SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Size: px

Start display at page:

Download "SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet"

Juniper Anthony
5 years ago
Views:

1 SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document are based on attacks against an extensive sample of Symantec customers. The attack activity was detected by Symantec Managed Security Services and Symantec DeepSight Threat Management System between January 1 and June 0, 00. Symantec Managed Security Services and Symantec DeepSight Threat Management System use automated systems to map the IP address of the attacking system to identify the country in which it is located. However, because attackers frequently use compromised systems located around the world to launch attacks remotely, the location of the attacking system may differ from the location of the attacker. Despite the uncertainty that this creates, this type of data is useful in creating a high-level profile of global attack patterns. The number of contributing sensors in each industry varies. Combined with different standard security practices, these variations may result in different attack data being recorded in each industry. This may preclude valid comparisons between industries. Executive Summary In addition to gathering Internet-wide attack data for the Internet Security Threat Report, Symantec also gathers and analyzes attack data that is detected by sensors deployed in specific industries. This industry data sheet will discuss the top attacks, top targeted ports, and top source countries for attack activity targeting organizations in the power and energy industry. Between January 1 and June 0, 00, the top attack in the power and energy industry was the Possible Incoming Malicious Attachment Event. This attack is indicative of the presence of mass-mailing viruses or worms. Three of the top ten attacks in this sector are related to worms and . The top attacked port in the power and energy sector in the first half of 00 was 17. This port is largely associated with Microsoft networking and back-end servers. This port is used for Microsoft name resolution and attack activity targeting it often indicates username- and password-guessing attacks. The United States was the top country of origin for attacks detected by sensors in the power and energy sector. It accounted for % of the events targeting this industry during this period. China was the second ranked country of attack origin followed by South Korea.

2 Top Attacks Rank Attack Possible Incoming Malicious Attachment Event Microsoft SQL Server 000 Resolution Service Stack Overflow Attack Generic ICMP Flood Attack Microsoft Windows Shell Remote Code Execution Attack Generic DNS Poisoned Spoofing Attack Microsoft Internet Explorer TABLE Status Bar URI Obfuscation Attack Generic UPX Packed File Detected Generic SMTP Pipe Attack Generic DNS Malformed Packet Attack Dabber Incoming Worm Attack Percent of attackers 0% 17% 8% % % Affected service (SMTP) Worm Microsoft SQL Server Generic DoS Attack Microsoft Networking Name Resolution (DNS) Web (HTTP) Generic Malicious File Download (SMTP) Name Resolution (DNS) (SMTP) Worm Table 1. Top attacks, power and energy Source: Symantec Corporation Discussion For the purposes of this data sheet, top attacks were determined by the percentage of total attackers performing each attack. Between January 1 and June 0, 00, the most widespread attack detected by sensors deployed by the power and energy industry was the Possible Incoming Malicious Attachment Event. Detection of this generic attack often indicates the presence of suspicious attachments. It often indicates an attempt to spread a mass-mailing virus or worm. Although Symantec has seen a decrease in the volume of mass-mailing worms in the first six months of 00, they continue to be a problem for some organizations. Successful propagation consumes valuable organizational resources in detecting, identifying, and removing infections. Infection may also force administrators to take individual computers or entire networks offline while remediation takes place. In order to prevent malicious code infection, it is important to employ best practices as recommended by Symantec. 1 Administrators should keep patch levels up-to-date, especially on computers that host public services such as HTTP, FTP, SMTP, and DNS servers and are accessible through a firewall or placed in a DMZ. servers should be configured to only allow file types that are required for business needs. Additionally, Symantec recommends that ingress and egress filtering be put in place on perimeter devices to detect anomalous activity. End users should employ defense in-depth, including antivirus software and a personal firewall. Users should update antivirus definitions regularly. They should also ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. They 1 See the Internet Security Threat Report, Volume VII (March 00), Appendix A Ingress traffic refers to traffic that is coming into a network from the Internet or another network. Egress traffic refers to traffic that is leaving a network, bound for the Internet or another network. Defense in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.

