The number of viruses and worms launched via the Internet may be reaching a plateau, but the damage they inflict on enterprise systems is becoming more easily executed, leaving companies feeling even more vulnerable about how exposed they are to security flaws.
In its semi-annual report released
Monday, anti-virus software company Symantec Corp. said there were 2,636 vulnerabilities disclosed in 2003. And while there was a marginal two per cent increase over the number in 2002, about 70 per cent of those disclosed were easily exploited, which means there was no exploit code required or that the exploit code was publicly available on the Internet.
“”If there were 70 per cent of the 2,636 — that’s 1845 vulnerabilities easily exploitable — that’s of greater concern to me,”” said Michael Murphy, Symantec Canada’s general manager.
In a previous report released by Symantec six months ago, vulnerabilities targeted public infrastructure or server-based systems. In this report, for the first time there is a trend to targeting core components of Windows operating systems.
“”It’s what Blaster and Welchia exploited, which are all around client-side components versus server side that we’ve seen in the past, which means threats are more widespread, with greater reach and affect more systems more quickly,”” said Murphy.
In the first half of 2003, only one sixth of the companies analyzed reported a serious breach. In the second half of the year, half of the companies reported a serious breach.
Financial services, health care and power and energy companies were hardest hit and threats to privacy and confidentiality were the fastest-growing threat.
The value placed on the attacks worldwide has been pegged at $2 billion (based largely on time lost dealing with the viruses and any opportunities lost) according to Computer Economics, a California-based research firm.
“”The (dollar) amount isn’t as significant as is the insidious nature of the threats. That’s more telling than the number you associate with it,”” said Murphy.
The question for companies is how to best optimize resources to fight against those insidious threats, said Victor Keong, partner, security services with Deloitte in Toronto. He said a more holistic approach with a well-developed security plan that is management-driven from the top is critical, as opposed to fighting fires day-to-day.
“”Because it’s a newer kind of malicious code, they need to be vigilant about managing vulnerabilities if and when a specific vulnerability emerges and have an action plan or system process to address that,”” he said. “”A lot of IT people complain they already have a lot of work to do but still have to manage patches. Patch management is typically made a lesser priority but these viruses take advantage of that. They use exploit-driven virus code to get into the environment of an unpatched system.””
One of the most significant events of 2003 was in August, when three worms were released in only 12 days. Blaster, Welchia, and Sobig.F infected millions of computers worldwide. Blended threats like Blaster continue to serve as vehicles to launch large-scale denial of service attacks.
“”It’s always the same struggle. When budget comes up, the lowest price always wins. If a company decides not to spend as much money they need to have other mitigating controls in place to safeguard against these kinds of threats,”” said Keong. “”The more challenging issue is how do you get to a program that is working in a cost effective way, because there are so many different solutions, so many hardware and software solutions.””
In addition to top-down support for virus defence, Keong says there must be good bottom-up technical initiatives such as vulnerability management programs and intelligence monitoring put in place.
Microsoft systems continue to be the focus of virus attacks, with blended threats targeting Windows increasing significantly in 2003, but in future threats may well be focused on open source operating systems.
“”We’re already seeing attacks for Linux. A good example is the Slapper worm and the first example was an admin worm in early 98,”” said Murphy.
“”The Unix family of operating systems also has vulnerabilities and some might say per capita of market share it has as many if not more vulnerabilities than the Windows operating systems,”” he said. “”But what is of future concern is those operating systems being targeted by malware and direct attack. What we have seen is a preview of coming attractions as those applications for those platforms gain market share and deployment. I have no doubt we won’t see the same evolution in threats for those platforms.””
Murphy said malicious code for Linux will likely grow based on the Linux-based adoption rate or about three to six months behind.
“”When it’s readily adopted and the malicious threats are there — given it is open source and all the code is public — we may even see a steeper growth curve in attacks and threats than we have seen in the Windows-based platform because all of Windows isn’t public,”” he said.
In its report, Symantec included a list of security best practices to employ in the enterprise and while it was not No. 1, “”educate management on security budgeting needs”” made the top 10.
A recent survey of 270 Canadian CFOs, meanwhile, showed that 32 per cent indicated they felt security of information systems was an area their company is most vulnerable, followed by disaster recovery/preparedness at 20 per cent and protection of intellectual capital at 12 per cent.
“”It’s a battle that does have a lot of unknowns,”” said David King, regional manager of Robert Half Management Resources. “”A lot of systems were upgraded a few years ago and some of the Band-Aid solutions put into place are now begging for a complete overhaul and significantly more investment to compete with some of the threats that are out there.””
Murphy said one of the more practical moves an organization can make is to turn off and remove unneeded functions such as Web-based services.
“”Basically, if you don’t need it, turn it off and it can’t be exploited. For example, under Windows NT IIS (internet information service) was installed by default under Windows 2000 which was the service exploited by Code Red and Nimda and probably no need for individual users to have that service,”” he said.
In the last while, vendors and manufacturers are releasing products with features turned off by default and if people want them they have to go physically turn them on.
Other tips include:
• If a blended threat exploits one or more network services, disable, or block access to those services until a patch is applied.
• Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Train employees not to open attachments unless they are expecting them.