Panda Security Insight

A few days ago we published the Second International Barometer of Security in SMBs. Even though this year we have increased the number of surveyed companies and countries, the results –generally speaking– are more or less the same as in the last edition:

• Awareness: Awareness about the need for protection is very high across all geographic areas, although an average of 7% of users still believe it is unimportant.

• Protection: 

o 80 to 84% of companies have a security system in place. It is interesting to note that between 11 and 13% of companies have no security system installed, figures which coincide with the results of last year’s study. 
o The most widely used security solutions are antivirus and firewall products, while anti-spam solutions are not extensively implemented.
o Whereas in 2009, the main reason given for not installing an antivirus was the price, this year the lack of realization of the need for these security products was an equally important factor. This indicates a lack of awareness about the problem. However, there has been a significant drop in the amount of companies who believe this type of software slows down systems, and an increase in those who declare that they are studying the implementation of security products.

• Infections: The infection ratio in companies has slightly decreased: 58% to 49%. However, these percentages are still very high, considering the negative impact that malware of any kind can have on a company.

o Loss of time and productivity as well as interference with computers, are the main consequences of infections (50% in Spain), followed by the loss of information.
o Security budgets remain broadly the same as last year, although when asked if they had anyone dedicated to security management, only 60% to 68% of companies confirmed they had.

Two pieces of information have truly caught my attention in this report. First, the percentage of companies that use free software to protect themselves:  14% in Europe; 18% in Latin America, and 32 % in the USA and Canada. 

Even though there is very good and competitive free software around in terms of protection, it is clearly insufficient to secure a corporate network, even a small one (bear in mind that this study surveyed companies with up to 1,000 computers). The fact that this type of application –highly recommended for home users– does not protect servers or network communications, and does not include advanced security features (such as a firewall ) or tech support poses a clear threat to companies which, if compromised, have a lot to lose.

Another significant aspect is the notable increase in the number of infections transmitted through external memory devices or USB drives (about 50% in the USA and Canada, the most technologically advanced countries).

This data shows the need for good security software and also complementary protection technologies; and obviously, security awareness and education to make users understand the need to protect their assets from any infection vector.

We will continue presenting subsequent editions of this Barometer, and we hope to obtain increasingly positive results showing the good security health of companies worldwide.

Tweet This Post 

Raising of awareness

The announcement has just been made public of the arrest of the suspected cyber-criminals behind Mariposa, one of the largest botnets ever reported. This operation has been possible thanks to the joint effort of the FBI and the Spanish Guardia Civil, together with Panda Security, Defence Intelligence, and Georgia Tech Information Security Center. CDmon, the ISP where the criminal domains were hosted, has also participated in the investigation.

The criminals behind the Mariposa botnet controlled almost 13 million personal, corporate, government and university computers in more than 190 countries. The stolen information included account information, user names, passwords, banking credentials and credit card data. The analysis is ongoing and a more comprehensive report from Panda Security will be available at http://pandalabs.pandasecurity.com shortly.

Of course, we’d like to congratulate law enforcement agencies – the FBI and the Spanish Guardia Civil- for their excellent work that has resulted in three arrests. This kind of operation is not always simple: The global nature of the criminal activities committed on the Internet makes it very hard and slow to prosecute Internet mafias.  However, in the words of Juan Salom, Chief of the Guardia Civil’s Cyber-Crime Unit, the coordinated effort of various international law enforcement agencies and the Guardia Civil, with collaboration from the Internet security industry, have been able to tackle the global threat of cyber-crime.

Operations like this are a great victory in the fight against Internet crime. However, this is just the first step, and its effectiveness will depend on the punitive action taken. Should this not be stiff enough, it will not serve as an example for those who are making millions of euros from these illegal activities. I am thinking of the likes of Ehud Tenenbaum who, after being found guilty of launching attacks on the US and Israeli governments computers, was finally sentenced to 6 months of community services. That was in 2001. In August last year, he was arrested again for a fraud operation amounting to 10 million dollars against a number of North American banks. There is a need for more dissuasive sentences.  If we want to fight cyber-crime, a more profitable activity for mafias than drug trafficking, we must make it less rewarding so that those who want to benefit from it understand that “it is not worth the risk”.