3 should never view, open, or execute any attachment unless the attachment is expected and comes from a trusted source, and the purpose of the attachment is known. The Microsoft SQL Resolution Service Stack Buffer Overflow Attack was the second most common attack detected by sensors based in the power and energy sector. Also known as the Slammer Worm, it was performed by 17% of attackers targeting the power and energy sector. This attack is commonly associated with three high-profile malicious code samples: Slammer, Gaobot, and Spybot. 6 This attack can affect both the Microsoft SQL Server and the Microsoft Desktop Engine (MSDE). The MSDE is included with some third-party software. This makes protecting against this attack very difficult, as each affected software package must be patched. Furthermore, the vulnerability that this attack exploits will be reintroduced whenever a vulnerable application is installed. If patches are not applied to the software shortly after installation, it is likely that a compromise will occur. This attack uses as a transport mechanism, which may contribute to the high ranking of this attack in two ways. First, the use of allows a complete attack to be sent to every potential victim computer, regardless of whether an SQL server is installed and running or not. 7 Most intrusion detection systems will interpret each attempt as a full attack, even if the destination computer is not turned on. Second, the use of allows this attack to come from a spoofed source address, which may inflate the number of observed source IP addresses. Slammer did not spoof its source; however, as the attack is now used by other malicious code this ability could be added. This attack is particularly risky for mobile computers. A single infected host can transfer the malicious code inside the perimeter through a VPN connection or by plugging directly into the network. Perimeter filtering of Microsoft SQL ports and strong policy compliance can significantly reduce the risk of compromise by this attack. The third most common attack during the last six months of 00 was the Generic ICMP Flood Attack. ICMP is used to identify problems with Internet connections, and the ping component of ICMP is used to determine if a machine is functioning and accessible. As with any network communication, ICMP traffic can be used to overwhelm a target with messages, thereby saturating the bandwidth and creating a denial of service (DoS) condition. DoS attacks are a major threat to organizations that rely on Internet connectivity to carry out their operations. These attacks are a particular threat to companies that rely on the Internet to generate revenue. As was discussed in the Attack Trends section of the current Symantec Internet Security Threat Report, this attack may be related to financial motivation, as DoS attacks have reportedly been threatened in extortion attempts. 8 This attack is relatively old and simply relies on bandwidth exhaustion. There are a variety of methods that have been put in place by operating system designers to minimize its effectiveness in creating DoS conditions. Organizations should ensure that a documented procedure exists for responding to DoS events. This should include working with the Internet service provider to assist in filtering out the flood of connections. Additionally, many firewall and operating systems have configuration parameters that does not require that any form of synchronization be done before data is sent and accepted by the target service. By contrast, an attack that uses must go through the three-way handshake to synchronize the systems prior to data being sent; therefore, a -based attack will only be seen if the service being targeted is accepting connections. In the case of, the attacking system can simply send the complete attack without regard for whether the service is listening. 8

4 can be changed to help mitigate the effect of a traffic flood. Organizations should ensure that all systems that are being used in situations where they might be a target for DoS attacks are appropriately hardened to minimize the disruption should an attack occur. Top Targeted Ports Rank Port Portocol Service NetBIOS Name Service (Microsoft networking) Microsoft SQL Server DCE-RPC (Remote Microsoft Windows communication) Unknown Trojan / Backdoor Trojan / Backdoor Unknown Web Service (HTTP) Time synchronization (NTP) DCE-RPC (Remote Microsoft Windows communication) Table. Top attacked ports, power and energy sector Source: Symantec Corporation Discussion Monitoring the ports that are being attacked can give security analysts an understanding of which services are being targeted and thus indicate which attacks are most prevalent. The top targeted ports are determined by the number of unique IP addresses that launched attacks against each one. During the first half of 00, the most widely targeted port was 17. Microsoft networking uses this port as a method of domain name resolution and service queries. Scans targeting this port often indicate an attacker attempting to guess common usernames and passwords for file-shares. Organizations should ensure that all ports are blocked at the perimeter firewall except those required for enterprise operations. Strong passwords should be employed to minimize the chance that a username and password combination can be guessed. Finally, end users should be educated to create and use passwords of sufficient complexity. The second most targeted port between January 1 and June 0, 00, was port 1. This port, commonly used for Microsoft SQL Server, was targeted by the highly successful SQLExp worm (also known as Slammer) and has since been used by common bot network applications including Gaobot and Spybot. The frequency of activity on this port is indicative of the high frequency of the Microsoft SQL Server 000 Resolution Service Stack Overflow Attack, which was discussed in the Top Attacks section of this document.

5 The third most widely targeted port in the period was port 1. This port is associated with Microsoft Remote Procedure Call System, which allows remote computers to request services from a target computer. This port was widely targeted by the Blaster 9 and Welchia 10 worms, and continues to be a popular target for Gaobot and Spybot. Symantec recommends that organizations filter all ports at the perimeter except that those that are required for enterprise operations. Mobile computers and VPN connections can also be a risk, so organizations should ensure that these computers have strong policy compliance and a personal firewall to help mitigate the risk. Top Source Countries Rank Country United States China South Korea Japan Canada United Kingdom France Germany Hong Kong Taiwan Percent of attacks % 17% 6% % Worldwide percent of attacks 6% 7% % 7% % Table. Top source countries, power and energy sector Source: Symantec Corporation Discussion The United States was the top country of origin for attacks detected by sensors in the power and energy sector, accounting for % of detected attacks (table ). This is significantly higher than the of Internet-wide attacks that originated there during this period. The United States continues to have more Internet users than any other country, which may explain the high level of general attack activity originating there. Furthermore, Symantec has noted that attacking computers target their own region at a greater rate than other region. The fact that more power and energy-based sensors are deployed in the United States than in other regions may explain the higher rate of attacks originating in the United States. China was the second highest country of attack origin, accounting for 17% of attacks against the power and energy sector. This is significantly higher than the 6% of Internet-wide attacks originating there. South Korea was the source country of 6% of the attacks targeting the power and energy industry, up from the of Internet-wide attacks originating there

6 About Symantec Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 0 countries. More information is available at For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free (800) Symantec Corporation World Headquarters 00 Stevens Creek Blvd. Cupertino, CA 901 USA +1 (08) (800) Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Symantec DeepSight Threat Management System and Symantec Managed Security Services are trademarks of Symantec Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation. Other brands and products are trademarks of their respective holder/s. Copyright 00 Symantec Corporation. All rights reserved. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. 09/

SYMANTEC SECURITY UPDATE JUNE 2005

SYMANTEC SECURITY UPDATE JUNE 005 Symantec Security Update - June 005 Worldwide and APAC Monthly report examining recent high severity vulnerabilities, cyber attacks, malicious code and spam activity.