2006 InfoWorld Security Survey: IT's confidence crisis

If incidents are down, why the crisis atmosphere? Because the attacks are much more targeted and severe

Click for larger view.

The attack on HostGator bears many of the typical hallmarks of today’s increasingly sophisticated security threats. And it underscores the growing number of zero-day vulnerabilities in Windows — which totals at least eight this year, according to eEye Digital Security — not to mention other applications. This point isn’t lost on survey respondents, 51 percent of whom rated the increasing sophistication of attacks as a top security challenge, while 50 percent said Trojans, viruses, and other malicious code represented the top threat to network security.

Eric Sites, vice president of research and development at Sunbelt Software, isn’t surprised. In years past, Trojans typically loaded machines with adware that was so poorly written it would bring the PCs to a grinding halt. They were a nuisance, says Sites, but nothing like today’s malware, which steals passwords, sends spam, and joins botnets — revealing few or no visible signs. To make matters even worse for enterprises, attackers have begun gathering at “cyberbazaars” where they can trade passwords and other information gathered via malware.

 “The guys currently out there will do anything to get your money, your credit card number, or whatever private information they can sell to make money,” Sites says.

Attacks drop, severity rises

Security professionals reported a modest drop in the number of attacks on their networks during the past 12 months, with a mean of 331 attempted breaches and 39 successful ones per company. That compares favorably with the mean of 368 attempted attacks and 44 successful intrusions per company noted in last year’s survey.

Unfortunately, this is not to say that networks are any safer — at least according to Jon Ramsey, CTO of SecureWorks, which monitors Internet attacks using about 5,000 intrusion prevention system devices. Although the volume of overall alerts has decreased, he points out that “the number of severe attacks is increasing precipitously.” The reason for the decrease in the number of attacks, according to this reasoning, is disturbing: As break-ins morph from prank to business, profit-driven attackers are less likely to waste time or take chances using outdated or ineffectual techniques.

Among successful intrusions, the spoofing of an organization’s identity to victimize customers — a common technique in phishing scams — was the most common, with 25 percent of respondents reporting they have been subjected to the practice, up from 23 percent last year. The increase is hardly surprising, Sunbelt’s Sites says, given the advent of $50 phishing kits that provide templates that mimic even the most minute details of the 10 most popular banking Web sites. To make matters even worse, phishing, which was once primarily focused on large enterprises such as eBay, is now becoming a problem for much smaller organizations. SecureWorks’ Ramsey says that 67 percent of the credit unions his company counts as clients have been subject to phishing attacks.