The numbers tell the story of a serious and growing
threat. In 2000, the CERT Coordination Center, a
government-funded security group, recorded 21,756
security-related incidents. In 2002, it reached
82,094 incidents. In the first three quarters of
2003, the number of incidents totaled 114,855.
Four out of five businesses were hit by a virus or worm
in 2003, according to a survey of 404 security
decision makers by the Yankee Group.
Denial-of-service attacks were the
second-most-common security incident, hitting about
40% of those surveyed.
The problem will get worse and
continue to eat up substantial amounts of companies'
IT budgets. More than half of those surveyed by the
Yankee Group expect their security budgets to
increase during the next three years, while only 8%
expect security spending to decline. Some of that
money will be used to patch security holes in
desktop software. Patching a desktop can cost from
$189 to $264, the survey says.
Security analysts and vendors
predict that 2004 will bring thousands of new
viruses and worms and a huge increase in the use of
spyware. They also say that spammers will
increasingly adopt tools used by virus writers,
adding to the volume of spam and the problems it
causes for corporate networks. In addition, few
security experts expect to see anything close to a
letup in the 50 or more security-related software
vulnerabilities discovered each week.
Spyware ranges from software that
collects information on a user's Web-surfing habits
(called adware) to more insidious applications that
hackers use to collect every keystroke--passwords,
credit-card numbers, financial data, and other
personal information--that a user types. Often,
adware is installed when users download freeware or
shareware from the Internet but don't bother to read
the license agreement that states the snooping
software is being installed. The more dangerous
kinds of spyware can be clandestinely inserted into
a victim's system.
Even the most security-conscious
businesses can find themselves at risk if, for
example, a mobile user's notebook is infected with
spyware and then the user logs on to the corporate
network. "The issue gets serious when it comes to
telecommuters using home PCs, which may not have
antivirus and firewalls installed," says Scott
Blake, VP of information security at security firm
BindView Corp. "The corporation has no control over
what software they install on their home PC."
The bad guys are getting very
sneaky, says John Pescatore, VP and research fellow
at Gartner. Increasingly, employees may log on to
their corporate networks from a coffee shop or a
hotel room and see a screen pop up that appears to
be a legitimate message from the hotel or coffee
shop they're patronizing. But it's not. It's a fake
message designed to get users to download a
malicious Trojan or spyware application. "Is it
spyware or just a pop-up ad? How will you know?"
Pescatore asks. "This technique of collecting
financial information, passwords, and being part of
identity theft is going to be a growing problem.
We're going to see more real spyware attacks."
It's already under way. In July,
one person pleaded guilty in federal court to
installing key-logging software at several Kinko's
Inc. locations in Manhattan. For more than a year,
he collected the keystrokes of the customers of the
printing and copying chain, including passwords and
user names, and used that data to fraudulently open
bank accounts. A Boston College student was caught
using a similar application to steal student
passwords and other information from more than 100
PCs at the campus. The number of tools available to
combat spyware is growing, and they're getting more
effective. They're offered by software vendors that
specialize in standalone spyware-removal apps, such
as offerings from PestPatrol Inc. and Webroot
Software Inc., which have apps to scan and remove
spyware. And antivirus vendors such as Symantec
Corp. and Network Associates Inc. have begun adding
spyware-detection and -removal software to their
antivirus apps.
Spyware also is attracting the
attention of politicians. Lawmakers are expected
this year to introduce a new version of the
Safeguard Against Privacy Invasions Act, a bill to
prohibit spyware. Reps. Mary Bono, R-Calif., and
Edolphus Towns, D-N.Y., have been working with
privacy-rights groups and the IT industry to refine
the bill. One of the primary goals of the act is to
direct the Federal Trade Commission to prohibit the
installation of spyware on computers used by
financial institutions or the federal government,
unless the user first agrees to the snooping.
Another trend that experts expect
to see this year is more spammers making use of
virus-writing tools and techniques. Spammers are
using the tools of virus writers to anonymously send
their ads. Vincent Weafer, senior director of
development at Symantec, says spammers will continue
to use viruses and Trojan horses to infect computers
so they can then use those machines to anonymously
send out waves of E-mail. "They're now turning to
home-user and small-business systems," Weafer says.
"They're hijacking tens of thousands of vulnerable
systems and turning them into anonymous spam
mailers."
More than 65% of the spam messages intercepted by E-mail
security firm MessageLabs, which filters spam and
viruses for companies, are sent from PCs that have
been hijacked by spammers and transformed into spam
relays, the company reports. This trend came to
light with the Sobig.F virus. At the peak,
MessageLabs says one in every 17 E-mails it
intercepted contained a copy of the Sobig.F virus.
By Dec. 1, it had stopped more than 32 million
E-mails infected with the virus.
