The top threats to government systems, and where they're coming from

The global government threat landscape was dominated last year by Web-based attacks and targeted, advanced persistent threats intended to quietly steal valuable information, according to the latest annual assessment by Symantec.

China was the top country of origin for attacks against the government sector in 2009, accounting for 14 percent of the total, but too much should not be read into that statistic. The apparent country of origin says little about who actually is behind an attack, said Dean Turner, director of Symantec’s Global Intelligence Network.

China’s ranking is due primarily to the large number of computers in the country, Turner said. Less than a quarter of attacks originating in China were directed at government targets, while more than 48 percent of attacks from Brazil — No. 3 on the hit list — were directed at government. This makes it unlikely that China is specifically targeting government systems.

Related stories:

Lessons from Google attack could help bolster U.S. cyber defense

Which country is most feared as a cyber threat? Guess again.

Compromised computers that are the apparent source of attacks often are controlled from elsewhere, and an attack apparently emanating from China does not necessarily mean that the Chinese government, or even anyone in China, is behind it. Attribution of attacks is notoriously difficult, and statistics do not necessarily indicate that the United States is under cyberattack by China. In fact, the United States ranked second in origin of government attacks in 2009, accounting for 11 percent.

The source of malicious traffic has more to do with available infrastructure than with politics. The highest growth in malicious activity is taking place in countries with emerging digital infrastructures, Turner said.

The Government Internet Security Threat Report is a subset of the annual global Internet threat report compiled by Symantec from data culled from 240,000 sensors in 200 countries and 133 million client endpoints, as well as from an analysis of 8 billion e-mails and 1 billion Web requests a day in 16 data centers.

The vast majority of the threats in 2009 were coming from the Web, and Web server attacks accounted for 46 percent of the top 10 attacks.

“They aren’t breaking into your network,” Turner said. “They don’t have to. You are going to them.”

The growth in advanced persistent threats, which are targeted and often sophisticated, was one of the most serious trends in 2009, according to the report. In contrast to more visible smash-and-grab attacks that steal personal information, persistent threats are intended to operate quietly, looking for and siphoning off high-value data such as software source code or other intellectual property over a long period of time.

“Aurora is a perfect example of targeted threats against the enterprise,” Turner said, referring to the breaches reported in January by Google. Aurora reportedly hit more than 100 other companies.

Because these attacks are targeted, they often rely on social engineering to deliver malicious code, which means that traditional network and perimeter defenses often are not effective. Social networking sites are a growing source of personal information used by attackers in targeting their attacks.

“Social networking sites should be of particular concern to government organizations,” the report states. Not only are they a source of targeting information, they also can be a vector for delivering malicious code.

Although the threat from such sites has been recognized, the response has not been consistent across government. Symantec noted that the Marine Corps has banned access to such sites from its network, while the Army has established guidelines for their use by soldiers and civilian employees. “To effectively manage social networking within government networks, clear policies on access to these sites is required, along with appropriate countermeasures to prevent unauthorized information from being posted,” the report states.

Other areas of concern for government include emerging technologies such as cloud computing and virtualization, in which risks and defenses have not yet been adequately identified and addressed.

The volume of malware continues to grow, and Symantec created 2.9 million new malicious code signatures in 2009, most of the signatures covering multiple instances of malware. This represented a 71 percent increase over 2008. Much of this new malware is not used in mass distribution, but in targeted one-off attacks against individual users. Because malicious code can easily be modified on the fly by automated tools, signatures are becoming less efficient for countering malware.

“Nobody can rely on signature-based detection alone anymore,” Turner said. Effective defense requires application blacklisting and whitelisting as well as behavior and reputation-based detection.

Last year, 51 percent of all code Symantec blocked based on reputation scoring was found on only one computer, which means a signature would not have been effective against it, Turner said. “If you are relying on signatures alone, you are dead.”