Information security violations in 2015
The number of malware infections detected in Finnish communications networks remained at a relatively low level throughout 2015. During the year, FICORA detected nearly 64,000 Finnish computers sending malicious traffic. In 2013 and 2014, no extensive malware epidemics were observed.
Malware statistics are based on information provided by FICORA's Autoreporter service. Autoreporter automatically transmits information to telecom companies about international observations of malware operating in Finnish communications networks or other activities violating information security. Telecom companies are able to utilise the information provided by Autoreporter in order to contact customers whose subscriptions are sending malicious traffic. In addition to actual malware incidents, the reported figures are affected by changes in the data sources from which Autoreporter collects its information.
When reviewing the malware incidents in 2015, the most widespread malware was, surprisingly, XcodeGhost, which is directed at Apple products. Autoreporter transmitted nearly 10,000 observations of the malware. XcodeGhost was discovered in September 2015. It is an unauthorised program attached to Xcode, Apple's application development environment, and it is copied to every application developed using an infected development environment.
Figure: The number of malware incidents transmitted by the Autoreporter system by quarter
Figure: The number of malware incidents transmitted by the Autoreporter system in 2015
On a global scale, infected development environments have mainly been detected in China, but applications infected by XcodeGhost have been detected in large numbers around the world – also in Finland. XcodeGhost steals private user data.
In practice, only a single large infection of the Nymaim ransomware was detected in August 2015, when more than 6,000 related observations were transmitted. Individual observations of Nymaim have been made since 2014.
Conficker is still the cause of a significant number of Finnish malware incidents. In 2015, approximately 4,700 Conficker observations were transmitted, but the figure is decreasing. Conficker was discovered back in 2008, and only a few malicious programs are as old as this one.
Tinba, data-stealing malware, increased its spread in Finland during 2015, with a little more than 4,000 Tinba observations being made.
During the year, a little more than 4,000 unidentified internet scans were made. Scanning other networks without proper authorisation is not permitted because it can be regarded as preparation for an attack.
Telecom companies are obligated to report to FICORA any significant information security violations, threats thereof and information security violations directed at personal data. In 2015, FICORA received 25 such reports. Of these, only one information security violation led to a functionality incident in a communications service. The number of reports has decreased since 2012, when FICORA received 38 reports.
The causes of significant information security violations reported to FICORA vary greatly from one year to the next. A single information security violation may have a number of different causes. In 2015, a significant DoS attack was a cause of five information security violations, with this number being lower than in many previous years. Usually, DoS attacks are targeted at name servers of telecom companies or web servers they offer to their customers.
In addition, the number of system intrusions and the unauthorised use of communications services is showing a slight decrease. The use of a service is unauthorised, for example, if a party guesses the password of a system user and logs in to the system using that password. In 2015, a system break-in was a factor affecting five significant information security violations.
Vulnerabilities of data systems or threats thereof were involved in four significant information security violations. The exploitation of a vulnerability may lead to incorrect or unexpected operation of a system or software. A successful exploitation may lead to protected data being modified or leaked, or its legitimate use being prevented.
Since the beginning of 2013, telecom companies have been obligated to specifically report any information security violations directed at personal data. In 2015, a total of 19 information security violations were targeted at personal data. Of these, eight incidents were errors in customer data management.
In addition to the observations made by FICORA's Autoreporter service and the information security violations reported to FICORA, telecom companies continuously investigate large numbers of other information security incidents in their customer subscriptions and services. The number of all information security incidents handled by telecom companies has been clearly decreasing since 2013. Last year, there were a total of 200,000 information security incidents, whereas the corresponding figure was more than three times higher in 2013. Of these, the majority concern malware detected by FICORA's Autoreporter system.
Regarding 2015, the number of all violations has only been reported over the latter half of the year due to an amendment to FICORA's regulation on telecommunications disturbances. If it is assumed that an identical number of violations occurred during the first half of the year, the total number of violations that occurred in 2015 is more than 196,000.
The trend concerning actions taken by telecom companies as a result of information security violations has been that problems can increasingly be solved by giving advice to the customers who own the subscription in which the violation was detected. In as many as 70 per cent of the 196,000 incidents that occurred in 2015, contacting the customer was enough to resolve the situation. Filtering network traffic is a sufficient repair measure in more and more incidents. In 2015, network traffic was filtered in 14 per cent of all incidents. More rarely, telecom companies need to disconnect a subscription that endangers information security. In 2015, this was necessary in only 5 per cent of all cases.
Unfounded observations and reports accounted for 11 per cent in 2015. Only an insignificant number of incidents to be resolved are forwarded to other parties.
Figure: Actions taken by telecom companies to resolve information security incidents in 2013–2015. The 2015 statistics only include the latter half of the year.
This article is a part of FICORA's Communications Sector Review 1/2016.