Many security experts believe the
writer or writers behind the Sobig.F virus were
actually spammers or working with spammers, looking
to use that virus to infect thousands of machines
that could then be used to anonymously blast
millions of spam messages. The technique keeps
spammers' identities secret and can also sidestep
blacklists used by spam filters. Sobig.F's success
will likely lead to similar outbreaks.
Another relatively new and growing
danger: peer-to-peer networks and instant messaging.
Expect virus writers and snoops to start exploiting
the popularity of peer-to-peer networks, such as
Grokster, Kazaa, and Morpheus, and instant-messaging
services offered by America Online and others.
Any company with employees using
peer-to-peer file-sharing networks is inviting
trouble. Consider the following experiment conducted
by Bruce Hughes, director of malicious-code research
at TruSecure Corp.'s ICSA Labs. He set up a crawler
program on Kazaa and other peer-to-peer networks,
scanning for popular file types using keywords such
as sex and antivirus. Hughes says 45% of the files
he downloaded contained malicious applications. "If
you're downloading files from these networks, you're
going to get infected with something," he warns.
Almost all the big attacks last
year were aimed at Microsoft PC and server software.
This year, new threats will appear aimed at emerging
operating systems and devices, such as Linux,
handheld devices, and smart cell phones. "We'll see
a cell-phone virus. It's almost a certainty," says
David Perry, global director of education for
antivirus and content security firm Trend Micro Inc.
"We'll also probably see a virus designed to spread
over wireless LANs. We just don't know when; it
could be this year or it could be five years."
Linux is more susceptible to
attack because it offers increased functionality and
more users are using a graphical interface such as
Lindows, which makes Linux easier to run, says
TruSecure's Hughes.
Still, most experts agree that
Microsoft will remain the target of choice for worm
and virus writers, at least for the short term,
because of its market dominance. Microsoft and other
software vendors have been devoting much time and
effort to reducing the number of flaws in their
code. But that won't eliminate the software
vulnerabilities that make it easier for hackers and
virus writers to attack. CERT says that more than
4,000 software vulnerabilities were reported in 2002
and nearly 3,000 were reported in the first three
quarters of 2003. Security experts expect that
reported software vulnerabilities will continue to
number between 50 and 60 each week.
The real issue isn't the number of
vulnerabilities reported, but the severity of the
security flaws. The vulnerabilities discovered last
year and expected this year are increasing in
severity, says Symantec's Weafer, who expects that
trend to continue. About 80% of all software
vulnerabilities are "remotely exploitable," which
means virus and worm writers can write malicious
apps that can attack these flaws from anywhere, he
says.
Security analysts are less
concerned about so-called zero-day worms that have
gotten a lot of publicity recently. A zero-day worm
is one that starts attacking before the software
flaw it takes advantage of is publicly known or
before a patch is available. "It takes a lot of
skills to discover software vulnerabilities and to
write worms that will spread effectively," says Dan
Ingevaldson, engineering manager for X-Force, a
research group at security firm Internet Security
Systems Inc. "It's very rare to find those two
skills in one person."
Yet worm and virus writers are getting faster, which
means companies have less time to prepare once a
software flaw is found. "We don't foresee many
day-zero worms. But we do see more day-seven to
day-14 worms," Gartner's Pescatore says. "Fewer than
15% of attacks occur within a month of the
vulnerability announcement today. That will double
by 2006."
One good bit of security news is
that Microsoft isn't expected to launch any major
new operating system or database products this year.
"Windows 2003 server is now in its second year, and
many of the vulnerabilities have already been
uncovered," Pescatore says. "So we should see fewer
vulnerabilities from them next year." Plus, major
software vendors spend more time and energy trying
to find security-related bugs before they ship
applications. "All of the vendors are very scared of
looking like they have more bugs than Microsoft, and
they're starting to spend the money to make sure
that doesn't happen," Pescatore says.
Businesses battling continuing
waves of security threats may need to add new
weapons to their arsenals. In addition to quick
patching, effective firewall policies, strict
remote-user security rules, and keeping antivirus
software up to date, businesses should look at
intrusion-prevention applications such as those
offered by Cisco Systems, Internet Security Systems,
Network Associates, Platform Logic, and Sana
Security. These applications don't rely on threat
signatures and software policies to thwart attacks.
Instead, they attempt to block new attacks long
before antivirus, intrusion-detection, and firewall
systems and policies can be updated.
Want a safe prediction for the new
year? Here's one: Companies will face new threats
that no one expects, plus many variations of the old
threats. Information-security pros aren't willing to
predict much progress in the battle against worms,
viruses, and other security threats. But there's one
thing nearly all of them do agree on: Businesses
must continue to devote time, money, and personnel
to keep their systems as safe as possible.