of vendor-confirmed Web browser vulnerabilities disclosed during the second half of 2005 was considerably lower than the total number of vendor-confirmed and non-confirmed vulnerabilities. While Microsoft Internet Explorer had the highest number of vulnerabilities detected over the last six months of the year, the Firefox browser from Mozilla had the highest number of vendor-confirmed vulnerabilities over the past several reporting periods.
> > Full Chart
New Win32 Viruses and Worm Variants
Throughout 2005, the number of Win32 threat variants remained high. As of the end of 2005, the total number of Win32 threat variants had surpassed 39,257, indicating that these threats will continue to dominate the landscape for some time to come.
> > Full Chart
Instant Messaging Threats
Instant messaging (IM) use continues to grow rapidly in both home and enterprise environments, with an estimated 300 million users in 2005. However, IM is generally unprotected and unmonitored in consumer and enterprise environments, leaving it vulnerable to attacks. In the second half of 2005, worms were the most common type of malicious code on the three largest IM services. Worms constituted 91 percent of IM-related malicious code during that time, a nearly 10 percent increase over the 83 percent reported during the first half of the year.
> > Full Chart
Web Browser Vulnerabilities
Between July and December 2005, 24 new vulnerabilities that affected at least one version of Microsoft's Internet Explorer browser were documented. This is the same number seen in the previous six-month reporting period. The totals in both periods are far lower than the 45 new vulnerabilities detected in Internet Explorer in the second half of 2004. At the same time, the increasingly popular Firefox browser from Mozilla was affected by 17 new vulnerabilities in the second half of 2005. This is a decrease from the 32 vulnerabilities that were documented during the first part of the year.
> > Full Chart
Total Number of Commercially Acquired Vulnerabilities
Over the past several reporting periods, the number of vulnerabilities that have been commercially disclosed and acquired has increased. However, during the second half of 2005, this trend appears to have reversed. Between July and December 2005, there were 54 commercial vulnerabilities, a decline of 21 percent from the 68 commercial vulnerabilities detected during the first half of the year.
> > Full Chart
Vulnerabilities Associated with Exploit Code
The proportion of vulnerabilities with exploit code continued to decline in the second half of 2005. Between July 1 and December 31, 2005, exploit code was available for 12 percent of the vulnerabilities disclosed. This is lower than the 14 percent seen in the first half of 2005. During the same reporting period a year ago, exploit code was available for 15 percent of vulnerabilities disclosed.
> > Full Chart
Web Application Vulnerabilities
Web application vulnerabilities have increased significantly over the past several reporting periods. That was also true during the last six months of 2005, when 69% of vulnerabilities were associated with Web applications. This was a 15% increase over the first half of 2005, when they made up 60% of vulnerabilities.
> > Full Chart
Volume by Severity
Over the past four six-month recording periods, the vast majority of vulnerabilities were rated either moderate or high severity, with only a small percentage rated low severity. This pattern continued in the last half of 2005, when 45% of vulnerabilities were rated as high severity and 52% of vulnerabilities were rated as moderate severity.
> > Full Chart
Total Volume of Vulnerabilities, 2001-2005
The second half of 2005 was marked by a slight increase in the total number of vulnerabilities disclosed, with 1,896 new vulnerabilities detected. This is an increase of 1% over the 1,871 new vulnerabilities detected in the first half of 2005. More significantly, however, it is an increase of 34% over the 1,416 new vulnerabilities disclosed during the second half of 2004.
> > Full Chart
Top Targeted Industries
The financial services industry was the most frequently targeted industry between July 1 and December 31, 2005. Attackers are believed to be turning their attentions to cyber crime -- usually for profit. The financial services industry is considered a popular target for attacks from people seeking to profit from their attacks. During the first half of 2005, the financial services industry was the third most frequent target of attacks.
> > Full Chart
Top Originating Countries
During the last six months of 2005, the United States was the country of origin of 31% of attacks. This is a slight drop from the 33% of attacks that originated there in the first half of the year and slightly more than the 30% of attacks that originated there in the second half of 2004. China moved up to second position during the second half of 2005, when 7% of all attacks originated there. There was a 153% increase in the volume of attacks originating in China during that period.
> > Full Chart
DoS Attacks Per Week
During the last half of 2005, an average of 1,402 denial of service attacks were detected per day. This is an increase of 51% over the first six months of the year, when an average of 927 DoS attacks were detected each day. The rise in number of attacks indicates that an entrenched and well-organized community of attackers -- likely bot network owners -- may be beginning to utilize better resources to carry out more attacks.
