State Of Siege

Catch yourself before you say, “it can’t get any worse than this.” It can.The one thing that’s absolutely certain about network security is that, no matter how well you prepare for the threats you know and expect, there is a whole legion of new menaces waiting to burn you. Being open to the Internet, says Forrester Research’s David Friedlander, means being in a constant state of siege.
“That’s one of the costs of being on the Internet,” he says. “By taking traffic in, you’re inevitably going to take in something that might hurt you.”
By far and away, the biggest, most insidious emerging security threat is malware — the spyware and adware that jumps through the network to graft itself onto your system registries and clog your computers. Those old standbys, viruses and worms, are still the biggest threats facing networked businesses but, according to a report released by Forrester in March, a quarter of the companies surveyed identified spyware as one of the top three threats. Almost two thirds reported plans to invest in anti-spyware tools, so you know it’s bad.
“It’s going to get worse before it gets better,” Friedlander says. “Spyware has already become a major issue for businesses. The enterprises we surveyed estimated that 17 per cent of their systems were infected. But only 60 per cent actually knew how many were infected.”
Superficially, malware doesn’t seem like such a bad threat, as threats go. After all, what are a few pop-up ads going to do to your company? Plenty, it turns out. “In terms of financials, it’s a serious problem,” says Sioux Fleming, Computer Associates Inc.’s director of product management for eTrust security management. “Companies that monitor the source of help desk calls are finding that 40 per cent of the calls are for spyware. There are real costs associated with someone’s computer being down.” Fleming notes that the problem is like that OEM software bundle that comes with the computers you can buy at big-box retailers: malware installs automatically when you install a spyware-enabled program. And no matter how benign that program is, spyware developers often have deals with other guys, who have deals with other guys, all the way along the line, creating a chain that can end in something particularly nasty. It infects systems when users install an allegedly “free” file-sharing program — though nothing is ever free — and Friedlander has noted that spyware can even self-install when you click through certain phishing e-mails.
“The reason why it’s such a scourge is that every one of these little programs is phoning home every time you start your computer,” Fleming says. “And this is just the adware. That’s not counting the more nefarious stuff like keyloggers. That’s identity theft.”
Indeed, although most spyware and adware is financially motivated — adware promotes sites and products and earns money for the developer with every click-through — some of the nastier spyware is particularly scary. “A keylogger waits for you to log onto your bank account, for example,” Friedlander says. “Then it watches for your password and sends it home.”
This can be a serious security breach, and one that an employee inadvertently lets in unawares. Keyloggers might not just be watching for your bank account login, and what you don’t know can hurt you. “This is a really big issue if you are a business under any kind of regulatory requirement to report security problems,” Fleming says. “Two people have already been fined in the U.S. under Sarbanes-Oxley (the United States’ 2002 financial and accounting disclosure law) for not reporting a virus outbreak. It’s only a matter of time before someone will be fined for not reporting a keylogger.”
Remediation is possible, and there are anti-spyware tools on the market. Moreover, network perimeter defences can foil some malware. But Friedlander points out that disinfecting an infected system can be difficult and time-consuming. In this age of pervasive, mobile computing, a lot of users are doing a lot of work in places like cafes and airport concourses, where the company firewall can’t protect them.
“You have to keep up with security patches, of course,” Fleming says. “The fact that spyware is still coming in through the JPEG exploit is evidence of that. But more important is user education. Users don’t always know that the convenient filesharing utility or the innocent e-mail can put them in a whole world of worry.”
As bad as malware is today, however, network convergence has raised the threat from spyware as well as viruses and worms to unprecedented levels. Instead of a keylogger, what about a voice logger on your voice over IP (VoIP) system, or a worm that crashes your phones during your busiest season?
“As VoIP increases in popularity and number of deployments, so will its attractiveness to potential attackers who now have a more accessible playground to poke at this new technology,” observes David Endler, head of TippingPoint Technologies’ Digital Vaccine security research division and the newly elected president of the Voice Over IP Security Alliance. “VoIP networks inherit most of the same security threats that traditional data networks are plagued with today.”
The bottom line is that a company with phones, even in this Internet age, is paralyzed, and new convergence technologies have opened a squirming can of worms — and viruses and malware and denial of service attacks. “We can expect to see over the next year one or two VoIP specific attacks emerge that go beyond today’s more prevalent data network vulnerabilities, but try to exploit the VoIP applications themselves,” Endler warns.
At its worst, the perils can make Mafiaboy’s much-publicized mischief in 2000 pale in comparison, and the potential privacy implications. According to Endler, “the worst case scenarios involve life and death implications when you look at emergency services call centers” like 911, police and fire departments. Imagine a VoIP-specific worm on the loose during a natural disaster. Security is a catch-as-catch-can proposition at the best of times. The good guys will always be one step behind the bad guys. The key, says Friedlander, is to not fall and further back than that and to recognize that, as bad as things are, they can get worse.