Security Threats Won't Let Up: Attacks on Business Networks Are Expected to Grow as Use of Spyware Increases
By George V. Hulme
Hackers, viruses, and worms provided a constant threat in
2003. The year started off badly in January when the Slammer worm infected hundreds of
thousands of systems running Microsoft SQL Server in about three hours. The trouble
continued in the spring when the Bugbear virus hit hundreds of thousands of systems
worldwide. More problems arose later in the year when in the same week a blackout struck
the Northeastern United States and the Blaster worm attacked hundreds of thousands of
systems. And those were just the highlights. There were tens of thousands of threats that
affected individual businesses in various ways, depending on what systems and applications
they had deployed and what kinds of security systems and practices they had in place.
Nobody was immune.
The numbers tell the story of a serious and growing threat.
In 2000, the CERT Coordination Center, a government-funded security group, recorded 21,756
security-related incidents. In 2002, it reached 82,094 incidents. In the first three
quarters of 2003, the number of incidents totaled 114,855.
Four out of five businesses were hit by a virus or worm in
2003, according to a survey of 404 security decision makers by the Yankee Group.
Denial-of-service attacks were the second-most-common security incident, hitting about 40%
of those surveyed.
The problem will get worse and continue to eat up
substantial amounts of companies' IT budgets. More than half of those surveyed by the
Yankee Group expect their security budgets to increase during the next three years, while
only 8% expect security spending to decline. Some of that money will be used to patch
security holes in desktop software. Patching a desktop can cost from $189 to $264, the
survey says.
Security analysts and vendors predict that 2004 will bring
thousands of new viruses and worms and a huge increase in the use of spyware.
They also say that spammers will increasingly adopt tools
used by virus writers, adding to the volume of spam and the problems it causes for
corporate networks. In addition, few security experts expect to see anything close to a
letup in the 50 or more security-related software vulnerabilities discovered each week.
Spyware ranges from software that collects information on
a user's Web-surfing habits (called adware) to more insidious applications that hackers
use to collect every keystroke a user types, including passwords, credit-card numbers,
financial data, and other personal information.
Often, adware is installed when users download freeware or
shareware from the Internet but don't bother to read the license agreement that states the
snooping software is being installed. The more dangerous kinds of spyware can be
clandestinely inserted into a victim's system.
Even the most security-conscious businesses can find
themselves at risk if, for example, a mobile user's notebook is infected with spyware and
then the user logs on to the corporate network. "The issue gets serious when it comes
to telecommuters using home PCs, which may not have anti-virus and firewalls
installed," says Scott Blake, VP of information security at security firm BindView
Corp. "The corporation has no control over what software they install on their home
PC."
The bad guys are getting very sneaky, says John Pescatore,
VP and research fellow at Gartner. Increasingly, employees may log on to their corporate
networks from a coffee shop or a hotel room and see a screen pop up that appears to be a
legitimate message from the hotel or coffee shop they're patronizing. But it's not. It's a
fake message designed to get users to download a malicious Trojan or spyware application.
"Is it spyware or just a pop-up ad? How will you know?" Pescatore asks.
"This technique of collecting financial information, passwords, and being part of
identity theft is going to be a growing problem. We're going to see more real spyware
attacks."
It's already under way. In July, one person pleaded guilty
in federal court to installing key-logging software at several Kinko's Inc. locations in
Manhattan. For more than a year, he collected the keystrokes of the customers of the
printing and copying chain, including passwords and user names, and used that data to
fraudulently open bank accounts. A Boston College student was caught using a similar
application to steal student passwords and other information from more than 100 PCs at the
campus.
The number of tools available to combat spyware is growing,
and they're getting more effective. They're offered by software vendors that specialize in
standalone spyware-removal apps, such as offerings from PestPatrol Inc. and Webroot
Software Inc., which have apps to scan and remove spyware. And antivirus vendors such as
Symantec Corp. and Network Associates Inc. have begun adding spyware-detection and
-removal software to their antivirus apps.
Spyware also is attracting the attention of politicians.
Lawmakers are expected this year to introduce a new version
of the Safeguard Against Privacy Invasions Act, a bill to prohibit spyware. Reps. Mary
Bono, R-Calif., and Edolphus Towns, D-N.Y., have been working with privacy-rights groups
and the IT industry to refine the bill. One of the primary goals of the act is to direct
the Federal Trade Commission to prohibit the installation of spyware on computers used by
financial institutions or the federal government, unless the user first agrees to the
snooping.
Another trend that experts expect to see this year is more
spammers making use of virus-writing tools and techniques. Spammers are using the tools of
virus writers to anonymously send their ads. Vincent Weafer, senior director of
development at Symantec, says spammers will continue to use viruses and Trojan horses to
infect computers so they can then use those machines to anonymously send out waves of
E-mail. "They're now turning to home-user and small-business systems," Weafer
says. "They're hijacking tens of thousands of vulnerable systems and turning them
into anonymous spam mailers."
More than 65% of the spam messages intercepted by E-mail
security firm MessageLabs, which filters spam and viruses for companies, are sent from PCs
that have been hijacked by spammers and transformed into spam relays, the company reports.
