SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet


An important note about these statistics

The statistics discussed in this document are based on attacks against an extensive sample of Symantec customers. The attack activity was detected by Symantec Managed Security Services and the Symantec DeepSight Threat Management System between January 1 and June 30, 2005. Both services use automated systems to map the IP address of the attacking system to the country in which it is located. However, because attackers frequently use compromised systems located around the world to launch attacks remotely, the location of the attacking system may differ from the location of the attacker. Despite the uncertainty this creates, the data is useful for building a high-level profile of global attack patterns.

The number of contributing sensors in each industry varies. Combined with differing standard security practices, these variations may result in different attack data being recorded in each industry, which may preclude valid comparisons between industries.

Executive Summary

In addition to gathering Internet-wide attack data for the Internet Security Threat Report, Symantec also gathers and analyzes attack data detected by sensors deployed in specific industries. This industry data sheet discusses the top attacks, top targeted ports, and top source countries for attack activity targeting organizations in the power and energy industry.

Between January 1 and June 30, 2005, the top attack in the power and energy industry was the Possible Incoming Malicious Attachment Event, which indicates the presence of mass-mailing viruses or worms. Three of the top ten attacks in this sector are related to worms and email.

The top attacked port in the power and energy sector in the first half of 2005 was port 137, the NetBIOS Name Service port. Microsoft networking uses it for name resolution, and attack activity targeting it usually indicates username- and password-guessing attacks against file shares.

The United States was the top country of origin for attacks detected by sensors in the power and energy sector, accounting for [illegible]% of the events targeting this industry during the period. China was the second-ranked country of attack origin, followed by South Korea.

Top Attacks

Table 1. Top attacks, power and energy sector. Source: Symantec Corporation. Percentages that did not survive in this copy are marked [illegible].

Rank  Attack                                                               Percent of attackers        Affected service
 1    Possible Incoming Malicious Attachment Event                         x0% (first digit illegible)  Email (SMTP), worm
 2    Microsoft SQL Server 2000 Resolution Service Stack Overflow Attack   17%                         Microsoft SQL Server
 3    Generic ICMP Flood Attack                                            8%                          Generic DoS attack
 4    Microsoft Windows Shell Remote Code Execution Attack                 [illegible]                 Microsoft networking
 5    Generic DNS Poisoned Spoofing Attack                                 [illegible]                 Name resolution (DNS)
 6    Microsoft Internet Explorer TABLE Status Bar URI Obfuscation Attack  [illegible]                 Web (HTTP)
 7    Generic UPX Packed File Detected                                     [illegible]                 Generic malicious file download
 8    Generic SMTP Pipe Attack                                             [illegible]                 Email (SMTP)
 9    Generic DNS Malformed Packet Attack                                  [illegible]                 Name resolution (DNS)
10    Dabber Incoming Worm Attack                                          [illegible]                 Email (SMTP), worm

Discussion

For the purposes of this data sheet, top attacks were determined by the percentage of total attackers performing each attack. Between January 1 and June 30, 2005, the most widespread attack detected by sensors deployed in the power and energy industry was the Possible Incoming Malicious Attachment Event. This generic detection indicates the presence of suspicious email attachments and usually an attempt to spread a mass-mailing virus or worm. Although Symantec saw a decrease in the volume of mass-mailing worms in the first six months of 2005, they continue to be a problem for some organizations. Successful propagation consumes valuable organizational resources in detecting, identifying, and removing infections, and may force administrators to take individual computers or entire networks offline while remediation takes place.

To prevent malicious code infection, it is important to employ the best practices recommended by Symantec.[1] Administrators should keep patch levels up to date, especially on computers that host public services such as HTTP, FTP, SMTP, and DNS servers and are accessible through a firewall or placed in a DMZ. Email servers should be configured to allow only the attachment file types required for business needs. Symantec also recommends ingress and egress filtering[2] on perimeter devices to detect anomalous activity. End users should employ defense in depth,[3] including antivirus software and a personal firewall, update antivirus definitions regularly, and ensure that all desktop, laptop, and server computers have all necessary security patches from their operating system vendor. They should never view, open, or execute an email attachment unless the attachment is expected, comes from a trusted source, and its purpose is known.

The Microsoft SQL Server 2000 Resolution Service Stack Overflow Attack was the second most common attack detected by sensors in the power and energy sector, performed by 17% of attackers targeting the sector. It is best known as the propagation method of the Slammer worm and is commonly associated with three high-profile malicious code samples: Slammer,[4] Gaobot,[5] and Spybot.[6] The attack affects both Microsoft SQL Server and the Microsoft Desktop Engine (MSDE). Because MSDE is bundled with some third-party software, protecting against this attack is difficult: each affected software package must be patched, and the vulnerability is reintroduced whenever a vulnerable application is installed. If patches are not applied shortly after installation, a compromise is likely.

This attack uses UDP as its transport, which may contribute to its high ranking in two ways.[7] First, UDP allows a complete attack to be sent to every potential victim computer, regardless of whether an SQL server is installed and running; most intrusion detection systems interpret each attempt as a full attack, even if the destination computer is turned off. Second, UDP allows the attack to be sent from a spoofed source address, which may inflate the number of observed source IP addresses. Slammer did not spoof its source, but since the attack is now used by other malicious code, this ability could be added. The attack is particularly risky for mobile computers: a single infected host can carry the malicious code inside the perimeter through a VPN connection or by plugging directly into the network. Perimeter filtering of the Microsoft SQL ports and strong policy compliance can significantly reduce the risk of compromise by this attack.

The third most common attack during the first six months of 2005 was the Generic ICMP Flood Attack. ICMP is used to diagnose problems with Internet connections, and its ping component determines whether a machine is functioning and reachable. As with any network communication, ICMP traffic can be used to overwhelm a target with messages, saturating its bandwidth and creating a denial of service (DoS) condition. DoS attacks are a major threat to organizations that rely on Internet connectivity to carry out their operations, and a particular threat to companies that rely on the Internet to generate revenue. As discussed in the Attack Trends section of the current Symantec Internet Security Threat Report, this attack may be financially motivated, as DoS attacks have reportedly been threatened in extortion attempts.[8] The attack is relatively old and relies simply on bandwidth exhaustion, and operating system designers have put a variety of measures in place to minimize its effectiveness. Organizations should ensure that a documented procedure exists for responding to DoS events, including working with the Internet service provider to filter out the flood. Additionally, many firewalls and operating systems have configuration parameters that can be changed to mitigate the effect of a traffic flood. Organizations should ensure that all systems that might be targets of DoS attacks are appropriately hardened to minimize the disruption should an attack occur.

Top Targeted Ports

Table 2. Top attacked ports, power and energy sector. Source: Symantec Corporation. Port numbers that did not survive in this copy are marked [illegible]; the protocol column is filled in only where the service named makes it certain.

Rank  Port                      Protocol      Service
 1    137                       UDP           NetBIOS Name Service (Microsoft networking)
 2    1434                      UDP           Microsoft SQL Server (Resolution Service)
 3    135                       TCP           DCE-RPC (remote Microsoft Windows communication)
 4    [illegible]               [illegible]   Unknown
 5    9898                      TCP           Trojan / backdoor
 6    10.. (partly illegible)   [illegible]   Trojan / backdoor
 7    [illegible]               [illegible]   Unknown
 8    80                        TCP           Web service (HTTP)
 9    123                       UDP           Time synchronization (NTP)
10    10.. (partly illegible)   [illegible]   DCE-RPC (remote Microsoft Windows communication)

Discussion

Monitoring the ports that are attacked tells security analysts which services are being targeted and therefore which attacks are most prevalent. The top targeted ports are determined by the number of unique IP addresses that launched attacks against each one.

During the first half of 2005, the most widely targeted port was 137, the NetBIOS Name Service port. Microsoft networking uses it for name resolution and service queries. Scans targeting this port often indicate an attacker attempting to guess common usernames and passwords for file shares. Organizations should block all ports at the perimeter firewall except those required for enterprise operations. Strong passwords should be enforced to minimize the chance that a username and password combination can be guessed, and end users should be educated to create and use passwords of sufficient complexity.

The second most targeted port between January 1 and June 30, 2005, was port 1434. This port, used by the Microsoft SQL Server Resolution Service, was targeted by the highly successful SQLExp worm (also known as Slammer) and has since been used by common bot network applications including Gaobot and Spybot. The frequency of activity on this port reflects the high frequency of the Microsoft SQL Server 2000 Resolution Service Stack Overflow Attack discussed in the Top Attacks section of this document.

The third most widely targeted port in the period was port 135, used by the Microsoft Remote Procedure Call service, which allows remote computers to request services from a target computer. This port was widely targeted by the Blaster[9] and Welchia[10] worms and continues to be a popular target for Gaobot and Spybot. Symantec recommends that organizations filter all ports at the perimeter except those required for enterprise operations. Mobile computers and VPN connections also pose a risk, so organizations should ensure that these computers have strong policy compliance and a personal firewall to help mitigate it.

Top Source Countries

Table 3. Top source countries, power and energy sector. Source: Symantec Corporation. Values that did not survive in this copy are marked [illegible].

Rank  Country          Percent of attacks   Worldwide percent of attacks
 1    United States    [illegible]          [illegible]
 2    China            17%                  6%
 3    South Korea      6%                   [illegible]
 4    Japan            [illegible]          [illegible]
 5    Canada           [illegible]          [illegible]
 6    United Kingdom   [illegible]          [illegible]
 7    France           [illegible]          [illegible]
 8    Germany          [illegible]          [illegible]
 9    Hong Kong        [illegible]          [illegible]
10    Taiwan           [illegible]          [illegible]

Discussion

The United States was the top country of origin for attacks detected by sensors in the power and energy sector, accounting for [illegible]% of detected attacks (Table 3). This is significantly higher than the share of Internet-wide attacks that originated there during the period. The United States continues to have more Internet users than any other country, which may explain the high level of general attack activity originating there. Furthermore, Symantec has noted that attacking computers target their own region at a greater rate than other regions; the fact that more power and energy sensors are deployed in the United States than in other regions may explain the higher rate of attacks originating there.

China was the second highest country of attack origin, accounting for 17% of attacks against the power and energy sector, significantly higher than the 6% of Internet-wide attacks originating there. South Korea was the source of 6% of the attacks targeting the power and energy industry, up from its [illegible] share of Internet-wide attacks.

Notes

[1] See the Internet Security Threat Report, Volume VII (March 2005), Appendix A, http://enterprisesecurity.symantec.com/content.cfm?articleid=19
[2] Ingress traffic is traffic coming into a network from the Internet or another network; egress traffic is traffic leaving a network, bound for the Internet or another network.
[3] Defense in depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. It should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.
[4] http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
[5] http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.aa.html
[6] http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
[7] UDP does not require any synchronization before data is sent to and accepted by the target service. By contrast, an attack over TCP must complete the three-way handshake before data is sent, so a TCP-based attack is only seen if the targeted service is accepting connections. With UDP, the attacking system can simply send the complete attack without regard for whether the service is listening.
[8] http://www.newscientist.com/channel/info-tech/mg1871.900
[9] http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
[10] http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
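The attachment policy recommended in the Top Attacks discussion (allow only the file types the business needs, and treat unexpected executables as hostile), as an added example that is not part of the original data sheet and not Symantec's code. The allowlist, the sample message, and the function names are assumptions of this example.

```python
"""Inbound attachment policy check (added example; not Symantec's code).

The allowlist, the sample message and the function names are assumptions of
this example. An attachment is judged by its final extension, so
"invoice.pdf.exe" is treated as .exe, and by the first bytes of its payload,
so a renamed Windows executable is blocked whatever its name or declared
MIME type says.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed business allowlist. Archives are deliberately absent: this check does
# not open them, so a .zip could carry anything.
ALLOWED_EXTENSIONS = {"pdf", "txt", "csv", "png", "jpg", "docx", "xlsx"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE (and DOS) executable


def judge(filename: str, head: bytes) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one attachment.

    `head` is the first bytes of the decoded payload; two are enough for MZ.
    """
    pieces = filename.lower().rsplit(".", 1)
    ext = pieces[1] if len(pieces) == 2 else ""
    if head.startswith(MZ_MAGIC):
        return "block", f"{filename}: payload begins with an MZ executable header"
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"{filename}: extension .{ext or '(none)'} is not on the allowlist"
    return "allow", f"{filename}: .{ext} is permitted"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw message and judge every attachment part, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdicts.append(judge(part.get_filename() or "", payload[:2]))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed sample: a clean PDF, a double-extension executable, an
    executable renamed to .txt, and a clean CSV."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "ops@example.com"
    msg["Subject"] = "Q2 report"
    msg.set_content("Please see the attached files.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # only the header; not a real program
    msg.add_attachment(b"%PDF-1.4 constructed report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"site,kwh\nplant-a,1200\n", maintype="application",
                       subtype="octet-stream", filename="data.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict, reason in scan_message(build_sample_message()):
        print(f"{verdict:5}  {reason}")
```

Judging by the last extension is what makes the double-extension trick fail, and checking the payload header is what catches an executable that has simply been renamed; a file with no extension at all is blocked rather than allowed by default.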
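The Microsoft SQL Server 2000 Resolution Service attack over UDP port 1434, as described under Top Attacks and Top Targeted Ports, as an added example that is not part of the original data sheet and not Symantec's code. The classifier below separates ordinary SQL Server Resolution Protocol requests from oversized 0x04 (instance lookup) requests and from datagrams carrying the Slammer code sequence that public IDS signatures match on, then counts unique attacking sources the way Table 1's "percent of attackers" metric is built. The sample datagrams are constructed for this example and are not the worm; the 16-character instance-name limit is the SQL Server 2000 limit.

```python
"""Classifier for UDP/1434 SQL Server Resolution Service datagrams (added
example; not Symantec's code).

SLAMMER_MARKER is the code sequence that public IDS signatures for SQLExp
(Slammer) match on; the sample datagrams are constructed for this example and
are not the worm. The 16-character limit is the SQL Server 2000 instance-name
limit, so a longer name in a 0x04 request is treated as an overflow attempt.
"""
from collections import defaultdict

TYPE_BCAST_EX, TYPE_UCAST_EX, TYPE_UCAST_INST = 0x02, 0x03, 0x04
MAX_INSTANCE_NAME = 16
SLAMMER_MARKER = bytes.fromhex("81f10301049b81f1")


def classify_ssrp(payload: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one datagram sent to UDP port 1434."""
    if not payload:
        return "malformed", "empty datagram"
    kind = payload[0]
    if kind in (TYPE_BCAST_EX, TYPE_UCAST_EX):
        return "benign", "instance enumeration request"
    if kind != TYPE_UCAST_INST:
        return "unknown", f"message type 0x{kind:02x}"
    if SLAMMER_MARKER in payload:
        return "slammer", "SQLExp/Slammer code sequence behind the 0x04 header"
    name = payload[1:].split(b"\x00", 1)[0]  # instance name, NUL-terminated if well formed
    if len(name) > MAX_INSTANCE_NAME:
        return "overflow", f"instance name of {len(name)} bytes exceeds {MAX_INSTANCE_NAME}"
    return "benign", f"lookup for instance {name.decode('ascii', 'replace')!r}"


def attackers_by_verdict(datagrams) -> dict:
    """Count unique sources per non-benign verdict.

    Because the transport is UDP, a datagram is counted whether or not the
    destination was listening, and the source may be spoofed, so this is
    'attacking addresses seen', not 'hosts confirmed compromised'.
    """
    sources = defaultdict(set)
    for src, payload in datagrams:
        verdict, _ = classify_ssrp(payload)
        if verdict != "benign":
            sources[verdict].add(src)
    return {verdict: len(s) for verdict, s in sources.items()}


# Constructed datagrams. The "slammer" sample copies the worm's shape (0x04,
# a run of 0x01 filler, the marker, the strings an IDS keys on) but no code.
SAMPLE_SLAMMER = (b"\x04" + b"\x01" * 97 + b"\xdc\xc9\xb0\x42" + SLAMMER_MARKER
                  + b"\x01" * 8 + b"sock" + b"send" + b"\x01" * 16)
SAMPLE_DATAGRAMS = [
    ("10.1.1.5", b"\x03"),                    # admin tool enumerating instances
    ("10.1.1.6", b"\x04MSSQLSERVER\x00"),     # ordinary instance lookup
    ("198.51.100.1", SAMPLE_SLAMMER),
    ("198.51.100.1", SAMPLE_SLAMMER),         # same source twice: counted once
    ("198.51.100.2", SAMPLE_SLAMMER),
    ("203.0.113.7", b"\x04" + b"A" * 64),     # oversized name, not Slammer
]

if __name__ == "__main__":
    for src, payload in SAMPLE_DATAGRAMS:
        print(src, *classify_ssrp(payload))
    print(attackers_by_verdict(SAMPLE_DATAGRAMS))
```

The oversized-name rule catches variants that carry different code after the 0x04 header, which the fixed marker alone would miss; the marker rule names the family when it is present. Both fire on a single inbound datagram, which is exactly why the text notes that IDS sensors count every attempt as a full attack whether or not a SQL Server was listening.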
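The Generic ICMP Flood Attack discussed under Top Attacks, as an added example of the detection side that is not part of the original data sheet and not Symantec's code. It runs a sliding-window rate check over a constructed packet log; the thresholds, addresses, and traffic are assumptions of this example. It keeps one window per source and one per destination because a flood from many compromised or spoofed sources stays under any per-source limit and only shows up as an aggregate against the target.

```python
"""Sliding-window ICMP echo-request flood detector (added example; not
Symantec's code). Thresholds and the traffic log are constructed assumptions.
"""
from collections import defaultdict, deque

ECHO_REQUEST = 8  # ICMP type of a ping request


def detect_icmp_flood(packets, window=1.0, per_src_limit=50, per_dst_limit=500):
    """packets: (timestamp, src, dst, icmp_type) tuples in any order.

    Returns [(kind, address, first_ts)], with one alert per address for as
    long as it stays over the limit, so the flood does not become an alert
    flood of its own.
    """
    windows = {"src_flood": defaultdict(deque), "dst_flood": defaultdict(deque)}
    limits = {"src_flood": per_src_limit, "dst_flood": per_dst_limit}
    alerted = set()
    alerts = []
    for ts, src, dst, icmp_type in sorted(packets):
        if icmp_type != ECHO_REQUEST:
            continue
        for kind, addr in (("src_flood", src), ("dst_flood", dst)):
            win = windows[kind][addr]
            win.append(ts)
            while ts - win[0] > window:      # drop timestamps older than the window
                win.popleft()
            if len(win) > limits[kind] and (kind, addr) not in alerted:
                alerted.add((kind, addr))
                alerts.append((kind, addr, ts))
    return alerts


def constructed_traffic():
    """Constructed log against one target: 20 spoofed sources at 30 pkt/s
    each (under the per-source limit), one noisy single source at 100 pkt/s,
    and a legitimate monitor pinging every 10 s."""
    target = "10.0.0.5"
    pkts = []
    for i in range(20):
        src = f"198.51.100.{i + 1}"
        pkts += [(j / 30 + i / 1000, src, target, ECHO_REQUEST) for j in range(30)]
    pkts += [(j / 100, "203.0.113.9", target, ECHO_REQUEST) for j in range(80)]
    pkts += [(j * 10.0, "192.0.2.7", target, ECHO_REQUEST) for j in range(5)]
    return pkts


if __name__ == "__main__":
    for kind, addr, ts in detect_icmp_flood(constructed_traffic()):
        print(f"{kind:9} {addr:15} first seen at t={ts:.3f}s")
```

On the constructed log the single noisy host trips the per-source rule, while the twenty spoofed sources never do; only the per-destination aggregate reveals that 10.0.0.5 is being flooded. That distinction is why the text sends organizations to their ISP for upstream filtering rather than relying on blocking individual sources.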
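The NetBIOS Name Service traffic behind port 137, the top targeted port in Table 2, as an added example that is not part of the original data sheet and not Symantec's code. A node-status (NBSTAT) query for the wildcard name "*" is the request that lists a host's NetBIOS names, including the logged-on user and workgroup, and is the usual first step before the file-share username and password guessing the text describes. The parser below decodes the RFC 1001/1002 wire format, builds its own sample packets, and reports a source that sends wildcard NBSTAT queries to several hosts as a sweep; the addresses, names, and the three-target threshold are assumptions of this example.

```python
"""NetBIOS Name Service (UDP/137) query parser and sweep detector (added
example; not Symantec's code). Sample packets are constructed in-code.
"""
import struct
from collections import defaultdict

QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021   # name query, node status (nbtstat -A)
FLAG_RESPONSE = 0x8000


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-byte name plus suffix byte, each byte split into
    two nibbles and each nibble written as 'A' + nibble (32 bytes out)."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    pad = b"\x00" if name == "*" else b" "   # wildcard is NUL-padded, names space-padded
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    return bytes(nib for byte in raw for nib in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    nibbles = [c - 0x41 for c in encoded]
    if any(n < 0 or n > 15 for n in nibbles):
        raise ValueError("character outside A-P in encoded name")
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]


def build_query(txid: int, name: str, suffix: int, qtype: int) -> bytes:
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)   # flags 0: opcode QUERY, unicast
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_query(pkt: bytes) -> dict:
    """Parse the header and first question of an NBNS datagram."""
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if flags & FLAG_RESPONSE:
        return {"txid": txid, "response": True}
    if qdcount < 1 or len(pkt) < 50:          # 12 header + 1 + 32 + 1 + 4 question
        raise ValueError("query without a complete question")
    if pkt[12] != 32:
        raise ValueError("unexpected label length")
    name, suffix = decode_netbios_name(pkt[13:45])
    if pkt[45] != 0:
        raise ValueError("question name not terminated")
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "response": False, "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass}


def classify_query(pkt: bytes) -> str:
    q = parse_query(pkt)
    if q["response"]:
        return "response"
    if q["qtype"] == QTYPE_NBSTAT:
        return "nbstat_wildcard" if q["name"] == "*" else "nbstat"
    return "name_query" if q["qtype"] == QTYPE_NB else "other"


def find_nbstat_sweeps(datagrams, min_targets=3) -> dict:
    """datagrams: (src, dst, payload). Returns {src: [targets]} for sources that
    sent wildcard node-status queries to at least min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, pkt in datagrams:
        try:
            if classify_query(pkt) == "nbstat_wildcard":
                targets[src].add(dst)
        except ValueError:
            continue   # malformed datagram: not a valid query, ignored here
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed traffic: one external host sweeping four internal hosts, a normal
# name lookup from a workstation, a single admin nbtstat, and a junk datagram.
SAMPLE_DATAGRAMS = [("203.0.113.5", f"10.0.0.{i}", build_query(100 + i, "*", 0x00, QTYPE_NBSTAT))
                    for i in range(1, 5)]
SAMPLE_DATAGRAMS += [
    ("10.0.0.20", "10.0.0.255", build_query(7, "FILESERVER", 0x20, QTYPE_NB)),
    ("10.0.0.21", "10.0.0.3", build_query(8, "*", 0x00, QTYPE_NBSTAT)),
    ("10.0.0.22", "10.0.0.3", b"\x00\x09\x00\x00"),
]

if __name__ == "__main__":
    print(find_nbstat_sweeps(SAMPLE_DATAGRAMS))
```

The encoded wildcard name is the well-known 32-byte string beginning "CKAAAA", which is what a port 137 sensor sees in bulk during a sweep; a single such query from an internal administrator stays below the threshold and is not reported.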

About Symantec

Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com. For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
+1 (408) 517 8000
+1 (800) 721 3934
www.symantec.com

Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Symantec DeepSight Threat Management System and Symantec Managed Security Services are trademarks of Symantec Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation. Other brands and products are trademarks of their respective holder/s. Copyright 2005 Symantec Corporation. All rights reserved. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. 09/05 107998