A growth in the threat vector from emerging economies is the highlight of the latest Symantec Internet Security Threat Report, and any continuation of the trend could alter the picture for companies selecting offshore outsourcing partners.
The report, the 15th in a regular series and covering calendar 2009, states there are "firm signs that malicious activity is now taking root" in countries building out broadband capabilities including Brazil, Poland Russia and Vietnam. This is likely to be in part because of increasingly available infrastructure but could also point to a desire on behalf of criminals to launch attacks from countries in which they are unlikely to be prosecuted.
"The whole shift to outsourcing and offshoring is [potentially] exposed because "these countries are" not up to speed on, or don't place the same emphasis on, security," said Kevin Hogan, Symantec senior director of global security response operations, noting that India was 11th most likely source of malware in 2008 and is now fifth in the rankings.
Separately, speaking with reference to web browsers, Hogan praised Microsoft for reducing the "window of exposure" between exploit code release and patching from seven days in 2008 to less than one.
"We work with Microsoft very seriously and in the last couple of years anyone would have to admit that Microsoft has done pretty well," he said. "IE 8 has had fewer issues than IE 6 certainly and fewer than IE 7. Unfortunately, there's still a very large user base for IE 6 and we see enterprises in particular that are slower to move because they have internal systems that depend on it."
However, Hogan said we should resist the temptation to equate longer windows of exposure, for example the 13 days average of Apple's Safari, or growth in new vulnerabilities, led by Mozilla Firefox with 169, with compromises.
For Safari, "ideally you'd like that bar be lowered but it might be inherently safer" because it is predominantly used on Mac OS X, for example, Hogan said. He also noted that choice of browser is irrelevant when it comes to the threat of many social engineering attacks.
His advice is to use "a recent and properly patched browser" but pushed on his own usage, he said that waiting three or four months after a new browser release is about right in order to ensure that the latest version has not introduced new issues.