Cyber attacks have intensified, study shows

The new survey reveals that browser-based attacks and phishing scams have increased in the last 12 months. To cope, one bank recommends the use of reduced sign-on to avoid a single point of failure.

SINGAPORE--A new study confirms that cyber criminals have increased their attacks on organizations, and security experts say this further underscores the need for IT managers to ensure their networks are not compromised.

The Computing Technology Industry Association (CompTIA) released a new study Wednesday which indicates that browser-based attacks and phishing scams have escalated in the past year. Backed by more than 20,000 members in 102 countries, CompTIA is a global IT trade group that aims to promote industry standards, IT training and certification.

Of the nearly 500 organizations that participated in the study, 10 percent of which were from the Asia-Pacific region, 56.6 percent reported that they have suffered a browser-based attack, according to the study. This is significantly more than the 36.8 percent reported last year and 25 percent the year before.

The study also found that the number of phishing attacks have intensified--25 percent of organizations said that they were victims of at least one phishing attack in the last 12 months, compared to 18 percent last year.

Exacerbating the problem are online businesses such as Russia-based iframeDOLLARS, which pay Web site owners US$0.061 for each machine they successfully infect with adware and spyware, said Kang Meng Chow, Microsoft's Asia-Pacific chief security and privacy adviser, during a security conference track at CommunicAsia Wednesday.

iframeDOLLARS has boasted of using exploits that take advantage of unpatched vulnerabilities in Internet Explorer and Java ByteVerify, and that do not "give away the fact that the code is dropping malware onto (the user's) machine", explained Chow.

At press time, the company’s site claims to have paid out US$4,670 in dues last week, which effectively translates to 76,557 infected PCs.

In fact, the spyware industry is reportedly worth billions of dollars annually.

To curtail criminal exploitation of corporate networks, IT managers need to understand the organization's technology profile, threat environment and draw up a risk profile, Kang said.

The CompTIA study also showed that viruses and worms continue to be the number one security threat, although the percentage of organizations reporting such threats have decreased. Two-thirds of responding organizations reported such attacks in the past year, down from 68.6 percent a year ago.

Although organizations cited data theft least frequently--about 16.9 percent--as a security issue, the problem poses a great risk to an organization's reputation, said Michael Mudd, director of public policy at CompTIA Asia Pacific.

Both Kang and Mudd made reference to the loss of industry confidence in Seisint and ChoicePoint, after hackers stole customer data belonging to the two consumer database companies.

Mudd said: "A 20GB iPod that is logged into your network can suck out 20GB of data, but you (normally) assume that someone (with an iPod) is listening to music. But perhaps they're not."

IT managers looking for more secure ways to control identity and access management in the organizations could perhaps take a leaf from the books of Chan Kin Chong, who is deputy chair of security and privacy standards, technical committee, JPMorgan Chase Bank Singapore.

Speaking during the same security track at CommunicAsia yesterday, Chan recommended the use of reduced sign-on (RSO) within the organization. Compared to password synchronization and single sign-on, RSO is emerging as a more flexible and pragmatic approach, he said.

The tool allows JPMorgan to select and group systems that share a common logon, though that also means users may be required to have additional passwords to access different clusters of systems. "But there is increased security as there is no single point of failure," he pointed out.