IBM's Internet Security Systems just released their
X-Force 2006 year-end summary. This document summarizes the changes and trends in the security landscape, from exploit releases to spam and phishing.
While this document makes for an interesting read (particularly since there are few words and lots of pictures), two things caught my attention. First, there are lots of floating statistics: numbers without any context that would make them relevant. For example:
- How did they collect the data? Is there a bias in their collection?
- They mention percents and increases, but not raw values or baselines. For example, they mention that 90% of spam messages use HTML, but they don't say how much email is spam.
- Are there any sample overlaps? For example, do their spam statistics include their phishing statistics?
- They use a lot of terms like "spam" and "trojan" and "exploit", but they don't define them. For example, are they using the CAN-SPAM Act definition of spam? Or are they using the Yahoo definition? Every company has their own definition for spam, and while definitions are similar, there is no single consensus. Similarly, how does IBM define phishing? Over the last few years, the APWG has evolved their definition to include spyware that collects banking information.
The other thing that caught my attention was their graph of the day of the week on which exploits are publicly disclosed. Weekdays have always been more popular than weekends, but Tuesdays are now noticeably more common. The question becomes: Why? I came up with two possible reasons.
- Upcoming standard. Microsoft has set a precedent with their Patch Tuesday releases. Other people either release on Tuesdays because they follow Microsoft's lead, or want to release something to compete with Microsoft's monthly announcements.
- Respect for administrators. I always tell people to not release exploits on weekends, Fridays, or Mondays. My reason is simple: administrators who need to deal with exploits usually don't work on weekends. A weekend release only helps the bad guys. Fridays are when people rush to finish everything before the weekend, so there isn't much time for a new exploit. And Mondays are when they have to deal with everything that broke over the weekend. That means Tuesdays are a good day to release exploits since admins will have most of the week to respond.
There has been talk that some bug hunters have gone professional and only work Monday through Friday. This would explain the weekday bulge, but not the focus on Tuesdays.
Frankly, I interpret this increase in disclosures on Tuesdays as the first real positive sign that security is being taken seriously by a larger audience.