The amount of time it takes for hackers to take advantage of a software vulnerability is declining, and IT departments are already finding it difficult to keep up with the deployment of necessary patches.
Though a patch exists for it — and has existed for more than 18 months — the Slammer worm isn’t going away. For the second year in a row, it was ranked No. 1 in Symantec Corp.’s yearly roundup of worms and viruses responsible for attacks.
In the first six months of 2004, Slammer accounted for 15 per cent of attacking IP addresses. This shows that organizations either aren’t properly patching their systems or, if they are patching, are missing the systems within their confines that they are unable to detect, said Michael Murphy, Symantec’s Toronto-based Canadian general manager.
This is a concern as Symantec’s Internet Security Threat Report, released Monday, also found that the amount of time it takes for hackers and crackers to exploit a vulnerability once it has been discovered has dropped from seven to 5.8 days.
“Corporations today have very little capability to patch systems or even discover systems that need to be patched, let alone respond with a patch,” Murphy said.
Not only is there a shortage of skills and security professionals in Canada, he said, but IT workers are “overwhelmed” by the sheer variety of the computing systems under their care and the complexity of threats. Today’s corporations are highly heterogeneous, making it difficult for IT managers to keep track of what they have in-house. Further complicating matters is the existence of rogue systems that employees bring into a company unbeknownst to the IT department, Murphy said.
There were 1,237 new vulnerabilities between January 1 and June 30, which means that organizations have to deal with an average of almost seven new vulnerabilities per day. Over 70 per cent of these new vulnerabilities are considered easy to exploit, the report found.
Furthermore, 96 per cent of the vulnerabilities represent either a moderately or highly severe threat. Symantec defines moderately severe threats as those which give an attacker enough access to a system to compromise or cause damage to it, and highly severe threats as those which provide full system or administrative access to a computer.
“Patch management and patch deployment is an area that has been under-invested in,” Murphy said.
Symantec documented 4,496 new Windows-based viruses and worms in the six-month period of the study. That represents an increase of 4.5 times from the same period a year ago.
“This six-month period is at least 100 per cent greater than all 12 months of last year — more and more code is available,” Murphy said, adding that most of the Windows-based viruses and worms were aimed at Win32 operating systems.
Also on the rise are threats from Gaobot and its variants — to the tune of a 600 per cent increase over the past six months, the report found. The number of bot-infected computers rose substantially over the past six months, from less than 2,000 to more than 30,000 per day, peaking at 75,000 in a one-day period.
“That’s an alarming rate of growth, and frankly a concerning rate of growth,” Murphy said.
E-commerce a prime target
The report also found e-commerce received the most targeted attacks of any industry. The intention behind attacks is changing from individuals seeking bragging rights and notoriety to attacks motivated by the desire for monetary gain, Murphy said. “Attackers are becoming more organized, more sophisticated.”
Evidence of the shift in motivation is that adware and spyware are becoming more problematic, Murphy said. Peer-to-peer services, Internet relay chat and network file sharing continue to be popular propagation vectors for worms and other malicious code, Symantec found.
“Attackers know they are widely deployed, widely accessible,” Murphy said.
Port 80, or the HTTP port, accounted for 30 per cent of attacks, he said.
“We’re so dependent on that port, and candidly, the protocol itself is many, many years old and it was developed without security in mind. Actually, most of the Internet protocols we use today are more than 20 years old and are in need of an update.”
As in previous reports, Canada ranked in the top five both in terms of the aggregate number of attacks originating within our borders and in terms of Internet capita. A total of 5.8 per cent of all attacks originated from Canada, while 37.3 per cent originated from the U.S.
“Our adoption of broadband is the single reason we rank in the top five. It is because we are a very connected country.”
Like Symantec, IDC Canada has also found that the length of time it takes for hackers to exploit a vulnerability once it has been discovered is decreasing, said David Senf, a senior analyst and manager of IT business enablement at IDC Canada in Toronto. The time it takes to get a patch out there once a vulnerability is discovered is also decreasing, but organizations aren’t applying the patches within a reasonable length of time, he said.
Organizations either don’t have policies in place, or if they do, they aren’t communicating them to their employees, Senf said. This is despite the fact that more than 80 per cent of Canadian organizations are saying they are seeing a loss of business productivity due to security breaches, he said. The problem is organizations aren’t calculating the cost of those breaches, he said.
“That’s one of the big reasons that they’re not reducing the time from the availability to deployment of a patch. They’re not calculating the cost and understanding what it means.”
IDC’s six-step strategy
IDC recommends a six-step patch management process for organizations, most of which do not have an end-to-end systematic approach, Senf said. First, organizations must lay the foundation by surveying all of the various operating systems, applications, servers and computers they have in-house. Second, companies must assess which systems need patching and whether there is software out there that can help automate the patching process. They must also ensure they are getting their patches from an authentic source. Third, organizations need to assess and test available patches, as it is possible the patches could open up the company’s computers to further vulnerabilities.
Fourth, organizations need to have a rollback plan for patches — a contingency plan they can put into effect if a patch causes unforeseen damage. Fifth, organizations should roll out patches in predefined schedules using best practices. Lastly, IDC recommends validation reporting and logging. Organizations should regularly review their log files, Senf said.
But such measures are only the first step, a report by analyst firm Gartner Inc. argues.
“The long-term answer is to use operating-system and application software with fewer vulnerabilities and more built-in safety and protection features,” the report states.
“Worms, viruses and other hybrid attacks that take advantage of software vulnerabilities prove that enterprise protection strategies must move from attempting to change user behaviour to ensuring that vendor behaviour changes.”