This week I’m sharing some analysis from the global field of information security. Every year numerous outlets publish their versions of cybersecurity. Hewlett-Packard, Cisco Systems, Brian Krebs, and Symantec are all part of the larger group of security specialists that produce such reports. This year marks Symantec’s 24th annual report, and I like theirs as well or more so than others I’ve reviewed. You too can read the full report for free by visiting Symantec’s website. In my experience, it’s one of the few places online where you can enter your email address and not end up receiving reams of advertisement throughout the year. Start that process at www.symantec.com and search for “ISTR 24,” or you can enter the complete URL to get to the report: https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf.
For the sakes of background and credibility, Symantec is a California based Fortune 500 company that has been in the security game for around 30 years, though it all started in 1982 with a National Science Foundation grant and numerous technological innovations. Perhaps the most widely known and used Symantec product, one that you may be familiar with, is its Norton Antivirus program. All told, Symantec firmly can be relied on for this information.
Symantec’s annual report that I’ve digested and commented on here is the Internet Security Threat Report, Volume 24. It results from collaborating with a network of security experts and systems. Thousands of threat events per second, over 300,000 global companies, nearly 4,000 researchers, and billions of monthly URL analyses are just some of the massive sets of inputs that lead to its report. Needless to say (though here I am saying it), the nature of the work can be described as comprehensive. Basically, the following is a year-in-the-life of information security, namely 2018 give or take.
First, let’s see the state of security from the mile-high view. When I wrote “URL,” that means uniform resource locator, and might be thought of as a website’s address. One company can have thousands of URLs. Amazon, for example, is easily reached by going to www.amazon.com, but there are probably more Amazon URLs than we could count. One of its URLs might be for when you’re shopping for toasters, and a separate one for four-slice toasters. This is why it’s logical that Symantec analyzes billions of URLs. It’s not looking at billions of companies. Also, with that brief background you have a reference about how Symantec concluded that 10% of all URLs include malicious computer code. Some might jump to the conclusion, thusly, that 10% of the internet is malicious. It’s not that simple. However, to me, that proportion of the billions of reviewed URLs being found as malicious is an important, and regrettable, statement about security.
Other big picture results from the 2018 analysis include the fact that web-based security attacks are up 56% over 2017. Ransomware, which are viruses that encrypt your computer or mobile phone until you pay a ransom, was up 37% last year. It was down overall as an attack, but your smartphones and business computer systems both experienced greater activity in the ransomware genre. Another area of concern is that the number of groups who are organized for levying cyberattacks is up 25%, and that greater number of attacking groups averaged around 55 targets each last year.
Symantec reported those large-scale trends, and then informed us about some of the more detailed computer crimes and threats out there. One of the newer plots is known as formjacking. In the 1970s, hijacking came into vogue mostly in the skies. In 2018, the hijacking was not concerned much with aircraft but rather with your payment information. When you visit one of those Amazon URLs intent on buying the newest gadget, you complete an online form that includes your name and credit card information. This eCommerce environment is rich with rewards for the criminals. To give you an idea of its prevalence, Symantec blocked 3.7 million such attacks last year. Ticketmaster, British Airlines, and many others succumbed. Nearly 5,000 websites were discovered to include formjacking tactics every month of Symantec’s analysis. Keeping your credit card in your front pocket doesn’t cut it any longer.
Cryptojacking is another relatively new crime being perpetrated online. Some of the most sophisticated internet criminals conduct cryptojacking operations. In this ploy, your computer, smartphone, and other devices are taken over without your knowledge. Then, the bad guys load software onto your machine or device. That software creeps around the internet looking for cryptocurrencies, such as the popular Bitcoin, Ethereum, or one of scores of other currency substitutes, which Warren Buffet, incidentally, recently said are “assets that create nothing.” Others disagree and have large deposits of cryptocurrency, and are subject to cryptojacking. The secret software, rarely detected, mines cryptocurrencies. When the criminal obtains enough data to cash out, he does just that and leaves your computer. You likely would never know you were indirectly part of the conspiracy even when you were not the target of the mining.
Other common attacks registered in 2018. Cloud computing hacking is up, and the Internet of Things—i.e., the billions of nontraditional computers such as smart refrigerators, cars, and connected doorbells—is continuing to be instrumental in large-scale security threats. The election hacking isn’t going anywhere soon, either. It will definitely be part of the 2020 election stories.
Do not be scared by these reports. Be wary though. You are undoubtedly a stakeholder in information security, just like you are one in transportation safety or healthcare. Your best bet, therefore, is to become knowledgeable in all those domains. When it comes to your security online, a great place to start building that knowledge is the Symantec report. I encourage you to read, learn, and then protect your family to the extent that you can.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.