At Panda Security we strongly believe that the fight against Internet crime requires collaborative efforts from the computer security industry and public institutions in all countries along the following lines:  

1. Raise public awareness of the global threat that cyber-crime represents and its huge impact on our economy (we can’t just open our eyes to it whenever stories such as the Mariposa botnet shutdown make the headlines)
2. Push for implementation of proper legislation that is strictly applied through dissuasive sanctions (developing that legislation requires collaboration from regulators and the security industry so that laws reflect the ever-evolving reality);  
3. Train people in working groups, both in the security sector as well as government institutions and law enforcement agencies, so that they can develop adequate prevention and remediation technologies and prosecute criminals effectively.

Only when the public and private sectors work together will there be a chance to improve a situation which, unfortunately, gets worse every day due to the huge profits earned by hackers and Internet mafias. This collaboration must take place at an international level to be able to combat these supra-national organizations. Today’s news reassures us that it is possible to improve the situation. We cannot dream of eradicating cyber-crime, however, there is a clear opportunity to have a much more secure Internet if we keep working this way.

More information:

• Press release
• PandaLabs Blog
• Video: Q&A about Mariposa

Tweet This Post 

Malware, Raising of awareness, security

In my last post I talked about the need for cyber-security to become a priority. I also believe that the media could lend us a hand in generating awareness about the problem among the general public. Last week an article was published about the discovery of a zombie network controlled by a botnet called ‘Kneber’. According to the information available to date, it has infected some 75,000 computers in 2,500 organizations worldwide, also compromising user accounts on popular social networks. Kneber employs the infamous Zeus Trojan, which first appeared in 2007 and has been infecting computers ever since.
 
In fact, the number of computers affected is relatively low in comparison with other similar networks. The difference however is the coverage it has received in the media. We must bear in mind that what is not reported, simply doesn’t exist as far as the general public is concerned. Yet we work in a complex sector, and it is often very difficult to differentiate between what is important and what isn’t. The same applies to the media.  One criteria used to establish the significance of an issue is the number of affected users, but it isn’t the only one. If it is only massive attacks that get reported, we could be feeding the misconception that these are isolated cases, when the truth is that security labs are investigating these types of attacks on a daily basis. For users to fully comprehend the importance of proper protection and security, they must understand that apart from the massive attacks they hear about through the media, there are numerous threats which are surreptitiously targeting users every day, stealing their data or identity for financial gain.

These cyber-attacks are carried out by criminal organizations that earn millions every month through business models deployed across a channel that allows for anonymity and makes it difficult to track down the perpetrators, for a number of reasons: recruiting of ‘money mules’ to do the dirty work and cover the tracks of the real criminals; lack of legitimate tools and security personnel equipped to combat them, and an uncoordinated response from those responsible for security at an international level.

Although as security vendors we work to identify these new threats and offer solutions to our clients, it is not enough. Nowadays, cyber-crime is organized, and has evolved to the point that, as soon as we offer solutions or dismantle networks such as Kneber, criminals are able, in less than 24 hours, to adapt the code of bots and Trojans and redeploy the network, once again evading security systems.
 
In conversations I have had with others in the security industry, in public administration and the security forces, we tend to agree that we need to work together if we really want to combat cyber-crime. However, this will not be possible until we are able to make governments, companies and users aware of the real dimension of the problem. This is where the media comes in, as a vehicle for security information, awareness and education. In short, it can help us make cyber-crime a priority. Only in this way can we alert users to the true panorama, and jointly work to improve a situation which is steadily worsening.

Tweet This Post 

Malware, Raising of awareness, security

After the success of the Security Blogger Summit we organized last year in Madrid, we have decided to run a second edition of the event this year. This year’s summit will be focused more on end-user security, with the idea of directing the conversation towards conclusions that will help us improve security awareness among the public. This focus is the result of a series of conversations we have had with bloggers, opinion leaders and above all, with many of those who were present at last year’s event and who have given us much good advice (thanks to all of you!).
  
