This post profiles the threat landscape in Finland. This is part of a series of posts on the threat landscape in locations that consistently have low malware infection rates. I hope to offer insights into the threat landscape within regions in case this info proves helpful to other locations with higher infection rates.
Finland has consistently had a malware infection rate below the worldwide average since we started publishing regional malware infection rates back in 2007. The chart below illustrates the infection rate trend in Finland for 2009 and 2010.
Figure: Infection rates for Finland in 2009 and 2010 by quarter by CCM
The graph below provides some context on what Finland’s malware infection rate looks like versus the other 116 countries we provided malware infection data on in SIRv10.
Figure: CCM trend for Finland over 6 quarters, compared to 116 other locations and to the world as a whole
Looking at other data for Finland in 2010, we see the following:
· The number of phishing sites per 1,000 hosts in the United States was 2.1 times higher than in Finland in the first half of 2010, and 14 times higher in the second half of the year
· The number of malware hosting sites per 1,000 hosts in the United States was 14 times higher than in Finland in the first half of 2010, and 80 times higher in the second half of the year
· The percentage of sites hosting drive-by downloads in Finland was almost twice that of the United States in the first half of 2010
Figure: Phishing, Malware Hosting, and Drive-by Download Hosting Site Trends for Finland as published in SIRv10
Looking at the specific categories and families of threats found in Finland, adware is the most prevalent category of infection, as we saw in Austria. This is due to detections of JS/Pornpop, found on 21.4% of infected systems in Finland, and Win32/ClickPotato, found on 6.3% of infected systems.
Also found in relatively high proportions are miscellaneous trojans and miscellaneous potentially unwanted software.
Figure: Malware and potentially unwanted software categories in Finland in 4Q10, by percentage of computers affected
Figure: The top 10 malware and potentially unwanted software families in Finland in 4Q10
Why has Finland’s malware infection rate consistently been a fraction of the worldwide average? To help answer this question we asked Erka Koivunen, Head of Unit, Computer Emergency Response Team, Finnish Communications Regulatory Authority, and we published the following in the Microsoft Security Intelligence Report volume 7.
Erka Koivunen, Head of Unit, Computer Emergency Response Team, Finnish Communications Regulatory Authority (http://www.cert.fi)
What is it that makes Finnish networks so safe? A couple of things come to mind, and then one unavoidable conclusion.
First, the capability to detect needs to be complemented with the ability to take action. CERT-FI has tasked itself with concretely reaching out and finding factual technical information about malicious events taking place in Finland, out of Finland, or towards Finland. As it turns out, there are a plethora of community-driven projects gauging the level of malicious activity all over the internet: honeynets, darknets, log repositories, automated malware analysis tools, and others. What’s common for the majority of them is that the findings just sit in databases, with nobody trying to get rid of the troublemakers. Most of the projects are just dying to send the reports out to someone who would take care of finding the compromised ICT systems and helping the victims. Our automated tool, CERT-FI Autoreporter, downloads these reports en masse, anonymises the sources, determines the responsible Finnish network admins, and proceeds to let them know about the breaches, so they can take action.
Second, the lifetime of the malware infections and security breaches needs to be cut down. The general attitude among Finnish network admins is that it’s in their own and their customers’ interests to act quickly once the reports hit their desks. It saves helpdesk costs, cuts down the amount of malicious traffic, and helps increase customer confidence. As a result, the infected computers get treated fast or risk losing connectivity. Botnet controllers and malware distribution sites have proven to have a hard time staying online in Finnish networks.
Third, the positive regulative atmosphere regarding sensible information security…. There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.
As a result of all this, the number of “malicious” events in Finnish networks hasn’t exceeded the growth of the connected users in the past couple of years. Needless to say, we need to be constantly vigilant and adapt our posture to the changes in the security landscape. This will require some excellent navigation skills in the future, we know.
Ah, the Unavoidable Conclusion I mentioned earlier. While we acknowledge that the Finnish networks appear to be clean, at the same time we understand that this doesn’t necessarily make Finland any better prepared for a possible cyber attack than anyone else. We are just less likely to cause headaches for everybody else. In this sense, the description of Earth in the [Douglas Adams] book The Hitchhiker’s Guide to the Galaxy fits Finland quite nicely as well: “Mostly Harmless.”
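The report-routing workflow described above (collect third-party findings, anonymise the source, find the responsible network admin, notify) can be sketched as follows. This is an added example, not CERT-FI Autoreporter code; the feed names, address ranges (RFC 5737 documentation blocks), abuse contacts and function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation address ranges (RFC 5737) and
# hypothetical abuse contacts; nothing here comes from CERT-FI.
NETWORK_CONTACTS = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "192.0.2.128/25": "abuse@hosting-b.example",   # more specific allocation
    "198.51.100.0/24": "abuse@isp-c.example",
}

FEED_EVENTS = [  # constructed events, as third-party projects might report them
    {"feed": "honeynet-x", "ip": "192.0.2.10", "type": "bot", "seen": "2010-11-02T08:15:00Z"},
    {"feed": "darknet-y", "ip": "192.0.2.200", "type": "scanner", "seen": "2010-11-02T09:40:00Z"},
    {"feed": "sandbox-z", "ip": "192.0.2.200", "type": "malware-host", "seen": "2010-11-02T10:05:00Z"},
    {"feed": "honeynet-x", "ip": "203.0.113.7", "type": "bot", "seen": "2010-11-02T11:00:00Z"},
    {"feed": "darknet-y", "ip": "not-an-ip", "type": "bot", "seen": "2010-11-02T11:30:00Z"},
]

def responsible_contact(ip, contacts=NETWORK_CONTACTS):
    """Longest-prefix match of an address against known allocations."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    matches = [ipaddress.ip_network(n) for n in contacts
               if addr in ipaddress.ip_network(n)]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return contacts[str(best)]

def build_reports(events, contacts=NETWORK_CONTACTS):
    """Group events per responsible admin, dropping the reporting source."""
    reports, unrouted = defaultdict(list), []
    for ev in events:
        try:
            contact = responsible_contact(ev["ip"], contacts)
        except ValueError:          # malformed address in the feed
            contact = None
        if contact is None:         # malformed, or outside the covered networks
            unrouted.append(ev)
            continue
        # Anonymise: forward only what the admin needs, never the feed name.
        reports[contact].append({k: ev[k] for k in ("ip", "type", "seen")})
    return dict(reports), unrouted

if __name__ == "__main__":
    reports, unrouted = build_reports(FEED_EVENTS)
    for contact, items in sorted(reports.items()):
        print(contact, items)
    print("unrouted:", len(unrouted))
```

Events that cannot be attributed are kept in `unrouted` rather than discarded, so an operator can review feed quality or pass them to another national team.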
I also asked Kimmo Bergius, Microsoft’s Chief Security Advisor in Finland, for his opinion.
The infection rates and other metrics for Finland have consistently been below the world-wide averages, and we have often wondered ourselves what the reason is for this. I agree with what Erka mentions earlier, that the first reason for this is legislation and regulation: in Finland computer and Internet security is legislated and in CERT-FI we have an active regulatory body that is not only able but also willing to take action on detected issues.
Finland is also a relatively small country, and in a small country it is possible to know your peers within the security community, which makes it a more fertile ground for active co-operation between the regulator and the various parties within both the public and the private sector.
End user education has much to do with the positive results. In Finland we have, for example, run the National Security Day initiative for the past eight years. This is a concept developed here and copied to various countries all over the world, with the goal of educating end users from school children all the way to seniors, and also small organisations, on the basics of keeping your computer secure and navigating the Internet safely, which has resulted in a heightened level of awareness on security issues.
I think that the answer to the combination of legislation and regulation, co-operation between the players in public and private sector and finally end user education has had much to do with the good results. This doesn’t, however, mean that we can assume it will always be so: we need to focus on these issues even more in the future to maintain this situation.
The next part of this series of blog posts will be focused on Germany.
Director, Product Management