IT under siege: The security arms race

The enterprise's security defense must get more sophisticated to stop criminal-minded attackers who are out for high stakes -- money and identities

Click for larger view.

Paul Ferguson, a 20-year computer security veteran and senior network engineer and senior architect at Northrop Grumman, sees today’s malware and bot net schemes as “precursors and alerts to ongoing, massive criminal activity,” bringing with them “a predatory smell,” he says. “Some of the massive malware spreads seem to be unusually pre-emptive, more interested in information gathering,” and more inclined to target specific networks, Ferguson says. “After over 20 years of fighting worms, viruses, and Trojans, I’m used to not overreacting. Two weeks ago I was involved fixing a massive bot net DoS attack that infiltrated tens of thousands of PCs. I felt like Nero, fiddling while Rome burned.”

Web Attack Vectors
Malware attack vectors follow trends. In the 1980s, boot viruses were all the rage. File and executable viruses made up most of the attacks in the early 1990s, until macro viruses came onto the scene in 1995. Worms traveling as file attachments have been dominant for the last decade, but reliance on the SMTP protocol is waning. Many of today’s malicious programs take advantage of patched and unpatched exploits in Internet browsers. Unsuspecting clients surf to an infected Web page and their computers are exploited remotely without their even having to physically acknowledge anything.

The Anti-Phishing Working Group notes that the number of Web sites designed to steal passwords doubled in one month, from June to July 2005. Most of the exploited Web sites included online journals, blogs, and personal storage sites. Microsoft’s Strider HoneyMonkey project found a zero-day exploit being initiated by a malicious URL. The Santy worm infected Web sites running vulnerable PHP code and then used Google to find its next victims. The Web is expected to be a growing source for malware attacks over the next decade.

Exacerbating the problem is the decrease in response times before the latest announced vulnerability manifests in the latest worm. When the Slammer worm in 2003 started attacking SQL Servers around the world, a patch had been out for more than six months. And in 2001, IIS administrators had more than a month to prepare for the Code Red worm.

The Zotob worm, which this year hit Microsoft’s Plug and Play service, is a sign of things to come. Within two days of Microsoft’s public announcement and release of the related patch, Zotob variants were emerging. By day three, tens of thousands of computers were compromised. In fact, two of Microsoft’s three critical vulnerabilities in August 2005 resulted in worms within days. Within a week, Microsoft saw its first publicly announced zero-day exploit. No matter how you slice it, the time between a vulnerability announcement and the need to patch is shrinking.