Ripping yarns

Riptech recently released its "Internet Security Threat Report" summarizing "Attack Trends for Q3 and Q4 2001."

The primary authors of this report, CTO Tim Belcher and Founder and Executive Vice President Elad Yoran, correctly note in their introduction to the study that many previously published reports on Internet attacks suffer from methodological flaws. Surveys, for example, inevitably suffer from self-selection bias; automated analysis of unedited firewall and intrusion-detection system (IDS) log files can distort or mask trends by swamping real attack data with spurious false alarms.

Riptech used a sample of 300 clients from its security monitoring service clientele. It analyzed 5.5 billion firewall log records and IDS alerts and identified 128,678 attacks over the latter half of 2001. During that period, they found that 63% of the attack activity was caused by Code Red and Nimda worms; these data were excluded from further analyses to prevent other interesting trends from being swamped.

Even during the six-month study period, the researchers found a significant increase in the average number of attacks per company: 79% overall between July and December 2001. Many of the attacks (around 40%) seemed to be deliberately targeted at specific organizations. Most (70%) of the attacks came from 10 countries (in descending order of frequency: the U.S., South Korea, China, Germany, France, Canada, Taiwan, Italy, Great Britain and Japan) and almost half came from the first three. Using published estimates of the numbers of Internet users in the countries of origin coupled with population figures, the Riptech team also estimated the per-user incidence rate of attack. In descending order, topping the list were: Israel, Hong Kong, Thailand, South Korea, France, Turkey, Malaysia, Poland, Taiwan and Denmark.

The authors write, "Overall, Microsoft Internet Information Services (IIS) vulnerabilities... were the target of the majority of the attacks."

Interestingly, the most frequent targets of "severe" attacks ("categorized as either emergency or critical") were power and energy companies (an average of 12.5 per company over the study period). Among the attacks originating in the Middle East, the average of all types of attack per target company was 66.5 (over six months) for power and energy firms. In contrast, among attacks originating in Asia, financial services companies suffered an average of 339 attacks each over the last half of 2001.

This summary provides a taste of the interesting material found, analyzed, summarized and graphed in this stimulating report. To download your free PDF version of the full report, fill out the form at:
