
Once the Firewall is Penetrated by an Intruder, 44% of Systems are Defenseless
- Cyber Security Trend - Annual Review 2011 -

June 28, 2011
NRI SecureTechnologies, Ltd.

NRI Secure Technologies, Ltd. (HO: Minato-ku, Tokyo, President: Hiroshi Masutani, hereinafter "NRI Secure") has compiled the "Cyber Security Trend - Annual Review 2011" based on data it collected through its information security services in FY 2010.
The report warns that 44% of corporate information systems are defenseless once an intruder penetrates the firewall*1, and that 40% of corporate websites which underwent web application assessment for the first time were at risk of information leakage in the event of an external attack.

[The essence of the analysis results in the 2011 report]

  • More than 40% of systems are insufficiently equipped against attacks from inside the firewall

    The results of the platform assessment revealed that many systems rely heavily on firewalls and that 44% of systems contained servers which were defenseless on their own and could be attacked at any time (Figure 1). Therefore, once an intruder penetrates the firewall, almost half of systems will allow the intruder to attack servers and exploit all information on them.

  • 40% of corporate websites without web application assessment experience are in a dangerous state

    The results of the web application assessment show that while the proportion of dangerous websites has been gradually decreasing, critical flaws which can result in leakage of confidential information still exist in 31% of websites (Figure 2). The information security level varies among organizations. Critical flaws were found in 40% of websites run by organizations without previous experience of web application assessment (Figure 3).

  • Malware*2 was detected even in major domestic sites

    Last year, widespread damage was caused among websites using mashup*3 by malware which used a certain access analysis service as its infection route (Figure 4). Organizations must be aware that damage can still be caused to website users even when the security measures on their own website are perfect. According to the logs on the virus check servers managed within the Managed Security Services, 30% of websites where malware was detected were in .jp domains*4 (Figure 5), and these included a noticeable number of websites owned by organizations listed on the stock exchange.

  • Preventing escalation of internal fraud

    From the viewpoint of criminological analysis of intentional information leakage, restricting Internet access for non-business purposes, as well as strict access control on information assets, may be effective. Employees' web access recorded before and after the Japan earthquake on March 11 implies that most web access may have been for non-business purposes (Figure 6). Measures such as prohibiting access to websites which are clearly not related to business, and taking detailed logs of access to websites whose relation to business is difficult to determine, would be effective.

For information systems where flaws were found in the security assessment, NRI Secure presented specific measures together with the assessment results, and the measures were applied swiftly. In order to protect corporate systems from increasingly malicious cyber attacks, it is necessary to take overall security measures, including raising employees' awareness through training and drills, in addition to strict measures on systems such as at the Internet boundary and on PCs.

The "Cyber Security Trend - Annual Review 2011" is available at the following website.
http://www.nri-secure.co.jp/news/2011/pdf/cyber_security_trend_report_en.pdf

*1 Firewall:
A system to prevent external intruders from getting into the organization's internal computer network via the Internet.
*2 Malware:
The general term for malicious illegal software such as computer viruses and worms.
*3 Mashup:
A method to implement a new website by combining APIs (Application Programming Interfaces) from multiple web services.
*4 Domain:
An address-like system to identify computers and networks on the Internet.

Queries on the News Release

Yuko Kaito and Yukako Nakayama of the NRI Corporate Communications Division
Phone: +81-3-6660-8370
E-mail: kouhou@nri.co.jp

Queries on the Report

Tomohisa Ishikawa of the NRI Secure Technologies, Ltd. Technical Consulting Division
Hitomi Nemoto of the Sales Planning Division
Phone: +81-3-6274-1011
E-mail: info@nri-secure.co.jp

References

Research Outline
Research methods:
Analysis was based on the data collected through the information security services which NRI Secure Technologies offered its customers in FY 2010 (April 1, 2010 - March 31, 2011). Historical data collected through security assessment services from 2006 onwards was also used.

Analyzed data: Logs obtained from the following items managed by managed security services

1. Firewall
Logs from 36 devices connected to the Internet.

2. IDS (Intrusion Detection System)
Logs from 43 IDSs monitoring customers' websites.

3. WAF (Web Application Firewall)
Logs from WAFs protecting websites under 149 IP addresses.

4. Spam filtering server
Logs from spam filtering servers located in DMZs of 14 organizations.

5. Virus check server
Logs from virus check servers located in DMZs of 42 organizations.

6. URL filtering server
Logs from URL filtering servers located in DMZs of 18 organizations.

Managed Security Services
An outsourcing service offered by NRI Secure that provides security measures necessary to connect corporate networks or open systems to the Internet.

Results of security assessment services

7. Platform assessment
Results of system infrastructure assessment on 107 systems*1
82 systems were assessed via the customers' firewalls (remote assessment) and 25 systems were assessed by directly accessing devices within the customers' networks (on-site assessment).

8. Web application assessment
Results of web application assessment on 229 sites*2

Security Assessment Service
A service offered by NRI Secure that assesses overall system safety from various aspects.

  • *1 A group of devices which provides one service is counted as one system.
  • *2 A group of sites which provides one service is counted as one site.

Figure 1: Risk levels of system infrastructure over five years

(Data from web application assessment)

Figure 2: Risk levels of websites over five years

(Data from web application assessment)

Figure 3: Risk levels of websites with and without assessment experience over five years

(Data from web application assessment)

Figure 4: Attacks on websites with mashup
Figure 5: URL domains where malware was detected

(From logs on virus check servers)

Figure 6: Daily history of website access by website categories

(From logs on URL filtering servers)