The number of viruses and worms launched via the Internet may be reaching a plateau, but the damage they inflict on enterprise systems is more easily executed, leaving companies feeling even more vulnerable about how exposed they are to security flaws.
In its semi-annual report released earlier this month, anti-virus software company Symantec Corp. said there were 2,636 vulnerabilities disclosed in 2003. And while there was a marginal two per cent increase over the number in 2002, about 70 per cent of those disclosed were easily exploited, which means there was no exploit code required or that the exploit code was publicly available on the Internet.
“If there were 70 per cent of the 2,636 — that’s 1,845 vulnerabilities easily exploitable — that’s of greater concern to me,” said Michael Murphy, Symantec Canada’s general manager.
In a previous report released by Symantec six months ago, vulnerabilities targeted public infrastructure or server-based systems. In this report, for the first time there is a trend to targeting core components of Windows operating systems.
“It’s what Blaster and Welchia exploited, which are all around client-side components versus server-side that we’ve seen in the past, which means threats are more widespread, with greater reach, and affect more systems more quickly,” said Murphy.
In the first half of 2003, only one-sixth of the companies analysed reported a serious breach.
In the second half of the year, half of the companies reported a serious breach.
Value on attacks worldwide US$2 billion
Financial services, health care and power and energy companies were hardest hit. Threats to privacy and confidentiality were the fastest-growing threat.
The value placed on the attacks worldwide has been pegged at US$2 billion (based largely on time lost dealing with the viruses and any opportunities lost) according to Computer Economics, a California-based research firm.
“The (dollar) amount isn’t as significant as is the insidious nature of the threats. That’s more telling than the number you associate with it,” said Murphy.
The question for companies is how to best optimize resources to fight against those insidious threats, said Victor Keong, partner, security services with Deloitte in Toronto. He said a more holistic approach with a well-developed security plan that is management-driven from the top is critical, as opposed to fighting fires day to day.
“Because it’s a newer kind of malicious code, they need to be vigilant about managing vulnerabilities if and when a specific vulnerability emerges, and have an action plan or system process to address that,” he said. “A lot of IT people complain they already have a lot of work to do, but still have to manage patches. Patch management is typically made a lesser priority but these viruses take advantage of that. They use exploit-driven virus code to get into the environment of an unpatched system.”
One of the most significant events of 2003 was in August, when three worms were released in 12 days. Blaster, Welchia, and Sobig.F infected millions of computers worldwide. Blended threats such as Blaster continue to serve as vehicles to launch large-scale denial of service attacks.
“It’s always the same struggle,” said Keong. “When budget comes up, the lowest price always wins. If a company decides not to spend as much money, they need to have other mitigating controls in place to safeguard against these kinds of threats. The more challenging issue is how you get to a program that is working in a cost effective way, because there are so many different solutions, so many hardware and software solutions.”
Linux may be focus of future threats
In addition to top-down support for virus defence, Keong says there must be good bottom-up technical initiatives such as vulnerability management programs and intelligence monitoring put in place.
Microsoft systems continue to be the focus of virus attacks, with blended threats targeting Windows increasing significantly in 2003. But in future, threats may well be focused on open source operating systems.
“We’re already seeing attacks for Linux. A good example is the Slapper worm and the first example was an admin worm in early 1998,” said Murphy, referring to the Linux.ADM.Worm. Slapper appeared in September 2002.
“The Unix family of operating systems also has vulnerabilities and some might say per capita of market share, it has as many if not more vulnerabilities than the Windows operating systems. But what is of future concern is those operating systems being targeted by malware and direct attack. What we have seen is a preview of coming attractions as those applications for those platforms gain market share and deployment. I have no doubt we won’t see the same evolution in threats for those platforms.”
Murphy said malicious code for Linux will likely grow at a rate of about three to six months behind the adoption of Linux.
“When it’s readily adopted and the malicious threats are there — given it is open source and all the code is public — we may even see a steeper growth curve in attacks and threats than we have seen in the Windows-based platform because all of Windows isn’t public,” he said.
In its report, Symantec included a list of security best practices to employ in the enterprise and while it was not No. 1, “educate management on security budgeting needs” made the top 10.
A recent survey of 270 Canadian CFOs, meanwhile, showed that 32 per cent felt the security of information systems was the area where their company is most vulnerable, followed by disaster recovery and emergency preparedness at 20 per cent, with protection of intellectual capital in the number three spot at 12 per cent.
“It’s a battle that does have a lot of unknowns,” said David King, regional manager of Robert Half Management Resources located in Toronto. “A lot of systems were upgraded a few years ago and some of the Band-Aid solutions put into place then are now begging for a complete overhaul and significantly more investment to compete with the threats that are out there.”