> > Full Chart
Top Bot-Infected Countries
Over the last six months of 2005, the United States was the location of the highest number of bot-infected computers of any country, with 26% of bot-infected computers situated there. This is up from the first half of the year, when only 19% of all bot-infected computers were in the United States. The second highest number of bot-infected computers was located in the United Kingdom, with 22% of all bot-infected computers situated there.
> > Full Chart
Time to Compromise -- Desktop Computers with Firewalls Deactivated
The time to compromise seven different desktop operating systems and configurations was tested during the last six months of 2005. Of the desktop operating systems that were tested, Microsoft Windows XP Professional with no patches had the shortest average time to compromise, at one hour and 12 seconds. The longest time to compromise this system took 20 hours and 18 minutes. The minimum time took one minute and 19 seconds.
> > Full Chart
Daily Variance in Bot-Infected Computers
The daily variances in the number of bot-infected computers followed a boom-and-bust population curve. Between February and June 2004, the number of bot-infected computers experienced significant growth, driven by the rapid spread of Spybot and Gaobot. A bust occurred between July and December 2004, as security professionals began to harden their computers and networks against bots. During 2005, the number of bot-infected computers seems to have reached the carrying capacity of its environment.
> > Full Chart
Time to Compromise -- Web Servers
This metric measured the time it took for attackers to compromise an Internet-connected Web server once a new operating system was installed. The measure will help provide insight into how quickly an Internet-connected computer may become compromised. Of the Web servers tested, Windows Server 2000 with no patches had the shortest average time to compromise, roughly one hour and 17 minutes. The minimum time for this server was one minute and 14 seconds. The longest time was 18 hours and 28 minutes. A considerable variation was possible in time to compromise for all types of servers tested.
> > Full Chart
Top Command-and-Control Countries
Over the last six months of 2005, the United States had the highest proportion of bot command-and-control servers in the world, accounting for 48% of the total. South Korea ranked second with 9% of the total and Canada ranked third with 6%.
> > Full Chart
New Win32 Virus and Worm Variants
Over the second half of 2005, more than 10,992 new Win32 viruses and worms were documented. While this is consistent with the 10,866 detected in the first half of the year, it is a 49% increase over the 7,360 documented in the second half of 2004. The significant increase over 2004 is due to the continued development of Win32 worms that implement bot features that attackers can use for financial gain.
> > Full Chart
DoS Attacks Per Day
Over the last six months of 2005, an average of 1,402 DoS attacks per day were detected. This is an increase of 51% from the first half of 2005, when an average of 927 DoS attacks per day were detected.
> > Full Chart
Web Browser Vulnerabilities, Vendor Confirmed
During the last six months of 2005, the Firefox browser from Mozilla had the highest count of vendor-confirmed vulnerabilities. Thirteen out of the 17 vulnerabilities disclosed for Firefox were vendor confirmed, down from 27 out of 32 in the first half of 2005. Twelve out of the 24 vulnerabilities associated with Microsoft Internet Explorer were confirmed by the vendor, a slight decrease from the 14 out of 24 disclosed between January and June 2005.
> > Full Chart
Web Browser Vulnerabilities, Vendor Confirmed and Non-Vendor Confirmed
During the last six months of 2005, 24 new vendor-confirmed and non-vendor-confirmed vulnerabilities were disclosed that affected at least one version of Microsoft Internet Explorer. This is the same number that was seen in the previous six-month period. During this reporting period, the increasingly popular Firefox browser from Mozilla was affected by 17 new vendor-confirmed and non-vendor-confirmed vulnerabilities, down from the 32 seen in the previous period.
> > Full Chart
Top Bot-Infected Countries
The identification of bot-infected computers is important, as a high percentage increases the potential for bot-related attacks to occur. Over the second half of 2005, the United States had the highest number of bot-infected computers of any country, with 26% of bot-infected computers in the world situated there. The United Kingdom accounted for 22% of all bot-infected computers worldwide, the second-highest number during this period.
> > Full Chart
Top Attacked Ports
Assessing the top attacked ports allows security personnel to understand which ports (and associated services) attackers may be targeting. In the second half of 2005, UDP port 1026 was the most frequently targeted port. It was targeted by 17% of attackers. This is an 88% increase over the first half of 2005, when it was only targeted by 9% of attackers.
> > Full Chart
Bot-Infected Computers Detected Per Day
Over the last six months of 2005, an average of 9,163 bot-infected computers per day was detected. This is a drop of 11% from the first half of the year, during which an average of 10,347 bot-infected computers per day was detected. Despite the decrease over the last six months, the level of bot-infected computer activity appears to have leveled off around the 10,000 bot mark.