This trend came to light with the Sobig.F virus. At the peak, MessageLabs says one in
every 17 E-mails it intercepted contained a copy of the Sobig.F virus. By Dec. 1, it had
stopped more than 32 million E-mails infected with the virus.
Many security experts believe the writer or writers behind
the Sobig.F virus were actually spammers or working with spammers, looking to use that
virus to infect thousands of machines that could then be used to anonymously blast
millions of spam messages. The technique keeps spammers' identities secret and can also
sidestep black lists used by spam filters. Sobig.F's success will likely lead to similar
outbreaks.
Another relatively new and growing danger: peer-to-peer
networks and instant messaging. Expect virus writers and snoops to start exploiting the
popularity of peer-to-peer networks, such as Grokster, Kazaa, and Morpheus, and
instant-messaging services offered by America Online and others.
Any company with employees using peer-to-peer file-sharing
networks is inviting trouble. Consider the following experiment conducted by Bruce Hughes,
director of malicious-code research at TruSecure Corp.'s ICSA Labs. He set up a crawler
program on Kazaa and other peer-to-peer networks, scanning for popular file types using
keywords such as sex and antivirus. Hughes says 45% of the files he downloaded contained
malicious applications. "If you're downloading files from these networks, you're
going to get infected with something," he warns.
Almost all the big attacks last year were aimed at
Microsoft PC and server software. This year, new threats will appear aimed at emerging
operating systems and devices, such as Linux, handheld devices, and smart cell phones.
"We'll see a cell-phone virus. It's almost a certainty," says David Perry,
global director of education for antivirus and content security firm Trend Micro Inc.
"We'll also probably see a virus designed to spread over wireless LANs. We just don't
know when; it could be this year or it could be five years."
Linux is more susceptible to attack because it offers
increased functionality and more users are running a graphical interface such as Lindows,
which makes Linux easier to use, says TruSecure's Hughes.
Still, most experts agree that Microsoft will remain the
target of choice for worm and virus writers, at least for the short term, because of its
market dominance.
Microsoft and other software vendors have been devoting
much time and effort to reducing the number of flaws in their code. But that won't
eliminate the software vulnerabilities that make it easier for hackers and virus writers
to attack. CERT says that more than 4,000 software vulnerabilities were reported in 2002
and nearly 3,000 were reported in the first three quarters of 2003. Security experts
expect that reported software vulnerabilities will continue to number between 50 and 60
each week.
The real issue isn't the number of vulnerabilities
reported, but the severity of the security flaws. The vulnerabilities discovered last year
and expected this year are increasing in severity, says Symantec's Weafer, who expects
that trend to continue. About 80% of all software vulnerabilities are "remotely
exploitable," which means virus and worm writers can write malicious apps that can
attack these flaws from anywhere, he says.
Security analysts are less concerned about so-called
zero-day worms that have gotten a lot of publicity recently. A zero-day worm is one that
starts attacking before the software flaw it takes advantage of is publicly known or
before a patch is available. "It takes a lot of skills to discover software
vulnerabilities and to write worms that will spread effectively," says Dan
Ingevaldson, engineering manager for X-Force, a research group at security firm Internet
Security Systems Inc. "It's very rare to find those two skills in one person."
Yet worm and virus writers are getting faster, which means
companies have less time to prepare once a software flaw is found. "We don't foresee
many day-zero worms. But we do see more day-seven to day-14 worms," Gartner's
Pescatore says. "Fewer than 15% of attacks occur within a month of the vulnerability
announcement today. That will double by 2006."
One good bit of security news is that Microsoft isn't
expected to launch any major new operating system or database products this year.
"Windows 2003 server is now in its second year, and many of the vulnerabilities have
already been uncovered," Pescatore says. "So we should see fewer vulnerabilities
from them next year." Plus, major software vendors spend more time and energy trying
to find security-related bugs before they ship applications. "All of the vendors are
very scared of looking like they have more bugs than Microsoft, and they're starting to
spend the money to make sure that doesn't happen," Pescatore says.
Businesses battling continuing waves of security threats
may need to add new weapons to their arsenals. In addition to quick patching, effective
firewall policies, strict remote-user security rules, and keeping antivirus software up to
date, businesses should look at intrusion-prevention applications such as those offered by
Cisco Systems, Internet Security Systems, Network Associates, Platform Logic, and Sana
Security. These applications don't rely on threat signatures and software policies to
thwart attacks. Instead, they attempt to block new attacks long before antivirus,
intrusion-detection, and firewall systems and policies can be updated.
Want a safe prediction for the new year? Here's one:
Companies will face new threats that no one expects, plus many variations of the old
threats. Information-security pros aren't willing to predict much progress in the battle
against worms, viruses, and other security threats. But there's one thing nearly all of
them do agree on: Businesses must continue to devote time, money, and personnel to keep
their systems as safe as possible.
Copyright 2004 CMP Media LLC
InformationWeek, January 5, 2004. George V. Hulme (ghulme@cmp.com)