Symantec Security Intelligence Internet Security Threat Report Volume XVI June, 2011 Tiffany Jones Director – Programs and Strategy Symantec Public.

Presentation transcript:

Symantec Security Intelligence: Internet Security Threat Report, Volume XVI (June 2011)
Tiffany Jones, Director – Programs and Strategy, Symantec Public Sector Division
Symantec Internet Security Threat Report

Agenda
1. Global Intelligence Network
2. Threat Landscape Overview
3. ISTR XVI Key Facts and Figures

Global Intelligence Network: identifies more threats, takes action faster and prevents impact
Locations shown on the map: Calgary, Alberta; Dublin, Ireland; San Francisco, CA; Tokyo, Japan; Mountain View, CA; Austin, TX; Chengdu, China; Culver City, CA; Taipei, Taiwan; Chennai, India; Pune, India
Capabilities: Information Protection; Preemptive Security Alerts; Threat Triggered Actions; Global Scope and Scale; Worldwide Coverage; 24x7 Event Logging; Rapid Detection
• Attack Activity: 240,000 sensors, 200+ countries
• Malware Intelligence: 133M clients, servers and gateways monitored; global coverage
• Vulnerabilities: 40,000+ vulnerabilities, 14,000 vendors, 105,000 technologies
• Spam/Phishing: 5M decoy accounts, 8B+ email messages/day, 1B+ web requests/day

2010 Threat Landscape

Threat Activity Trends: AV Signatures in Perspective
Chart: Signatures 10M; Malware Variants 286M; Malware Attacks 3.1B
Speaker notes: We used to use virus signatures as an indirect measure of activity on the threat landscape. Today, however, cybercriminals use evasion techniques to get around the traditional signature model. Since there is no longer a one-to-one mapping between a signature and a single threat variant (we now try to write signatures as generically as possible to catch multiple variants), counting signatures is no longer a good way of representing changes in the threat landscape. Instead we look at the number of unique malware variants seen by Symantec and the total number of malware attacks we blocked.

Threat Landscape 2010: Overarching Actors
• Organized Crime Rings
• Well-Meaning Insiders
• Malicious Insiders
• Nationalists

Threat Landscape 2010: Trends
• Targeted attacks continued to evolve
• Social networking + social engineering = compromise
• Hide and seek (zero-day vulnerabilities and rootkits)
• Attack kits get a caffeine boost
• Mobile threats increase
Speaker notes: Here are the trends we saw in 2010; we will drill down into each of these areas in the following slides.
Targeted attacks: targeted attacks, while not new, gained notoriety in 2010 from high-profile attacks against major organizations (Hydraq/Aurora) and significant targets (Stuxnet).
Social networking + social engineering = compromise: the ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users. It's also proven to be fertile ground for attackers to
Hide and seek (zero-day vulnerabilities and rootkits): targeted attacks depend on their ability to get inside an organization and stay hidden in plain sight. Zero-day vulnerabilities and rootkits have made this possible and featured largely in attacks in 2010.
Attack kits get a caffeine boost: innovations from targeted attacks will make their way into massive attacks, most likely via attack toolkits.
Mobile threats increase: all of these attacks are moving to mobile devices, limited only by attackers getting a return on their investment (ROI). They are not widespread today, but we see this shifting, and it will be something to watch closely in 2011.

Threat Landscape  Targeted attacks continue to evolve High profile targeted attacks in 2010 – Hydraq and Stuxnet – raised awareness of the consequences of APTs Stuxnet signaled a leap in the sophistication of these types of attacks Four zero-day vulnerabilities Stolen digital signatures Ability to “leap” the air gap Potential damage to infrastructure - As illustrated by Stuxnet, you can no longer rely on “security by obscurity” and “physical isolation”, yet many industries still do e.g. manufacturing, telecom etc. All it takes is one weak link to establish a beachhead to further penetrate inside an organization. High profile attacks like Hydraq and Stuxnet were extensively covered Both attacks employed zero-day vulns with Stuxnet using a record 4 of them – almost one-third of the zero-day vulnerabilities reported in 2010 While Hydraq was quickly forgotten and, in time, Stuxnet may be forgotten as well, their influence will be felt in malware attacks to come. Stuxnet and Hydraq teach future attackers that the easiest vulnerability to exploit is our trust of friends and colleagues Detailed review in the: W32.Stuxnet Dossier & W32.Stuxnet More Info: Symantec Internet Security Threat Report

Threat Landscape  Targeted attacks continue to evolve Less sophisticated attacks also cause significant damage The average cost to resolve a data breach in 2010 was $7.2 million USD. Targeted attacks don’t have to employ zero-day vulnerabilities or target senior executives – social engineering targeting a single user with appropriate access is sufficient Although hacking was only the third most common cause of data breaches that could lead to identity theft in 2010, it was the top cause for reported identities exposed, with 42 percent of the total Customer-related information was the most exposed type of data in 2010, both for deliberate breaches and the identities exposed in those breaches Messaging: The high profile Hydraq and Stuxnet breaches garnered significant media attention in 2010, but it’s important to remember that targeted attacks occur regularly and don’t always affect large mutlinational corporations or government entities. These attacks serve to highlight targeted attacks but even SMBs can be affected for simple purposes such as the theft of financial information or customer and employee records. Average Number of Identities Exposed per Data Breach by Cause Symantec Internet Security Threat Report

Threat Landscape  Social networking + social engineering = compromise Detailed review of Social Media threats available in The Risks of Social Networking More Info: Whether the attacker is targeting a CEO or a member of the QA staff, the Internet and social networks provide rich research for tailoring an attack Information gathered from social networking sites can be used to mount a targeted attack using social engineering to compromise the target Social networking compromises also take advantage of implicit trust between members of the same social networking circle. Users are more likely to follow links in their newsfeed posted by friends. Shortened URLs can help to further mask the true nature of the destination website. During a three-month period in 2010, two-thirds of malicious links in news feeds observed by Symantec used shortened URLs 73% were clicked 11 times or more, with 33% receiving between 11 and 50 clicks while only 12% didn’t receive any clicks. Recent versions of Koobface send direct messages to an infected user’s friends and also post status updates and add other text to profile pages to install fake security applications Messaging: Companies continue to struggle to find a balance between making the most of the advantages of social networking and keeping their users happy while limiting the dangers posed by the increased exposure of potentially sensitive and exploitable information. Organizations need to create specific policies for sensitive information, which may inadvertently be posted by employees, while at the same time being aware that users visiting these sites from work computers may introduce an avenue of infection into the enterprise network Hackers have adopted social networking Use profile information to create targeted social engineering Impersonate friends to launch attacks Leverage news feeds to spread SPAM, scams and massive attacks Symantec Internet Security Threat Report

Threat Landscape  Social networking + social engineering = compromise Shortened URLs hide malicious links, increasing infections Shortened URLS leading to malicious websites observed on social networking sites, 73% were clicked 11 times or more Whether the attacker is targeting a CEO or a member of the QA staff, the Internet and social networks provide rich research for tailoring an attack Information gathered from social networking sites can be used to mount a targeted attack using social engineering to compromise the target Social networking compromises also take advantage of implicit trust between members of the same social networking circle. Users are more likely to follow links in their newsfeed posted by friends. Shortened URLs can help to further mask the true nature of the destination website. During a three-month period in 2010, two-thirds of malicious links in news feeds observed by Symantec used shortened URLs 73% were clicked 11 times or more, with 33% receiving between 11 and 50 clicks while only 12% didn’t receive any clicks. Recent versions of Koobface send direct messages to an infected user’s friends and also post status updates and add other text to profile pages to install fake security applications Messaging: Companies continue to struggle to find a balance between making the most of the advantages of social networking and keeping their users happy while limiting the dangers posed by the increased exposure of potentially sensitive and exploitable information. Organizations need to create specific policies for sensitive information, which may inadvertently be posted by employees, while at the same time being aware that users visiting these sites from work computers may introduce an avenue of infection into the enterprise network Regular URL 35% Short URL 65% Symantec Internet Security Threat Report

Threat Landscape  Hide and seek (zero-day vulnerabilities and rootkits) Although the short term trend in exploits of zero-days vulnerabilities is up, the long term is not Nevertheless, zero days are being used in a more aggressive way, e.g. they featured heavily in the targeted attacks of 2010 Attack toolkits help to spread knowledge of exploits that leverage vulnerabilities Rootkits taking more aggressive hold Tidserv, Mebratix, and Mebroot are current front-runners A rootkit is a collection of tools that allow an attacker to hide traces of a computer compromise from the operating system and, by extension, the user. The current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded. Variants of Conficker, ZeuS, as well as Stuxnet all use rootkit techniques to varying degrees Since the objective of targeted attacks and malicious code that steals confidential information is to remain undetected to gather as much information as possible it is likely that we will see further use of these techniques in the near future. Messaging: As malicious code becomes more sophisticated it is likely that they will increasingly turn to rootkit techniques to evade detection and hinder removal. As users become more aware of malicious code that steals confidential information and competition among attackers increases, it is likely that more threats will incorporate rootkit techniques to thwart security software. Number of documented ‘zero-day’ vulnerabilities Symantec Internet Security Threat Report

Threat Landscape  Attack kits get a caffeine boost Attack kits continue to see widespread use – 61% of web based attacks are due to toolkits. Java exploits added to many existing kits Kits exclusively exploiting Java vulnerabilities appeared More Info: Detailed information available in ISTR Mid- Term: Attack Toolkits and Malicious Websites While targeted attacks are focused on compromising specific organizations or individuals, attack toolkits are the opposite side of the coin, using broadcast blanket attacks that attempt to exploit anyone unfortunate enough to visit a compromised website Mpack 31%, Neosploit 31% and Zeus 19%. Phoenix toolkit and others increasingly implement exploits targeting Java vulnerabilities The sixth highest ranked Web-based attacks during the reporting period was also an attempt to exploit Java technologies One of the appeals of Java to attackers is that it is a cross-browser, multi-platform technology Messaging: Since exploits for some vulnerabilities will eventually cease to be effective, toolkit authors must incorporate new vulnerabilities to stay competitive in the marketplace. Currently, attackers are heavily targeting exploits for Java vulnerabilities. However, this could change if their effectiveness diminishes. Toolkit authors are constantly adapting in order to maximize sales of their kits Symantec Internet Security Threat Report

Threat Landscape  Mobile threats Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications Will be increasingly targeted as they are used for financial transactions More Info: Security Issues for Mobile Devices and a review of Apple iOS and Google Android 163 vulnerabilities 2010 115 vulnerabilities 2009 42% increase Recently, with the growing uptake in smartphones and their increasing connectivity and capability, there has been a corresponding increase in attention, both from threat developers and security researchers. Symantec documented 163 vulnerabilities in mobile device operating systems in 2010 compared to 115 in 2009 As with desktop computers, the exploitation of a vulnerability can be a way for malicious code to be installed on a device While it may be difficult to exploit many of these vulnerabilities successfully, there were two vulnerabilities that affected Apple’s iPhone iOS operating platform that allowed users to “jailbreak” their devices Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications. These applications are uploaded to mobile app marketplaces in the hopes that users will download and install them. In March 2011, Google reported that it had removed several malicious Android applications from the Android Marketplace and even deleted them from users’ phones remotely With the financial motivation of most malicious code, it is likely this will also be a driving factor for mobile threats Some of the first threats of this kind to arrive will likely be either phishing attacks or Trojans that steal data from mobile devices Messaging: Currently, mobile threats have been very limited in the number of devices they affect as well as the type of impact they have. While these threats are not likely to make significant inroads right away, they are probably looming over the horizon. 
As more financial transactions are made through mobile devices it is more likely that this will drive the development of malicious code for these devices in order to achieve return on investment. Symantec Internet Security Threat Report

Internet Security Threat Report XVI: Key Facts and Figures

Threat Activity Trends: Malicious Activity by Country
• The US and China continue to dominate, but the bottom 8 countries are separated by only 4%
Note: It is important to point out that attackers are not necessarily located in the same country where the malicious activity originates. As noted in previous reports, emerging countries like Brazil, India and Russia still figure prominently in malicious activity.

Threat Activity Trends: Malicious Activity by Country
• The US is the main source of bot-infected computers
• Higher broadband capacity allows more attacks per second
• Large-scale attacks using the ZeuS attack kit contributed to the high ranking of China for web-based attacks
• For the botnet associated with the Tidserv Trojan, over half of all infected computers are in the US
Speaker notes: The United States is the main source of bot-infected computers for the botnet associated with the Tidserv Trojan, with over half of all infected computers in this botnet located in the United States. Mexico's bot count is very low: #33 in the world, 155 per day and only 15,827 in total, with over half in Mexico City (52%) and the rest in Monterrey (9%), San Nicolás de los Garza (8%) and Tijuana (5%). Network attacks are closely tied to the broadband connectivity of a country. Since higher broadband capacity allows more attacks per second, compromised computers in those countries help to boost their rankings. Large-scale attacks using the ZeuS attack kit contributed to the high ranking of China for web-based attacks; these attacks compromised around 75,000 users in 196 countries.

Threat Activity Trends: Malicious Activity by Country
• Spam zombies dropped significantly in China but continue to be a major source of malicious activity in Brazil
• Phishing hosts in a country are tied to the broadband connectivity in that country as well as to its web hosting providers; many phishing sites are hosted on free web space provided by ISPs
• New regulations in China requiring ISPs to register email servers and maintain logs likely contributed to this drop
Speaker notes: Brazil is a strong source of bot-infected computers for major botnets that send out spam email messages, such as Rustock, Maazben and Ozdok (Mega-D).
Messaging: Slight changes in the rankings and percentages of countries below the US and China show that malicious activity is becoming more spread out. With high-profile ISP takedowns occurring in the past few years, along with the wider proliferation of high-speed connectivity, it is likely that attackers are becoming more opportunistic than ever before and compromise computers regardless of their physical location.

Threat Activity Trends: Data Breaches by Sector
• The top three sectors accounted for only a quarter of all identities exposed
• The average cost to resolve a data breach in 2010 was $7.2 million USD
• Customer data accounted for 85% of identities exposed
Charts: Volume of Data Breaches by Sector; Average Number of Identities Exposed per Data Breach by Sector; Average Number of Identities Exposed per Data Breach by Cause
Speaker notes: It is important to point out that these are breaches that could lead to identity theft, i.e. we don't know whether the information from a stolen laptop was sold. The data used is from the Open Security Foundation (OSF) DataLossDB. In 2010, the average cost per incident of a data breach in the United States was $7.2 million. The healthcare sector had the highest percentage of data breaches that could lead to identity theft, with 27%, an increase from 15% in 2009. The financial sector was the top sector in 2010 for identities exposed in data breaches, with 23 percent, a decrease from 60 percent in 2009.
Messaging: Single large breaches were responsible for the most identities exposed, but small breaches exposing fewer identities are just as damaging to the organizations and individuals involved. This shows that enterprises and SMBs need to mitigate their risk. Four measures that can be taken are protecting the infrastructure, protecting the information, developing and enforcing IT policies, and managing systems.

Vulnerability Trends: Web Browser Vulnerabilities
• Internet Explorer had the longest window of exposure
• The number of vulnerabilities in Firefox dropped from 169 to 100
• 150 more vulnerabilities were documented in Chrome than in 2009, but its window of exposure was less than a day
Speaker notes: The increase in Chrome vulnerabilities is tied to rapid development, including nearly 20 stable versions of the browser being released in 2010, and also to Google's bug bounty program. Safari benefited indirectly from this, as many of the vulnerabilities were reported in WebKit, which is used by both Chrome and Safari. The drop in Firefox vulnerabilities may be due to the relative maturity and stability of the browser; researchers may have abandoned Firefox to focus their efforts on easier vulnerabilities in other browsers with bounty programs. The window of exposure for Safari in 2010 was less than one day, based on a sample set of 110 patched vulnerabilities. The average window of exposure for Internet Explorer in 2010 was 4 days, based on a sample set of 47 patched vulnerabilities. Chrome had a window of exposure of less than a day in 2010, from a sample set of 191 patched vulnerabilities. In 2010, the window of exposure for Opera was one day, based on a sample set of 27 patched vulnerabilities. In 2010, Firefox had a window of exposure of 2 days for a sample set of 99 patched vulnerabilities.
Messaging: As always, the number of vulnerabilities in a browser does not reflect the overall security of that browser. Browsers with the largest user base are more likely to be targeted by attackers in order to maximize their return on investment. With the doubling of web-based attacks, this shows how important it is to keep browsers and all their components patched on a regular basis.

Malicious Code Trends: Top Malicious Code Families
• The Sality virus continues to be the most prominent sample; it spreads through USB devices and relies on the Autorun feature
• In Mexico, SillyFDC is #1, followed by Gammima.AG (online game credentials)
Speaker notes: Mexico is 9th in the world for malicious code activity and #1 in Brazil. With the recent patch that disables Autorun, we will see whether this has any effect on Sality's dominance next year. Ramnit is a virus that also propagates through removable USB drives, so it may also be affected by the Autorun patch. Estimates are that Downadup (Conficker) was on as many as 5 million PCs by the end of 2010, despite the availability of patches. In Mexico, worms (49%) and Trojans (39%) are the most prevalent types of malware, approximately 5% higher than in other countries within LAM.
Messaging: A significant number of the top malicious code samples this year propagate through removable media such as USB drives and through file sharing. This demonstrates the need for an adequate policy and defense strategy for these vectors, in addition to more traditional vectors like email attachments and, more recently, web-based attacks.
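Since Sality, Ramnit and Downadup all lean on Autorun from removable media, auditing the autorun.inf found on a volume is a cheap triage step alongside the Autorun-disabling patch. The block below is an added example, not code from the report: it parses the [autorun] section and flags entries that launch an executable, point into a hidden system folder, or reuse Explorer's own default AutoPlay label; both autorun.inf samples are constructed, and the payload name is a placeholder.

```python
import configparser
from typing import Dict, List

# Extensions that Windows will execute directly when named in open= or shellexecute=.
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# Keys that cause a program to run when Autorun/AutoPlay handles the volume.
LAUNCH_KEYS = ("open", "shellexecute")
# Folders Explorer hides by default; removable-media worms stage their payload there.
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")
# Explorer's own default AutoPlay verb label; copying it makes the malicious verb look like the safe one.
EXPLORER_LABELS = ("open folder to view files",)

# Constructed sample in the style of a removable-media worm's autorun.inf (not a real sample).
WORM_STYLE_INF = """[AutoRun]
open=RECYCLER\\EXAMPLE_payload.exe /q
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\EXAMPLE_payload.exe /q
"""

# Constructed benign sample: sets only a label and icon, launches nothing.
BENIGN_INF = """[autorun]
label=Product Install Disc
icon=setup.ico
"""


def load_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value, or {} if it is absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":  # section name is case-insensitive on Windows
            return {key.lower(): value.strip() for key, value in parser.items(section)}
    return {}


def audit_autorun(text: str) -> List[str]:
    """Return findings for entries that would launch code or disguise the launch entry."""
    findings: List[str] = []
    for key, value in load_autorun(text).items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell") and key.endswith("command"))
        if launches:
            tokens = value.split()
            target = tokens[0].lower() if tokens else ""   # program path before any arguments
            if target.endswith(EXEC_EXTENSIONS):
                findings.append(f"{key}= launches an executable: {value}")
            segments = target.replace("/", "\\").split("\\")
            if any(segment in HIDDEN_DIRS for segment in segments):
                findings.append(f"{key}= points into a hidden system folder: {value}")
        elif key == "action" and value.lower() in EXPLORER_LABELS:
            findings.append(f"action= mimics Explorer's default AutoPlay label: {value}")
    return findings


if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE_INF), ("benign", BENIGN_INF)):
        print(name, audit_autorun(sample) or "no findings")
```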

Malicious Code Trends: Threats to Confidential Information
• 64% of potential infections by the top 50 malicious code samples were threats to confidential information
• Malicious code that allows remote access accounted for 92% of threats to confidential information in 2010, up from 85%
Speaker notes: Remote access has been the most prominent threat to confidential information for some time, likely because of the convenience and versatility it provides attackers. In Mexico, 68% of all malicious code is spread through file sharing, 29% via CIFS and 29% via remotely exploitable vulnerabilities. Exporting user data and logging keystrokes are effective means for attackers to harvest sensitive financial information, online banking or other account credentials, and other confidential information. The increase in threats to confidential information is another sign that financial motivation is the primary driver behind the development of malicious code.
Messaging: Threats to confidential information are a key part of the underground economy. These, along with phishing attacks and data breaches, are the primary means through which attackers achieve financial gain.

Fraud Activity Trends: Phishing Categories
• Banks were spoofed by 56% of phishing attacks
• Many email-based fraud attempts referred to major events in 2010
Speaker notes: Phishing URLs spoofing banks attempt to steal a wide variety of information that can be used for identity theft and fraud. Attackers seek information such as names, government-issued identification numbers, bank account information and credit card numbers. Mexico has 16% of LAM's phishing hosts but only approximately 1% of the world's phishing hosts. Phishing schemes also continue to use major events like the Haiti earthquake and the FIFA World Cup to lure users.
Messaging: The continued dominance of phishing against financial institutions and the retail sector shows that attackers are likely still seeing success with this tactic. The quick monetary payout from these sectors makes it a lucrative tactic for attackers. This is unlikely to change significantly in the near future.

Fraud Activity Trends: Underground Economy Servers
• Credit card information and bank account credentials continue to be the top two advertised items, by a large margin
• Bulk rates for credit cards range from 10 cards for $17 to 1,000 cards for $300
• Location affects credit card prices but not bank credentials
Speaker notes: As with phishing attacks, the goods cybercriminals sell on the underground economy are most closely tied to those that provide the fastest financial gain, as evidenced by the continued high rankings of credit cards and online banking credentials. Credit card information can be stolen anywhere: phishing schemes, compromise of financial institutions, keystroke loggers and physical skimmers. Supply and demand is the main driver behind credit card prices: US cards are advertised for the lowest prices, while those from Asia, South America and some European countries command higher prices. Advertised balances of bank accounts for sale ranged widely, from $400 to $1.5 million. While the top end may be false advertising, there are enough accounts with balances in the thousands of dollars to indicate that they may be small and medium-sized business accounts. Attack toolkits saw a significant increase in advertisements. This is likely due to the increased availability of these kits as well as their increasingly advanced nature.
Messaging: The tools to commit cybercrime, as well as its spoils, are readily available to those searching for them. Increased advertising for attack kits shows that cybercriminals are profiting not just from the results of compromises but also from the tools used to achieve them. This emphasizes what we've been saying about the underground economy being a constantly evolving, self-sustaining ecosystem.

Fraud Activity Trends: Spam by category
Approximately three quarters of all spam in 2010 was related to pharmaceutical products
Symantec estimates that 95.5 billion spam emails were sent globally each day in 2010

Most pharmaceutical spam was related to "Canadian Pharmacy" websites and related brands. This spam was sent primarily by Rustock, Grum, Cutwail, and Donbot. Because these botnets were associated with the Spamit affiliate program, the level of pharmaceutical spam dropped temporarily when Spamit shut down, but resumed shortly after. Where some of the categories above represent only 0.5 percent of spam, this still equates to almost 500 million spam emails in a single day. Spam related to unsolicited newsletters, sex/dating, casino/gambling, job scams, and software all increased. Sex/dating spam primarily originates from Cutwail and Mega-D. The total amount of global spam in circulation decreased toward the end of 2010, with a number of major botnets reducing their output. A major reason for the decrease in the volume of botnet spam in 2010 is likely the shutdown of the Spamit affiliate program in the fall of 2010. In Mexico: 3% of the region's spam zombies and 5% of spam overall (approximately 1% worldwide). Increased throughput from Rustock was related to a decrease in its use of TLS (Transport Layer Security) encryption for outbound mail, which removes the per-connection handshake and encryption cost; this may have been done to maintain message capacity while the size of the botnet contracted. Rustock, Grum, and Mega-D all saw decreases in the number of bots, likely due to the Spamit shutdown, but Cutwail and Maazben increased. The largest single source of botnet spam from one country was India, which accounted for 8 percent of global botnet spam, followed by the US, Russia, and Brazil.
Messaging: As in the past, spam-friendly ISP shutdowns have had temporary effects on spam volumes and on the number of bots in some botnets. Unfortunately, botnets resurface on different IP addresses or other botnets rise to fill the void.
Messaging: Spam is created in a variety of different styles and complexities. Some spam is plain text with a URL; some is cluttered with images and/or attachments. Some comes with very little text, perhaps only a URL. All of these techniques are used to attempt to evade simple spam filters, showing a need for more advanced solutions.
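The three styles named above (plain text with a URL, image- or attachment-heavy, and URL-only) defeat a keyword-only filter for the same reason: there is almost no text to match. The added example below (not Symantec's filter; all messages are constructed in-line with the standard library, and the keyword list, thresholds and weights are illustrative assumptions) builds one message of each style plus a legitimate one, extracts structural features from the MIME tree, and compares a keyword-only score with a score that also penalizes bodies carrying a lure but no readable text.

```python
"""Structural spam scoring over the message styles the slide describes.

Added example; not Symantec's filter. Messages are constructed in-line with
the standard library. The point shown: a keyword-only filter scores the
image-only and URL-only lures at zero, while structural features catch them.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A tiny word list standing in for a simple keyword filter (constructed).
PHARMA_WORDS = {"viagra", "cialis", "pharmacy", "pills"}
SPARSE_TEXT_CHARS = 40   # below this, the body carries almost no readable text
SPAM_THRESHOLD = 3


def build_message(subject, text, html=None, n_images=0, attach_pdf=False):
    """Assemble a MIME message as a sender would; returns the raw message bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content(text)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    for i in range(n_images):
        msg.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                           subtype="gif", filename=f"img{i}.gif")
    if attach_pdf:
        msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                           subtype="pdf", filename="offer.pdf")
    return msg.as_bytes()


def extract_features(raw):
    """Structural features a filter can compute without understanding the text."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts, urls, images, attachments = [], set(), 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        maintype = part.get_content_maintype()
        if maintype == "text":
            body = part.get_content()
            if part.get_content_subtype() == "html":
                body = re.sub(r"<[^>]+>", " ", body)   # drop tags, keep visible text
            urls.update(URL_RE.findall(body))
            texts.append(body)
        elif maintype == "image":
            images += 1
        elif part.get_content_disposition() == "attachment":
            attachments += 1
    visible = URL_RE.sub("", " ".join(texts))
    words = set(re.findall(r"[a-z]+", visible.lower()))
    return {
        "visible_chars": len(re.sub(r"\s+", "", visible)),
        "url_count": len(urls),
        "image_parts": images,
        "attachment_parts": attachments,
        "keyword_hits": sorted(words & PHARMA_WORDS),
    }


def keyword_score(f):
    """What a simple content filter sees: keyword matches only."""
    return 2 * len(f["keyword_hits"])


def structural_score(f):
    """Keyword score plus penalties for bodies that carry a lure but almost no text."""
    score = keyword_score(f)
    reasons = [f"keyword:{w}" for w in f["keyword_hits"]]
    sparse = f["visible_chars"] < SPARSE_TEXT_CHARS
    if f["url_count"] and sparse:
        score += 3
        reasons.append("url with almost no text")
    if f["image_parts"] and sparse:
        score += 3
        reasons.append("image body with almost no text")
    if f["attachment_parts"] and sparse:
        score += 2
        reasons.append("attachment with almost no text")
    return score, reasons


def classify(raw):
    f = extract_features(raw)
    score, reasons = structural_score(f)
    return {"spam": score >= SPAM_THRESHOLD, "score": score,
            "keyword_only_score": keyword_score(f), "reasons": reasons, "features": f}


# Constructed samples in the three styles the slide lists, plus a legitimate mail.
SAMPLES = {
    "pharma_text": build_message("Canadian Pharmacy - 80% off",
        "Buy cheap pills from our licensed Canadian pharmacy today: http://pharma-deals.example.test/order"),
    "image_only": build_message("Special offer", "See attached.",
        html="<html><body><img src='cid:offer'></body></html>", n_images=1),
    "url_only": build_message("hi", "http://short.example.test/x7"),
    "legit": build_message("Meeting moved",
        "Hi team, the 2pm sync moved to 3pm; the agenda is at http://intranet.example.test/agenda. Thanks, Alice"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = classify(raw)
        print(f"{name:12} spam={r['spam']} keyword_only={r['keyword_only_score']} "
              f"structural={r['score']} {r['reasons']}")
```

Only the plain-text pharmacy pitch is caught by keywords alone; the image-only and URL-only messages score zero on keywords and are caught only by the sparse-text rules, while the legitimate message, which also contains a URL, stays clean because it carries real text around it.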

Best Practices for Protection
We've covered the five key trends we observed in 2010 (in our main report) and highlighted some of the key findings from the appendices of the ISTR.
Symantec Internet Security Threat Report (ISTR), Volume 16

Defenses Against Targeted Attacks
Advanced Reputation Security: detect and block new and unknown threats based on reputation and ranking
Host Intrusion Prevention: implement host lock-down as a means of hardening against malware infiltration
Removable Media Device Control: restrict removable devices and functions to prevent malware infection
Email & Web Gateway Filtering: scan and monitor inbound/outbound email and web traffic and block accordingly
Data Loss Prevention: discover data spills of confidential information that are targeted by attackers
Encryption: create and enforce security policy so that all confidential information is encrypted
Network Threat and Vulnerability Monitoring: monitor for network intrusions, propagation attempts and other suspicious traffic patterns

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against targeted attacks. These "Defenses" slides are meant to be an opportunity to have broader conversations with customers. These are the Symantec products that tie to the solution areas:
Symantec Endpoint Protection 12: Insight reputation-based security technology; up-to-date signatures against the IE 0-day exploit via IPS and protection against Hydraq via AntiVirus; device control capabilities.
Symantec™ Critical System Protection: this HIPS system is extraordinarily powerful in defending against attacks on key repositories of intellectual property.
Symantec™ Web Security and Symantec Brightmail™ Gateway: potentially infected files are scanned for infection and blocked accordingly.
Symantec™ Data Loss Prevention: DLP is highly effective at cleaning up "data spills" left in place by well-meaning insiders, which are a frequent target of hackers.
Symantec.cloud (MessageLabs™): SaaS email infrastructure implements disinfection and novel defenses against PDF/XLS-borne attacks.
Symantec™ Managed Services: Symantec DeepSight™ Early Warning Services provide actionable intelligence on the changing nature of the threat landscape; Symantec™ Managed Security Services provide a deep bench of analysts watching for incursions throughout your infrastructure.
Security Awareness Training: ensure employees become the first line of defense.

Defenses Against Hide and Seek (Zero-Days & Rootkits)
Advanced Reputation Security: detect and block new and unknown threats based on reputation and ranking
Security Incident and Event Management: detect and correlate suspicious patterns of behavior
Network Threat and Vulnerability Monitoring: leverage external services to monitor and correlate security events
Vulnerability Assessment: ensure network devices, OS, databases and web application systems are properly configured; determine whether or not a vulnerability is truly exploitable
Host Intrusion Prevention: implement host lock-down as a means of hardening against malware infiltration

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against rootkits and zero-days. These "Defenses" slides are meant to be an opportunity to have broader conversations with customers. These are the Symantec products that tie to the solution areas:
Symantec Endpoint Protection 12: Insight reputation-based security technology; up-to-date signatures against the IE 0-day exploit via IPS.
Symantec™ Security Information Manager: a highly effective means of finding correlations in network activity that indicate probes or attacks on internal systems.
Symantec™ Managed Services: Symantec DeepSight™ Early Warning Services provide actionable intelligence on the changing nature of the threat landscape; Symantec™ Managed Security Services provide a deep bench of analysts watching for incursions throughout your infrastructure.
Control Compliance Suite (CCS) Vulnerability Manager: CCS Vulnerability Manager (VM) provides end-to-end vulnerability assessments of network devices, OS, databases, web applications and Supervisory Control and Data Acquisition (SCADA) systems. CCS VM also features a vulnerability risk-scoring algorithm that delivers insight into whether or not a vulnerability is truly exploitable, so that remediation efforts can be prioritized accordingly.
Symantec™ Critical System Protection: this HIPS system is extraordinarily powerful in defending against attacks on key repositories of intellectual property.

Defenses Against Social Engineering
Web Gateway Security: scan all potentially malicious downloads regardless of how the download is initiated; prevent users from being redirected to malicious websites
Data Loss Prevention: discover concentrations of confidential information downloaded to an employee's PC
Network and Host Based Intrusion Prevention: monitor and protect critical systems from exploitation; protect against misleading applications like fake antivirus; prevent drive-by download web attacks
Strong Authentication: two-factor authentication to protect against socially engineered password theft
Security Awareness Training: ensure employees become the first line of defense

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against social engineering. These "Defenses" slides are meant to be an opportunity to have broader conversations with customers. These are the Symantec products that tie to the solution areas:
Symantec Web Gateway Security: scans all potentially malicious downloads regardless of how the download is initiated; prevents users from being redirected, by cross-site scripting or other injected content, to IP addresses that host malicious code.
Data Loss Prevention: monitors sensitive data to stop it leaving via email, IM, Web, and FTP; blocks files transferred over e-mail, IM, HTTP/HTTPS or FTP; discovers concentrations of confidential information downloaded to an employee's PC.
Symantec Endpoint Protection: Network Intrusion Prevention protects against multiple threat categories, including web attacks, fake application attacks, and attacks on unpatched vulnerabilities.
Symantec™ Critical System Protection: this HIPS system is extraordinarily powerful in defending against attacks on key repositories of intellectual property.
VeriSign Identity Protection (VIP) Authentication Service: a cloud-based second-factor authentication (2FA) service that protects enterprises from unauthorized account access above and beyond a simple username and password. It is based on open standards, offers a wide choice of credentials, and can easily integrate into enterprise applications and infrastructure. Through its cloud-based delivery model and breadth of credential options, VIP offers significant cost and time savings over typical 2FA solutions.
Security Awareness Training: give employees the knowledge and understanding they need to better protect valuable information assets.

Defenses Against Mobile Threats
Device Management: remotely wipe devices in case of theft or loss; update devices with applications as needed without physical access; get visibility and control of devices, users and applications
Device Security: guard mobile devices against malware and spam; prevent the device from becoming a vulnerability
Content Security: identify confidential data on mobile devices; encrypt mobile devices to prevent lost devices from turning into lost confidential data
Identity and Access: strong authentication and authorization for access to enterprise applications and resources; allow access to the right resources from the right devices with the right postures

This is not the place to pitch Symantec products, but it is an opportunity to talk about the types of solutions organizations need to have in place to defend against mobile threats. These "Defenses" slides are meant to be an opportunity to have broader conversations with customers. The Symantec product that ties to the solution areas is Symantec Mobile Management, which addresses all four areas listed above: Device Security, Content Security, Device Management, and Identity and Access.

Determine Your Level of Security
Symantec offers security assessments to reveal gaps in protection
Assessment Services: Data Loss Risk Assessment; Vulnerability Assessment; Malicious Activity Assessment; Targeted Attack Assessment
Security Advisory Services: PCI Assessments; Security Program Assessments

Objective for Slide: close for a follow-up with the customer, using these assessments as opportunities to uncover potential risks. Symantec has a number of assessments and advisory services available to help your organization determine where you could be at risk. Four of these are free assessments:
(1) Data Loss Risk Assessment. Many organizations have little visibility into where their confidential data is stored on the network, control over where that data is going, or what to do once they find it. A Symantec™ Data Loss Prevention Risk Assessment answers those questions. In a typical Data Loss Prevention Risk Assessment, Symantec helps create and implement data security policies to discover and monitor confidential data in a segment of your shared file systems and network, all without interfering with your current operations. Symantec™ Data Loss Prevention Network Monitor inspects all network communications for confidential data sent in violation of data security policy. Symantec™ Data Loss Prevention Network Discover finds confidential data wherever it is stored, including file servers, databases, document and email repositories, and web sites. Following the monitoring and discovery phase, our team gathers with the key decision makers and information owners from your organization for a one-hour executive-level meeting to review the results of the project. In addition, Symantec will build an overall business case for investing in Data Loss Prevention solutions, with preliminary best-practice recommendations.
(2) Control Compliance Suite Vulnerability Assessment identifies vulnerabilities you may have missed in your environment. In just one day, using actual data from your environment, you will see where your existing vulnerability programs are working and where you are still exposed. Other IT professionals have taken advantage of this offer and have found:
• Flaws in custom-built applications that could lead to SQL injection attacks
• Client-side vulnerabilities that could allow an attacker to take control of a system
• Systems missing critical patches, leaving them exposed to a buffer overflow attack and remote code execution
• Rogue devices on their network that were not hardened
(3) Malicious Activity Assessment. The Symantec Malicious Activity Assessment enables you to automatically collect, analyze, and draw conclusions about malicious activities that are happening in your environment right now. Through a quick, no-charge, 3-day engagement, Symantec can provide a quick way to assess how well your security strategies are meeting your goals. By aggregating and correlating a limited scope of your security source data, you can gain immediate insight into malicious traffic, suspected bot activity and endpoint threats. The Malicious Activity Assessment is delivered with the Symantec™ Security Information Manager (SIM) framework. Security Information Manager provides a unique and compelling view into previously unknown malicious activities and offers an objective assessment of how to improve your overall security posture.
(4) Targeted Attack Assessment. The Symantec Targeted Attack Assessment uses our expertise in reputation-based security to discover evidence of infection in a way nobody else can. Symantec's reputation-based security system leverages the anonymous software usage patterns of over 75 million participating customers to automatically compute safety ratings for every software file in the world, both good and bad. You tell us which systems you want us to scan, and we compare them against our database of software files to find any evidence of infection. If we find any suspicious files, we start working with you immediately to isolate and fix the problem. Consider the peace of mind that a Symantec Targeted Attack Assessment will afford you.
Security Advisory Services (paid-for services in NAM only; please engage Clint Sand's team if a customer is interested). There are three focus areas for security advisory services:
Application Security Services: Application Penetration Assessment; Application Code Review; Application Architecture Review
Network Security Services: Network Vulnerability Assessment; Network Penetration Assessment; Wireless Network Security Assessment; Network Architecture Review
Operational Security Services: Security Policy Assessment; Third Party / Vendor Risk Assessment; Host/Device Security Assessment
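The first finding in the list above, custom application code that builds SQL from user input, is worth seeing concretely. The added example below is not code from any assessed application or from Symantec; it uses an in-memory SQLite database with constructed rows to show the string-built query beside its parameterized replacement, and the kind of tautology probe an assessment uses to confirm that input is reaching the database as SQL rather than as data (the "truly exploitable" question from the earlier slide). The table, rows and payloads are illustrative assumptions.

```python
"""String-built SQL beside its parameterized replacement, plus a tautology probe.

Added example; not code from any assessed application. Uses an in-memory
SQLite database with constructed rows so the injection and the fix can be
observed side by side.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def lookup_vulnerable(conn, username: str):
    """The flaw: user input spliced into the statement text, so quotes in the
    input change the statement's structure."""
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """The fix: the value travels separately from the statement and can never
    become SQL syntax, whatever characters it contains."""
    return conn.execute("SELECT username, is_admin FROM users WHERE username = ?",
                        (username,)).fetchall()


# Classic tautology: closes the string literal and appends an always-true condition.
TAUTOLOGY = "x' OR '1'='1"


def probe_injectable(conn, lookup) -> bool:
    """Assessment-style check: does the tautology return more rows than a
    non-existent username does? Only a query that parsed the input as SQL can."""
    baseline = lookup(conn, "no-such-user")
    try:
        injected = lookup(conn, TAUTOLOGY)
    except sqlite3.DatabaseError:
        return False   # errored out rather than leaking; a sign worth following up, but not confirmed exposure
    return len(injected) > len(baseline)


def breaks_on_apostrophe(conn, lookup) -> bool:
    """Legitimate input such as O'Brien crashes the vulnerable form: the same
    defect seen from the functional side."""
    try:
        lookup(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, TAUTOLOGY))   # every row
    print("safe, tautology          :", lookup_safe(db, TAUTOLOGY))         # no match
    print("probe vulnerable/safe    :", probe_injectable(db, lookup_vulnerable),
          probe_injectable(db, lookup_safe))
```

Note that the probe checks row counts, not error messages: an application that swallows database errors still reveals the flaw when a tautology returns more data than a nonsense username should.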

Stay Informed: Additional Resources
Build Your Own ISTR: go.symantec.com/istr
Daily measure of global cybercrime risks: nortoncybercrimeindex.com
Stay abreast of the latest threats: Twitter.com/threatintel

Symantec has many resources for you to stay on top of the security threat landscape, and here are a few of the best tools we have:
Build Your Own ISTR (go.symantec.com/istr): This year, Symantec is offering its annual report on the Internet threat landscape in a whole new way. With the online "Build Your Report" tool, you can create your own custom version of the Internet Security Threat Report by selecting only those topic areas in which you are most interested. You can then print your custom report or share it on social networking sites like Twitter and Facebook. This online tool contains data from the four appendices that we used to include in the full ISTR in past years. It also contains regional data for EMEA and LAM as well as best practices.
Norton Cybercrime Index (nortoncybercrimeindex.com): This is a tool produced by the Norton consumer team. It is a daily measure of cybercrime risks globally.
Threat Intel Twitter Feed (Twitter.com/threatintel): These are updates from our Security Response analysts around the globe; subscribing to this feed will keep you informed about the latest threats and trends that Symantec is seeing across its Global Intelligence Network.

Tiffany Jones
Tiffany_jones@symantec.com