informa
/
Risk
Commentary

Security's Sisyphean Situation

Did you hear that? It's the sound of your network and applications being attacked. Hear that? It just happened again. What's worse, the nature of these attacks is changing. Gone are the good old days of simply having your Web site defaced, your e-mail corrupted by indiscriminant worms, and your networks flooded by brute-force denial-of-service attacks. Sure, you'll see plenty of those in 2006, but what you should really be worried about are the attacks you can't see. Where did it all go wrong? L
Did you hear that? It's the sound of your network and applications being attacked. Hear that? It just happened again. What's worse, the nature of these attacks is changing. Gone are the good old days of simply having your Web site defaced, your e-mail corrupted by indiscriminant worms, and your networks flooded by brute-force denial-of-service attacks. Sure, you'll see plenty of those in 2006, but what you should really be worried about are the attacks you can't see. Where did it all go wrong? Let's take a look.The thought on everyone's mind as we close out 2005 is how hacking has morphed from a hobby to a criminal enterprise. The people who keep an eye on such trends say they're seeing an increase in Trojans and other malware designed to "own" computers. This means hackers are assembling botnets for profit-making ventures, as launching pads for spam, for denial-of-service extortion, to steal passwords and other personal information, and to run phishing attacks.

"Criminal attacks represent a new threat for most organizations," Bruce Schneier, CTO of Counterpane Internet Security Inc., wrote in a report issued earlier this month by the company. "Most organizations have built their computer and network-security systems to defend against the hobbyist threat. Criminals are more highly motivated, better funded, less risk-averse, and more tenacious. Defending against them will require even more expertise and resources." Great.

But take heart. This criminal behavior apparently doesn't affect all industries equally. If you're not in, say, the financial services industry, you've got a much better chance of being left alone. In its report, Counterpane indicates that 50% of all the targeted scans the company detected on the 500 networks it monitors were aimed at financial services companies. The only other vertical close that even came close was bio-health with 17% of the targeted scans. In case you were wondering, such scans occur when someone interrogates multiple targets looking for potential vulnerabilities.

It's interesting to note that utility and power companies were low on Counterpane's list of attack targets. I don't know about you, but my utility and cable companies are constantly after me to pay my bills online, which I steadfastly refuse to do this, given that it takes five visits for the cable company to fix any problem with their service. One of Schneier's colleagues, Doug Howard, who's Counterpane's VP of services and delivery, at a teleconferenced security industry roundtable recently confirmed that utilities are looking to gather an increasing amount of personal information about their clients. This could be a dangerous trend, however, since "these companies haven't traditionally invested as much in IT security as security for their other systems," Howard said.

Not a comforting thought, given that today's attacks are all about gathering personal information. In the beginning of the year, half of the malware Symantec's Security Response division tracked was targeted at stealing confidential information. "From where we stand right now, 83% of what we're seeing is about stealing confidential information," Dave Cole, director of Symantec Security Response, told me this week. "That's a sizable shift. We're not seeing the big, noisy stuff." When asked what he meant by "noisy," Cole pointed out that Symantec categorizes malware according to its severity, with a Category 5 attack signifying pure poison for IT systems. In 2004, Symantec counted 33 Category 3 or Category 4 malware events (none, thankfully, in Category 5). This year, that number was down to only five. "Instead of seeing these huge, Internet-shaking events, we saw death by a thousand cuts," Cole said.

The relentless flood of spam doesn't help matters. As a global average, spam makes up 70% of all e-mail traffic, according to MessageLabs Ltd., a provider of e-mail security and management services that claims to process 1 billion messages weekly (I kind of feel the same way). To put a finer point on it, in August, one in 43 e-mails MessageLabs monitored was infected with a virus. Five years ago, only one in every 2,500 e-mails would contain a virus.

So, what's on tap for 2006? Look for rootkit-based attacks to continue. If you're not sure what that is, ask Sony. Also look for attackers to hit client-side applications growing in popularity, including VoIP, instant messaging, and media players. If we're really lucky, we'll even start to see attacks against networked consumer devices, such as gaming systems that let players face off via the Internet (again, sorry Sony). "The goal here would be to put these systems into an unusable state and worth about as much as a doorstop," Cole said. We may also see an increase in short-message-service spam. "Korea actually saw more SMS-borne spam than e-mail spam this year," Cole added.

I'd like to think I covered all of the bases here, but there's way more. My InformationWeek colleague Tom Claburn this week wrote a story about a report from the SANS Institute, in conjunction with government representatives from the U.S. and the UK, that highlights the 20 most critical Internet security vulnerabilities for 2005. SANS found that software applications and network devices are becoming the preferred targets of hackers, as opposed to the operating systems, Web servers, and e-mail servers they favored over the past several years. Look for an even more comprehensive story from Tom next week about the changing nature of security threats and what's being done (and what should be done) to arrest the problem.

At this point, I'd like to wish each and every one of my readers (you know who you are) a very happy and healthy Thanksgiving. For those of you who don't celebrate Thanksgiving, well, enjoy the rest of the week. Please send me your thoughts and comments on the challenges you're facing related to security. I'd like to hear about them and include your experiences in future blogs.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5