Participants include, among others, Brian Krebs, Kurt Weismer, Marcelo Rivero, Joseph Menn, Alejandro Suárez Sánchez-Ocaña, Javier Sanz, Marc Cortés, Yago Jesús and one of two other surprises, which for the moment we are not revealing.

We’ll be taking a look at the main threats and trends for 2010, and evaluating whether we are really doing all that is necessary to ensure we are more secure and particularly, that we avoid becoming the victims of fraud, with all the harm that entails. Similarly, we will be discussing legislation, collaboration between countries, the limits of privacy… And of course, we’ll talk about the specific action that can help us towards the dual goal of improving security and increasing end-user awareness.

We want the Summit once again to be a meeting point that encourages reflection, the exchange of opinions and experiences… and also for people to have a good time among others who, whether for professional or personal reasons, have a keen interest in security issues. We have set up a Twitter profile to follow the event in real time so that those attending (and others) can offer questions or comments. In addition to producing videos summarizing the highlights, we are also looking at offering video streaming of the event.  Keep an eye on the Security Blogger Summit Web page  in order to follow it through video streaming if you can’t make it to Madrid.

Last year’s summit was more like a meeting of friends, albeit a somewhat numerous gathering, and we hope to achieve the same atmosphere this year. You’ll find more information on the Security Blogger Summit Web page, where you can also sign up to attend the event. We look forward to seeing you!

Tweet This Post 

Malware, Raising of awareness, security

According to recent reports, MEPs have proposed creating a court specialized in digital crime as yet another step in the fight against cyber-criminals. The European Parliament has voted in favor of creating a European Court of Cyber Affairs. This proposal will now have to pass through other EU filters before reaching the heads of state who will have the last word. This will probably be decided at the European Council Summit on December 10-11.

We still don’t know the final decision and whether the initiative will go ahead, but I believe it’s worth underlining the importance that the fight against cyber-crime seems to finally have been given in the heart of the EU. After several years in which Internet crime figures have risen without a corresponding rise in the resources made available to combat it, it is certainly positive to hear that the EU is making a move.

And it is particularly positive that it is being done at the level of the EU. The fight against cyber-crime from a national perspective is necessary, but limited in scope: it is difficult to fight against a type of crime and criminals who are not restricted by borders from a jurisdiction limited to a national territory. That’s why this effort must be undertaken by supra-national organizations. In this respect, the National Cyber-Security Advisory Council in Spain (founded by Panda) has backed the initiative put forward by the Spanish senate in favor of creating a European Plan for Cyber-Security. This motion favors the creation of a European Plan for Cyber-Security during the Spanish presidency of the European Union in 2010.

The motion put forward by MEPs to create the European Court of Cyber Affairs is driven by the “significant increase in recent years” of online crime. The dark side of the Net. Yet we must still not forget that the Internet is a medium that offers substantial opportunities to society -and is vital for its financial/economic fabric-, as well as bringing together cultures and organizations without geographic frontiers. To defend a solid Internet, free from threats, is a collective exercise in which institutions have a key role.

Tweet This Post 

Raising of awareness, security

I read this morning in Michael Krisgram’s blog, the US congressman that has twitted (by the way, we should use as an indicator of business success the acceptance of company names as verbs …) confidential information about his route while travelling through Iraq recently.  Krisgram wonders whether the massive adoption of  Twitter may become a security/confidentiality issue for governments going forward.  In the corporate world, we are asking ourselves if this avalanche of business information communicated by employees which are not official speakers may have consequences through the leakage of sensitive information to the market that may even put companies’ strategies at risk.

Read more…

Tweet This Post 

Raising of awareness, Twitter, Uncategorized blog, business, communication, confidenciality, information, Iraq, Michael Krisgram, security, Twitter, US

It was reported yesterday that information relating to the monthly Barometer published by the Spanish CIS (Centro de Investigaciones sociológicas) was leaked.  The Chairman of this Government organization has initiated an investigation to clear if there has been a security breach.  The blogger that published the information in advance has apologized for all inconveniences caused and explained that he did not have any access to privileged information.  He explained that he just “guessed” the URL where the report had been posted because they always follow the same structure.

Read more…

Tweet This Post 

Raising of awareness, Uncategorized blogger, CIS, information, Panda, personal data, security, web