NetObservatory: A National Observatory for Internet Security in Switzerland
Swiss Internet security relies on activities and services which companies and other organisations operate and use on a daily basis. While large companies have the means to minimise the risks inherent to their presence on the Internet, this is not the case for the majority of SMEs, which make up the greater part of the Swiss economy. Any presence or visible service on the Internet constitutes a hazard for both the structure and the stability of our activities – and not only for one’s personal activities but also for the entire nation’s economy.
Today, websites, e-mail and management applications are mandatory elements of a company’s productivity. These systems are linked to one another via a computer network, itself linked to the Internet. Given the extraordinary variety of hardware and software in use, web hosts and access suppliers are no longer able to offer targeted security measures. Within this context, the advent of an observatory for computer security is an opportunity not only for web hosts and access suppliers but also for the SMEs which represent the majority of their clients.
The NetObservatory project
Initiated in 2009, the NetObservatory Project sprang from a collaboration between the Fribourg-based College of Engineering and Architecture and two international leaders in computer security: Dreamlab Technologies AG, whose headquarters are in Bern, and OS Objectif Sécurité SA based in Gland. The project is supported by the Cluster IT Valley of the Scientific and Technological Centre of the Canton of Fribourg, whose goal is to encourage the growth and the creation of high value-added jobs by speeding up collaborations between the private and public sectors. NetObservatory also enjoys financial contributions made by four local partners: CDI SA, Tebicom SA, Accessible Sarl and Eb-Qual SA.
At the end of 2010, the NetObservatory issued its first assessment of the Internet security landscape for Swiss SMEs. Our premise was that there should be an easy way of measuring the attack surface – the result of Internet activity by Swiss companies – without using aggressive or intrusive methods and tools. Therefore, the collected information was taken from the public domain. Domain servers and open interfaces (web, e-mail or other specialised services) provide, upon request, a lot of information that can be exploited. The NetObservatory Project has succeeded in developing so-called public information collection tools and methods which provide an astonishing amount of quality information and are a measure of the project’s first success. Thanks to the use of a satisfactory method of investigation (known as « CI scouting »), the NetObservatory Project has succeeded in measuring the Swiss Internet attack surface.
NetObservatory has been able to measure and quantify Swiss internet security as the quantity of collected data is huge. The figures below give an idea of the volume of data processed by NetObservatory. The 1.2 million domain names ending with « .ch » and « .li » are:
● owned by 589’570 distinct individuals or companies
● hosted by 30’669 DNS servers (name servers)
● hosted by 44’774 e-mail servers
● hosted by 615’747 websites on 65’893 web servers
76% of web servers run Apache, 50% vulnerable
The first report describing the state of the Internet in Switzerland was published on December 1st 2010 (http://www.netobservatory.ch/report.html). A number of threats and risks weigh heavily on companies that depend hugely on Internet connections. The correlation of all these data highlights breaches made in the management of the « Internet playfield ». While these breaches are far from serious, they do represent a significant number of weaknesses that hostile groups or individuals could exploit in the short term. As an example, figure 1 (See Services and ports opened without apparent justification) shows the number of servers which have ports that, unless justified, should not be visible. In principle, each port can be exploited and will constitute a hazard for the infrastructure which hosts it.
Following the analysis of the measured values, it became apparent that an inordinate amount of server software (e-mail, web, domains) is not updated regularly. Supplier updates correct exploitable security errors on a very frequent basis. Figure 2 (Vulnerability of Web Server Apache) shows the proportion of web servers (the market leader Apache has a share of 76%) which have not been updated; their infrastructure is therefore prone to website defacement or other types of aggression.
To conclude, the study shows not only that half of the Apache web servers are vulnerable to cyber attack but also that the same is true of content management systems. 80% of the Typo3 applications and 57% of WordPress installations are not updated correctly even though they are among the most used applications. In the long run, the NetObservatory Project results will be used by an independent entity which should become financially self-reliant thanks to custom-made services operated for companies who seek them.