This year’s InfoWorld Security Survey shows an alarming and growing lack of confidence among IT security professionals — for the fourth year in a row.

It would be hard to find a better example of a distressed IT pro than Brent Oxley, the owner of the Web-hosting service HostGator. In September, Oxley found himself facing a potentially fatal catastrophe.

Of course it happened on Friday afternoon — and before long it turned into the biggest crisis in his company’s four-year history. What started as a handful of complaints from clients was starting to number in the hundreds, and each told a similar tale: People who tried to visit any of the legitimate Web sites that HostGator’s customers operated were redirected to rogue addresses that quickly dropped a virus onto the end-users’ PCs.

The next 12 hours were hell. Every time Oxley’s team scoured one machine clean, another system elsewhere in the network would get infected. “It was madness,” said Oxley, who began to feel he was trapped in a whack-a-mole game of incursion and parry — while simultaneously attempting to deflect the wrath of customers and end-users.

Metastasizing threat

Oxley isn’t alone. According to our survey, which polled 430 individuals responsible for their organization’s security, 56 percent are at most “somewhat confident” in their enterprise’s security system. And the rising tide of malware and phishing exploits is behind a great deal of that anxiety.

Click for larger view.

If 2005 marked the year that playful teenage hacker hobbyists gave way to more criminally minded professionals, 2006 is showing just how lethal this better-funded and -disciplined breed of thugs can be. Their malware is leaner and stealthier, and it burrows deeper into operating systems and applications to ferret out confidential information. You can even buy do-it-yourself malware and phishing kits online, including one called Web Attacker, which offers a maintenance contract for an extra fee. Sophisticated phishing attacks are targeting smaller enterprises, too.

“It’s not getting any better, and some would argue that it’s getting worse,” says Ed Skoudis, co-founder of security consultancy Intelguardians and an incident handler at the SANS Institute Internet Storm Center. Speaking of the security menace facing the average enterprise today, he adds, “The threat has metastasized in a very bad way, all based on the profit motive.”

Click for larger view.

The attack on HostGator bears many of the typical hallmarks of today’s increasingly sophisticated security threats. And it underscores the growing number of zero-day vulnerabilities in Windows — which totals at least eight this year, according to eEye Digital Security — not to mention other applications. This point isn’t lost on survey respondents, 51 percent of whom rated the increasing sophistication of attacks as a top security challenge, while 50 percent said Trojans, viruses, and other malicious code represented the top threat to network security.

Eric Sites, vice president of research and development at Sunbelt Software, isn’t surprised. In years past, Trojans typically loaded machines with adware that was so poorly written it would bring the PCs to a grinding halt. They were a nuisance, says Sites, but nothing like today’s malware, which steals passwords, sends spam, and joins botnets — revealing few or no visible signs. To make matters even worse for enterprises, attackers have begun gathering at “cyberbazaars” where they can trade passwords and other information gathered via malware.

 “The guys currently out there will do anything to get your money, your credit card number, or whatever private information they can sell to make money,” Sites says.

Attacks drop, severity rises

Security professionals reported a modest drop in the number of attacks on their networks during the past 12 months, with a mean of 331 attempted breaches and 39 successful ones per company. That compares favorably with the mean of 368 attempted attacks and 44 successful intrusions per company noted in last year’s survey.