SecureWorks has published details on the originating sources of attacks aimed at its clients during 2008. The figures show that the great majority of the attempted attacks originated from sources within the United States, with The People's Republic of China a distant second.
There were 12.9 million more attempted attacks originating in the U.S. than in China, suggesting that a large number of American systems remain compromised and that their owners have yet to take appropriate steps to secure them.
The United States topped the list with 20.6 million attempted attacks originating from computers within the country, while China ran second with 7.7 million attempted attacks emanating from computers within its borders.
There was a considerable drop-off to third place: Brazil, with 166,987 attempted attacks, with South Korea (162,289) and Poland (153,205) rounding out the top five. Japan (142,346), Russia (130,572), Taiwan (124,997), Germany (110,493) and Canada (107,483) completed the top ten.
“We believe these statistics are significant because they clearly show that the United States and China have a lot of vulnerable computers that have been compromised and are being used as bots to launch cyber attacks,” said Hunter King, security researcher for SecureWorks.
“This should be a warning to organizations and personal computer users that, not only are they putting their computers and networks at risk by not securing them, but they are actually providing these cyber criminals with a platform from which to compromise other computers,” he added.
Some may suggest simply blocking the IP addresses of known rogue hosts. Blocking known malicious IP ranges does help, but there is more to defending against these attacks than stopping a source that has already been identified.
“These findings illustrate the ineffectiveness of simply blocking incoming communications from foreign IP addresses as a way to defend your organization from cyber attacks, as many hackers hijack computers outside their borders to attack their victims,” said Don Jackson, the director of Threat Intelligence for SecureWorks.
As Jackson points out, there is a recent example of how blacklisting by country can fail to meet expectations.
“The Georgia/Russia cyber conflict was a perfect example of this. Many of the Georgian IT staff members thought that by blocking Russian IP addresses they would be able to protect their networks; however, many of the Russian attacks were actually launched from IP addresses in Turkey and the United States, so consequently they were hit hard. This was a perfect example where we saw Russian cyber criminals using compromised computers outside their borders.”
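The Georgian case comes down to a single weak check: a source-country filter says nothing about who actually controls the host. The following example is added here and is not SecureWorks' code or anything from the article. It applies a hypothetical "block Russia" range list to a constructed sshd-style authentication log, then runs a source-agnostic brute-force rule over the same lines and reports which attacking hosts the country block alone would have let through. The CIDR-to-country table uses the RFC 5737 documentation ranges as stand-ins for real country allocations, and every log line is constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical country-to-range table. These are RFC 5737 documentation
# networks standing in for real allocations; they are NOT geolocation data.
COUNTRY_RANGES = {
    "RU": [ipaddress.ip_network("203.0.113.0/24")],
    "TR": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}
# The defender's policy, modelled on the Georgian approach: block one country.
BLOCKED_COUNTRIES = {"RU"}

# Constructed sshd-style log (not from any real system). One burst comes from
# a "Russian" host, one from a "Turkish" host and one from a "U.S." host; a
# separate U.S. address has a single failed login followed by a success.
SAMPLE_LOG = """\
2008-08-10T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 4001
2008-08-10T10:00:02 sshd[101]: Failed password for admin from 203.0.113.7 port 4002
2008-08-10T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 4003
2008-08-10T10:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 4004
2008-08-10T10:00:05 sshd[102]: Failed password for admin from 198.51.100.22 port 5001
2008-08-10T10:00:06 sshd[102]: Failed password for admin from 198.51.100.22 port 5002
2008-08-10T10:00:07 sshd[102]: Failed password for root from 198.51.100.22 port 5003
2008-08-10T10:00:08 sshd[102]: Failed password for invalid user test from 198.51.100.22 port 5004
2008-08-10T10:00:09 sshd[103]: Failed password for admin from 192.0.2.9 port 6001
2008-08-10T10:00:10 sshd[103]: Failed password for admin from 192.0.2.9 port 6002
2008-08-10T10:00:11 sshd[103]: Failed password for root from 192.0.2.9 port 6003
2008-08-10T10:00:12 sshd[103]: Failed password for root from 192.0.2.9 port 6004
2008-08-10T10:00:20 sshd[104]: Failed password for jsmith from 192.0.2.50 port 7001
2008-08-10T10:00:31 sshd[104]: Accepted password for jsmith from 192.0.2.50 port 7001
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def country_of(ip):
    """Map an address to a country code using the (hypothetical) range table."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_RANGES.items():
        if any(addr in net for net in nets):
            return cc
    return None


def geo_blocked(ip):
    """The 'block the hostile country' control on its own."""
    return country_of(ip) in BLOCKED_COUNTRIES


def parse_failures(log):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def brute_force_sources(events, threshold=4, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` failures inside any sliding window.

    This rule looks at behaviour only, so it does not care which country the
    address belongs to."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def compare_controls(log):
    """Show what the country block catches versus what the behaviour rule sees."""
    attackers = brute_force_sources(parse_failures(log))
    caught_by_geo = {ip for ip in attackers if geo_blocked(ip)}
    return {
        "attackers": attackers,
        "geo_blocked": caught_by_geo,
        "missed_by_geo_block": attackers - caught_by_geo,
    }


if __name__ == "__main__":
    for name, ips in compare_controls(SAMPLE_LOG).items():
        print(f"{name}: {sorted(ips)}")
```

Run stand-alone, the script shows three brute-forcing hosts, of which the country block stops only the "Russian" one; the "Turkish" and "U.S." hosts, which in the Georgian case were the relays the attackers actually used, sail straight through, while the behaviour-based rule flags all three and leaves the legitimate user alone. The point generalises: a blocklist is a statement about where an address is, not about what it is doing.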
Yet the problem is larger than that, Jackson says. Chinese criminal groups, both large gangs and smaller cells, take over networks inside their own country and use them as bots to attack other organizations. “For example, entire university networks in China will belong to local hacker groups,” he said.
“China's hackers do create botnets from spamming through email and blogs, but a relatively larger percentage of the compromised hosts under Chinese control are simply machines in schools, data centers, companies -- in other words, on large networks -- that are mostly unguarded and consequently are entirely controlled by hacker groups, as opposed to distributed bots harvested from widely distributed international spam runs,” said Jackson.
“Often the groups have an insider in the networks they own,” Jackson adds. “We also see many local hacker groups in Japan and Poland compromise hosts within their own country to use in cyber attacks, so the Chinese hackers are not alone in using resources within their own borders.”
What the report ultimately shows, based on the attacks aimed at SecureWorks’ customer base, is a lack of layered security at several levels in networks both large and small. Those gaps have to be dealt with first if an enterprise truly wants control over how well it is protected.
The country of origin really only shows who has the most work to do. China has infrastructure problems of its own, and it is no real surprise to see how well connected some of its criminals are, or how far their control over networks extends.
The puzzling part is that networks within the U.S. appear to have the larger problem. Blacklisting helps to a point but, as the Georgian example shows, it is not a solution on its own.
Likewise, whitelisting helps to a degree, but only if it is controlled and monitored. Patching systems, auditing, and testing of processes and controls each have to be part of any resolution, because IT changes so quickly that no company can afford to rest on its laurels.
Yet if all of these mitigations are common knowledge, where is the gap that causes them to be forgotten or ignored, and that ultimately leads to compromise?
If a company claims to know what it needs to secure its network, why are there still problems?
We may never know. Take your pick of excuses: politics, budgets, training, staffing, the economy, or simple ignorance can all fit here.
Whichever way you look at it, something has to change or network security will continue to slip.