A report issued Monday by anti-virus vendor Symantec Corp. has confirmed what most IT managers probably already know: it’s a dangerous world out there network-wise, and it’s not going to get any better.
According to the Internet Security Threat Report, although the volume of cyber-attacks dropped slightly — by six per cent — over the prior six-month period, the discovery rate for new IT product vulnerabilities jumped to 2,524, slightly more than 80 per cent over the same period.
Michael Murphy, Symantec’s general manager, Canada, attributes the rise in the number of reported vulnerabilities to the general increase in the number of vendors and researchers looking for them.
But reporting on vulnerability codes means more opportunities for those codes to be exploited, he notes.
“The exploit code for about 60 per cent of those vulnerabilities is available at about the same time the vulnerabilities are disclosed, so that 60 per cent is pretty much the low-hanging fruit of attack traffic,” he says. “I would expect going forward that number would continue to grow.”
Murphy cautions that the six per cent decline in cyber-attack volume should be taken with a grain of salt, since that figure excludes blended threats, or attacks spread through the use of multiple techniques, such as Code Red and the Nimda worm, both of which wreaked havoc worldwide.
“Despite the decline, attacks on the energy and power and financial services sectors were up significantly, and the damage to financial services companies almost doubled from the previous year,” says Murphy.
Attacks on the not-for-profit sector, which includes government organizations, were also up considerably. According to the report, that number increased by 43 per cent over the past six months.
The good news is that more than 99 per cent of all events detected by Symantec were classified as non-severe. Severe event incidence rates remained quite a bit lower than they were during the same six-month period in 2001 (21 per cent in 2002 versus 43 per cent in 2001).
Much of the activity, says Symantec, can be classified as reconnaissance, or information-gathering about a target system.
“Often what’s happening is people are looking for information — they’re looking for the low-hanging fruit,” explains Sharon Ruckman, senior director of product management at Symantec’s Santa Monica, Calif.-based office. “There are a lot of automated systems out there that are constantly scanning and looking for systems that are vulnerable so they can go in later and decide if they’re going to do more of a joy ride or actually attack.”
The solution to security, says Murphy, is possibly to outsource that function to a company whose sole business is managing security. Barring that option, organizations need to first make sure all the technologies they have deployed work together, he adds.
Prioritizing patch management is also essential, he says. Symantec sees anywhere from seven to 10 new vulnerabilities a day. Patches are usually available for about 80 per cent of those, resulting in a staggering number of potential patches for systems administrators to deal with.
“I don’t think the problem is patch management,” says Murphy. “We know people aren’t going to deploy 2,500 patches a year — they’d be forever patching their systems — so you need to prioritize those patches and have a good response mechanism in place for getting those patches deployed.”
In many cases, he adds, systems can be protected even without patches. The vulnerability that allowed the proliferation of the recent SQL worm had been known since July 2002, he notes.
“There were other defence mechanisms, such as good inbound and outbound firewall rules, that could have been put in place even without the patch.”
So what’s ahead for 2003? According to Ruckman, more of the same, only worse. Emerging technologies such as instant messaging and peer-to-peer networks pose a growing threat, she says.
“Anytime there’s a new technology that’s widely available not only to end users but also to folks who write attacks you will see more attacks starting in those areas.”