> > Full Chart
Attack Activity Per Day
The attack activity per day is determined by the number of attacks observed by the median organization in a sample set and thus is considered to be indicative of the number of attacks on the Internet as a whole. Between July 1 and Dec. 31, 2005, an average of 39 attacks per day were detected. In each of the two previous six-month periods, 57 attacks per day were detected. This equates to a decrease of 32% over the last six months of 2005.
> > Full Chart
Percentage of Adware in Top 50 Reports
During the first six months of 2005, the percentage of adware in the top 50 malicious code samples increased dramatically. Between January 1 and June 30, 2004, adware made up 4% of the top 50 programs reported. In the second half of 2004, it made up 5%. But in the first half of 2005, the percentage jumped to 8% of the top 50 reports.
> > Full Chart
Malicious Code that Downloads Adware
During the first six months of 2005, seven distinct malicious code samples that downloaded adware were present in the top 50 malicious code reports, including two variants of the Vundu Trojan and the Desktophijack virus. There was only one such sample in the second half of 2004 and none in the first half of 2004.
> > Full Chart
Malicious Code that Allows Email Relaying
Malicious code being used for profit motives is on the rise. One example is the growth of malicious code used to relay bulk unsolicited email (spam) for profit. In the first half of 2005, 64% of the top 50 malicious code samples allowed email relaying, compared with 53% in the last six months of 2004 and 37% in the first half of 2004.
> > Full Chart
P2P, Instant Messaging, Internet Relay Chat, and File-Sharing Threats
While peer-to-peer (P2P), instant messaging (IM), Internet relay chat (IRC), and network file sharing (CIFS) continue to be used as propagation vectors for the top threats, their effectiveness appears to be on the decline. In the first half of 2005, only 19% of the top 50 malicious code reported used one of these replication vectors, compared to 50% in the previous six months and 36% one year ago.
> > Full Chart
Threats to Confidential Information
Threats with the potential to disclose confidential information continued to rise during the first half of 2005, as they have for the past three reporting periods. During the first six months of 2005, malicious code that exposes confidential information represented 74% of the top 50 samples of malicious code.
> > Full Chart
New Win32 Virus and Worm Variants
During the first half of 2005, Win32 threats continued the increase in volume that was first noted in 2003. More than 10,866 new Win32 viruses and worms were detected during that time period, an increase of 48% compared with the second half of 2004.
> > Full Chart
Vulnerabilities with Exploit Code
Of the vulnerabilities that were disclosed during the first six months of 2005, associated exploit code was available for 251 or 13% of the total volume. In terms of raw numbers, this was greater than the last half of 2004, during which exploit code was available for 201 vulnerabilities.
> > Full Chart
Web Browser Vulnerabilities
During the first half of 2005, more vulnerabilities were disclosed for the Mozilla browsers, including Firefox, than for any other browser. There were 25 vulnerabilities detected affecting the Mozilla family of browsers during this period compared with 32 during the second half of 2004.
> > Full Chart
The Time to Patch
The time period between the disclosure date of vulnerabilities and the release of associated patches is referred to as "the time to patch." During the first half of 2005, on average, 54 days elapsed between the publication of vulnerabilities and the release of associated patches by an enterprise vendor. This is an increase over the average of 49 days in the second half of 2004.
> > Full Chart
Ease of Exploit Breakdown
During the first six months of 2005, 1,356 vulnerabilities were classified as easy to exploit. This means that 73% of all vulnerabilities disclosed during this period either required no exploit code or had some type of exploit code available.
> > Full Chart
Severity of Remotely Exploited Vulnerabilities
Of remotely exploited vulnerabilities in the first half of 2005, 29% were rated highly severe. In the second half of 2004, 40% were rated as highly severe.
> > Full Chart
Total Number of Vulnerabilities Disclosed
The first half of 2005 was marked by a substantial increase in the total number of vulnerabilities disclosed. Between January 1 and June 30, 2005, there were 1,862 new vulnerabilities disclosed. This is the highest number since the Internet Security Threat Report began tracking vulnerabilities in six-month intervals.
> > Full Chart
Targeted Attacks by Industry
Education was the most frequently targeted industry between January and June 2005. This is likely due to the nature of networks in educational organizations. In addition to providing large numbers of public terminals, educational institutions must facilitate remote access for tens of thousands of users. Small business was the second most targeted industry because they are less likely to have a well established security infrastructure, making them more vulnerable to attacks.
