Internet security threats are on the rise but fail to be a top priority with the people who provide the money and resources to the experts fighting the war against hackers and viruses, according to a report released Wednesday.
Despite the huge losses projected (productivity, lost revenue, customer confidence) from the attacks of Blaster and other worms in August, it seems the message still hasn’t hit C-level executives that spending on security is an insurance policy worth having, Symantec Corp.’s annual Internet Security Threat Report says.
It is estimated that the cost of eight days of massive worm attacks in August may be valued at up to US$2 billion.
“Whether $2 billion or $1 billion it’s important to realize the problem still exists regardless of what cost is attached to it,” said Michael Murphy, general manager, Symantec Canada.
The report says the rate of attack activity increased by 19 per cent over this time last year and companies saw about 38 attacks per company, per week compared to 32 in the same time a year ago.
The report also indicates there is an increasing number of blended threats that represented 60 per cent of malicious code submissions in the first six months of the year.
“Organizations are more aware of the problem, but frankly, I think they are not dealing with the complexity of the problems today. In essence I think corporations in general, U.S. or Canada, are somewhat behind the curve in dealing with the blended threats or the attacks we see more frequently,” said Murphy.
For CXOs, Murphy says business continuity and disaster recovery remain the No. 1 priority.
“It doesn’t really resonate that a security breach may have more impact than the power being out for a day. That becomes the job of the security professional in these organizations – the CSIO more than the CIO, to communicate the risks, the threat, the vulnerability up the chain to make them understand this is more problematic than a Web server going down and losing $1 million a day in revenue. A security breach can be just as problematic as a hardware failure,” he said.
The Symantec report is based on information from 500 Symantec clients around the world and data from more than 1,000 companies and consumers that use its security software. About 50 of those were Canadian customers.
Recent attacks such as Blaster and SoBigF caught companies by surprise because no such incident had occurred for months and they had been lulled into a false sense of security.
Even minor attacks should serve as a wake-up call to the more damaging attack that might be just around the corner, Murphy said. But what usually changes people’s minds is a severe breach that can cost a company customer loyalty and brand reputation.
Some executives are more acutely aware of the problem but it does make a difference when there is senior level buy-in, said e-security specialist Dan Bernier of Sharp Electronics of Canada Ltd. in Mississauga, where document security is the priority. Many copiers and printers today have built-in hard drives that hold an image of all copied and printed documents, but Sharp has measures to lock those down as well.
“It’s probably because we have our own product. Truth-be-told if we didn’t have a security product they wouldn’t (be as aware), it would be left to MIS or IT. Because of our awareness of security we’re trying to spread the word to our customers and potential customers regarding document security.”
Internally at Sharp, Bernier says a memo from one of its executive vice-presidents addressed issues such as locking down workstations, guiding others through the building and not giving out passwords.
That follows advice from Symantec that suggests companies enforce a password policy and configure e-mail servers to block or remove e-mail that contains file attachments often used to spread viruses.
Bernier says Sharp employees have been educated to know that company servers will remove certain e-mail attachments automatically.
“Recently I was trying to download something from our New Jersey office and the router between the two of us sent me a text file saying ‘Unable to comply. This site poses a potential threat.’ I was quite surprised,” he said.
But for other organizations, he agreed it often takes a serious breach before action is taken.
“Unfortunately by then the damage is done. A small percentage is aware and had decided to take measures before it happens but they are not the rule, they are the exception,” Bernier said.
Many IT managers claim keeping up with Microsoft patches dominates their agenda, but Symantec cautions that they should prioritize.
“I certainly hear that there is that level of frustration in terms of keeping up with the patches but I don’t feel there is any panacea in 100 per cent patch management,” said Murphy. “Patch management is important but look at the patches that are important – the vulnerabilities that are easily exploitable and the vulnerabilities that have a short time from discovery to exploitation.”
Symantec lists patch management second in terms of best practices to protect information assets. The first course of action should be to turn off and remove unneeded services such as instant messaging and file sharing and Web services enabled by default or installed with the operating system that aren’t needed. This includes, for example, Microsoft IIS Web server which was exploited by Code Red and Nimda. It is typically installed by default even in Microsoft desktop operating systems.
“A lot of the worms today and blended threats may come in via e-mail but exploit back-door channels through instant messaging to replicate or propagate. So the risk to the organization is not necessarily that they are the target but that their computing resource and bandwidth is used to facilitate a much greater attack against Internet infrastructure. It goes hand-in-glove with peer-to-peer problem,” said Murphy.
While some companies may start looking to embrace other application platforms such as Linux because they feel at risk deploying Microsoft solutions, Murphy said it is unlikely there will be a mass migration in an attempt to reduce risk or find “security through obscurity.”
“I don’t think Linux is without its risk. It doesn’t have the market share or adoption today that Microsoft’s platforms do but over time as it does it will naturally become a target. Anything that has market share that is exploitable with vulnerability will become a target at some point in time,” he said.