IT under siege: The security arms race

The enterprise's security defense must get more sophisticated to stop criminal-minded attackers who are out for high stakes -- money and identities

The security arms race is escalating to unprecedented levels and has security professionals more nervous -- and more vigilant -- than ever.

What was once the domain of hacker hobbyists looking for glory and free digital content is now the realm of criminally minded professionals. For years, IT administrators viewed most malware as more of a nuisance than something that could inflict lasting, six- and seven-figure damage.

In years past, malware might leave “greetz” messages to other hackers in its code, set up file-trading sites, or open IM chat channels. Not anymore. Today’s top threats are professionally written programs coded to steal identities and passwords, break into restricted Web sites, conduct corporate espionage, and install spyware. Even after administrators discover and remove these intrusions, it is difficult to assess the extent of the damage or how much confidential information was compromised.

It’s not surprising, then, that when asked for the most serious security challenge their companies will face in the next 12 months, nearly half (49 percent) of the survey respondents in this year’s InfoWorld Security Research Report cited the increased sophistication of Trojans, viruses, worms, and other malicious code flooding the enterprise.

“You’re now looking at the low and slow attack,” observes Nand Mulchandani, vice president of marketing at the security software vendor Determina. The bad guys “don’t want to take a machine down. They want it up and running so it will give up user identities and so on.”

Fifty-seven percent of the 474 individuals who responded to our survey in July cited viral attacks as the most dangerous threat to network security, up from 29 percent last year. The respondent companies also reported that each had foiled an average of 368 attacks in the preceding 12 months. An average of 44 attacks, however, successfully breached defenses, and what gets through is more threatening than ever because its mechanisms are much more complex, even self-updating.

Mothership Code

In the past, most malicious code was static. Once released, it did only what it was programmed to do and never deviated from its instructions. Often, malware would announce its presence to the user, as the schemes were more about bragging rights than genuine malice. Even malware designed to inflict damage was relatively tame. The ILoveYou virus, for example, overwrote files when executed, but only certain script and image files. Even the SQL Slammer worm, which infected most of the vulnerable Microsoft SQL Server installations on the Internet in under 10 minutes, didn’t set out to delete every file on every file server it could reach, nor did it target Microsoft Office files.

The malicious programs now making the rounds leave corporate administrators wishing for the days when viruses and Trojans were relatively simple and benign, and when intrusive code was removed once the crisis was over. With much of today’s malware, the initial infection is only the setup, and data destruction is the least of the administrator’s worries. After a computer has been exploited successfully, many worms and bots connect to outside servers and download new programs or instructions. Using this “mothership” approach, the malware becomes self-updating. Its eventual instructions are never known, many times not even to the code’s writer, until it has run its course. Several bots end up installing themselves as malicious Web servers, awaiting connections from their related progeny. The malware removes itself after it has successfully downloaded code a certain number of times and completed its task.


Many malware programs record user keystrokes, capture screen shots, look for passwords, and route the user’s Web surfing through a remote proxy server, which can record every bit of data. Phishing, spam, and adware are only making the problem worse.

Criminal Bot Nets

Malware is also becoming much more targeted. A growing percentage of rogue programs include mechanisms such as keyloggers, which are designed to capture confidential information over a long period of time. Hackers design worms to create sophisticated bot networks that infect and control thousands of PCs a night to do their bidding. When the bot net is up and running, the hacker “rents” the malicious network to criminal groups or businesses skirting the letter of the law. They even advertise “The First Hour Is Free” sales.

Security professionals are trying to deal with this trend, but for every bot they remove from a compromised PC, another two are added in the same timeframe. The problem is so widespread that we now have a new malware category -- crimeware -- as formal recognition that malware now springs from professionals.

In its July 2005 newsletter, e-mail security vendor MessageLabs said, “the number and sophistication of targeted e-mail-borne attacks on businesses is rapidly increasing, with the potential to defraud businesses, steal intellectual property, and extort money. Analysis of MessageLabs Intelligence data revealed that over the past year there has been a gradual occurrence of targeted e-mail attacks against businesses and organizations.” The July 2005 newsletter from the Anti-Phishing Working Group warns that phishers “are moving away from some traditional larger targets and hitting a wider base of smaller financial targets.”

Paul Ferguson, a 20-year computer security veteran and senior network engineer and senior architect at Northrop Grumman, sees today’s malware and bot net schemes as “precursors and alerts to ongoing, massive criminal activity,” bringing with them “a predatory smell,” he says. “Some of the massive malware spreads seem to be unusually pre-emptive, more interested in information gathering,” and more inclined to target specific networks, Ferguson says. “After over 20 years of fighting worms, viruses, and Trojans, I’m used to not overreacting. Two weeks ago I was involved in fixing a massive bot net DoS attack that infiltrated tens of thousands of PCs. I felt like Nero, fiddling while Rome burned.”


Web Attack Vectors

Malware attack vectors follow trends. In the 1980s, boot-sector viruses were all the rage. File and executable viruses made up most attacks in the early 1990s, until macro viruses arrived in 1995. Worms traveling as e-mail attachments have dominated for the last decade, but reliance on SMTP is waning. Many of today’s malicious programs exploit vulnerabilities in Web browsers, both patched and unpatched. Unsuspecting users surf to a compromised Web page and their computers are exploited remotely, without their having to click on or acknowledge anything.

The Anti-Phishing Working Group notes that the number of Web sites designed to steal passwords doubled in one month, from June to July 2005. Most of the exploited Web sites included online journals, blogs, and personal storage sites. Microsoft’s Strider HoneyMonkey project found a zero-day exploit being initiated by a malicious URL. The Santy worm infected Web sites running vulnerable PHP code and then used Google to find its next victims. The Web is expected to be a growing source for malware attacks over the next decade.

Exacerbating the problem is the shrinking interval between the announcement of a vulnerability and the appearance of a worm that exploits it. When the Slammer worm began attacking SQL Servers around the world in 2003, a patch had been available for more than six months. And in 2001, IIS administrators had more than a month to prepare for the Code Red worm.

The Zotob worm, which this year hit Microsoft’s Plug and Play service, is a sign of things to come. Within two days of Microsoft’s public announcement and release of the related patch, Zotob variants were emerging. By day three, tens of thousands of computers were compromised. In fact, two of Microsoft’s three critical vulnerabilities in August 2005 resulted in worms within days. Within a week, Microsoft saw its first publicly announced zero-day exploit. No matter how you slice it, the time between a vulnerability announcement and the need to patch is shrinking.

The Enterprise Responds

Enterprises are demanding that vendors get better at blocking non-traditional threats and rise to the challenge through innovation. Firewalls and anti-virus products aren’t enough. Our survey revealed that the largest purchasing increase (19 percent) during the next year will be for anti-spyware software and appliances. IDS (intrusion detection system) and IPS (intrusion prevention system) products continue to enjoy strong adoption (52 percent overall), and more administrators are actually enabling the blocking functionality of those products (44 percent), which suggests that security vendors are getting better at separating real threats from the noise.

Interestingly, executives’ confidence level in their network security defenses is on the rise -- 53 percent responded that they consider themselves “extremely/very confident,” compared with 46 percent during the previous year. This confidence may be due in part to innovative vendors such as Determina, Sana Security, and Vernier Networks producing products that mark a departure from traditional lines of defense by augmenting signature-based solutions with vulnerability-based or behavioral-based software. Several vendors -- such as GreenBorder and SecureOL -- have products that prevent end-user workstation changes from being saved. Microsoft is stepping into the space with its Shared Computer Toolkit which allows an administrator to define what can and can’t be saved between reboots.

Major anti-virus vendors are pushing defenses past the normal scan-and-detect activities. Even non-traditional vendors are ramping up the fight in innovative ways. With its Network Admission Control (NAC) initiative, Cisco Systems is reaching past its firewall and router roots to provide more protection by pushing security policy checks from the perimeter to the client end points.

Even hardware vendors are offering defense-in-depth features. HP’s latest ProLiant servers and blades offer HP Virus Throttling. If the software driver detects an unusually high number of connection requests to new destinations from one client, it rate-limits that client’s outbound connections, slowing a scanning worm without cutting off normal traffic, a step up from the boot-sector protection in BIOS chips of years past.
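The throttling mechanism just described, as an added example that is neither HP’s driver nor code from the original article: a Python sketch of a per-client connection-rate throttle, run over a constructed set of connection attempts. The threshold of five new destinations per one-second window, the sample addresses, and the rule that only previously unseen destinations count against the budget are assumptions made for this illustration.

```python
"""Per-client connection-rate throttle, in the spirit of the virus
throttling described above. Added illustration; the thresholds, the
sample addresses and the decision rule are assumptions, not HP's
implementation."""
from collections import defaultdict, deque


class ConnectionThrottle:
    """Limit how many *new* destinations a client may contact per window.

    A scanning worm opens connections to many previously unseen hosts in a
    short time, while ordinary clients mostly reconnect to a small set of
    familiar servers. Repeat destinations inside the window are therefore
    allowed freely; only first contacts are counted against the budget.
    """

    def __init__(self, max_new_per_window=5, window_secs=1.0):
        self.max_new = max_new_per_window          # assumed threshold
        self.window = window_secs                  # assumed window length
        self._recent = defaultdict(deque)          # src -> deque of (ts, dst)

    def request(self, ts, src, dst):
        """Decide on one connection attempt; returns 'allow' or 'throttle'."""
        q = self._recent[src]
        # drop first-contact records that have aged out of the window
        while q and ts - q[0][0] > self.window:
            q.popleft()
        # a destination already contacted within the window is not new
        if any(seen == dst for _, seen in q):
            return "allow"
        # too many fresh destinations in the window: delay (throttle) this one
        if len(q) >= self.max_new:
            return "throttle"
        q.append((ts, dst))
        return "allow"


def simulate(connections, max_new_per_window=5, window_secs=1.0):
    """Run a list of (timestamp, src, dst) attempts through a throttle and
    return per-client counts of allowed and throttled attempts."""
    throttle = ConnectionThrottle(max_new_per_window, window_secs)
    counts = defaultdict(lambda: {"allow": 0, "throttle": 0})
    for ts, src, dst in sorted(connections, key=lambda rec: rec[0]):
        counts[src][throttle.request(ts, src, dst)] += 1
    return dict(counts)


# Constructed sample: one ordinary workstation and one host sweeping a
# subnet, both starting at t=0. Addresses are illustrative only.
SAMPLE_CONNECTIONS = [
    (0.00, "10.0.0.5", "10.0.0.1"),          # DNS lookup
    (0.10, "10.0.0.5", "93.184.216.34"),     # web page
    (0.20, "10.0.0.5", "93.184.216.34"),     # same site again, not new
    (0.30, "10.0.0.5", "10.0.0.2"),          # mail server
] + [
    (0.01 * i, "10.0.0.99", f"10.0.1.{i}")   # 20 distinct hosts in 0.2 s
    for i in range(20)
]

if __name__ == "__main__":
    for src, result in simulate(SAMPLE_CONNECTIONS).items():
        print(f"{src}: {result['allow']} allowed, {result['throttle']} throttled")
```

With the assumed settings the workstation’s four attempts all pass (the repeat visit to the same site is not counted as a new destination), while the sweeping host gets its first five new destinations through and the remaining fifteen are throttled. A real driver would queue the excess attempts and release them at a fixed rate rather than simply flagging them, and would raise an alert when the queue grows beyond a limit; that is the part a practitioner would add next.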

Tim Nolan, information systems security officer at Bridgestone Firestone, summarizes things this way: “We are engaged in defending networks with more challenging threats. We see a decrease in the patch window, an increase in virulence, and an increased speed of spread for worms. What this means is that our defenses must be multilayered, increasingly heuristic, and behavioral-based -- and involve end-user education. The solutions we pick must help us manage all of that.”