> > Full Chart
Denial of Service Attacks per Day
Between January 1 and June 30, 2005, the number of denial of service (DoS) attacks grew by more than 680% to 927 per day on average. This is an increase over the last six months of 2004, during which an average of 119 DoS attacks per day were observed. This increase strongly correlates to the rise in bot network activity because large bot networks are able to conduct broadly based DoS attacks.
> > Full Chart
Win32 Virus and Worm Variants
In the first half of 2005, more than 10,866 new Win32 viruses and worms were documented, a 48% increase over the second half of 2004. The massive increase is due to the increase of Win32 variants that use and implement bot features, such as remote access through IRC channels and denial of service capabilities, that attackers often use for financial gain.
> > Full Chart
Vulnerabilities by Severity
The severity of a vulnerability is a measure of the degree to which it gives an attacker access to the targeted system. Between Jan. 1 and June 30, 2005, 909 vulnerabilities -- or 49% of the total volume -- were classified as high severity, meaning they would result in the compromise of the entire system if exploited. This is four percentage points higher than the first six months of 2004.
> > Full Chart
Attacks Holding Consistent
During the first half of 2005, there was an average of 57 attacks per day. This is consistent with the second half of 2004, when 57 attacks per day were also detected. The relatively constant rate of attacks per day for the last six months of 2004 and the first six months of 2005 is likely due to the lack of any substantial worm outbreaks in that time. With this in mind, it should be noted that the attack activity per day would rise drastically over a very short period if a major malicious code outbreak occurs.
> > Full Chart
Patch Window Closing
During the first half of 2005, on average, 54 days elapsed between the disclosure of a vulnerability and the release of a patch by the vendor. This is a slight increase over the 49-day average of the previous period. This ends a two-year trend of decreasing response time. That trend was most likely due to increased pressure from customers for vendors to address security concerns in response to high-profile vulnerabilities and malicious code.
> > Full Chart
Blocking of Phishing on the Rise
Some 1.04 billion phishing attempts were blocked in the first half of 2005, compared with over 546 million in the last six months of 2004, a 90% increase. Between January 1 and June 30, 2005, the volume of phishing messages grew from an average of 2.99 million attempts a day to 5.7 million.
> > Full Chart
Bots Increasing
The number of new bot variants has continued to climb. In the first six months of 2005, 6,361 new variants of Spybot were reported, a 48% increase over the 4,288 new variants documented in the second half of 2004.
> > Full Chart
DoS Attacks
Between January 1 and June 30, 2005, the number of DoS attacks grew by more than 680% to 927 per day on average. This increase in DoS activity may be due to similar increases in bot network activity.
> > Full Chart
Trojan Attacks
During the last six months of 2005, Trojans became the most reported threat, representing 33% of the top 50 malicious code.
> > Full Chart
Vulnerability to Exploit Growing
The window between the disclosure of a vulnerability and the unleashing of exploit code has been growing, a good thing for those waiting for patches to arrive.
> > Full Chart
Vulnerabilities with Exploit Code
Over the last six months of 2004, 201 vulnerabilities were documented for which associated exploit code was widely available. Because of the availability of exploit code, these vulnerabilities are considered easy to exploit.
> > Full Chart
Severity of Threats
The number of vulnerabilities continues to grow, with both high- and low-severity vulnerabilities also increasing.
> > Full Chart
Targeting Industries
Attackers choose their targets for a number of reasons. In some cases, an attack may be targeted against a single company or a group of companies from a single industry.
> > Full Chart
Chatting into the Network
Intruders penetrate various domains by various means. This chart indicates intrusions via Internet Relay Chat (IRC) by domain.
> > Full Chart
Adware Advancing
Adware increased over the course of 2004. Between January 1 and June 30, adware made up 4% of malicious code. Between July 1 and December 31, it increased to 5%.
> > Full Chart
Spam Attacks
Between July 1 and December 31, 2004, the number of unsolicited messages per day nearly doubled, including messages that may be new, previously unknown spam.
> > Full Chart
Phishers on the Network
In mid-July 2004, there were 9 million phishing attempts per week. By the end of December this number had increased to a weekly average of over 33 million attempts.
> > Full Chart
Exploit Development Time
Continuing from the first half of 2004, the average amount of time between vulnerability publication and the appearance of a third-party functional exploit remains less than one week. This highlights the need for administrators to patch their systems or implement other measures to protect against new threats as soon as possible.
> > Full Chart
Vulnerability Trends
The number of total vulnerabilities reported peaked in 2002 at 4,129, but has not fallen to its 2000 low of 1,090.
> > Full Chart
Thre |