2006 InfoWorld Security Survey: IT's confidence crisis

If incidents are down, why the crisis atmosphere? Because the attacks are much more targeted and severe

This year’s InfoWorld Security Survey shows an alarming and growing lack of confidence among IT security professionals — for the fourth year in a row.

It would be hard to find a better example of a distressed IT pro than Brent Oxley, the owner of the Web-hosting service HostGator. In September, Oxley found himself facing a potentially fatal catastrophe.

Of course it happened on Friday afternoon — and before long it turned into the biggest crisis in his company’s four-year history. What started as a handful of complaints from clients soon grew to number in the hundreds, and each told a similar tale: People who tried to visit any of the legitimate Web sites that HostGator’s customers operated were redirected to rogue addresses that quickly dropped a virus onto the end-users’ PCs.

The next 12 hours were hell. Every time Oxley’s team scoured one machine clean, another system elsewhere in the network would get infected. “It was madness,” said Oxley, who began to feel he was trapped in a whack-a-mole game of incursion and parry — while simultaneously attempting to deflect the wrath of customers and end-users.

Metastasizing threat

Oxley isn’t alone. According to our survey, which polled 430 individuals responsible for their organization’s security, 56 percent are at most “somewhat confident” in their enterprise’s security system. And the rising tide of malware and phishing exploits is behind a great deal of that anxiety.

If 2005 marked the year that playful teenage hacker hobbyists gave way to more criminally minded professionals, 2006 is showing just how lethal this better-funded and -disciplined breed of thugs can be. Their malware is leaner and stealthier, and it burrows deeper into operating systems and applications to ferret out confidential information. You can even buy do-it-yourself malware and phishing kits online, including one called Web Attacker, which offers a maintenance contract for an extra fee. Sophisticated phishing attacks are targeting smaller enterprises, too.

“It’s not getting any better, and some would argue that it’s getting worse,” says Ed Skoudis, co-founder of security consultancy Intelguardians and an incident handler at the SANS Institute Internet Storm Center. Speaking of the security menace facing the average enterprise today, he adds, “The threat has metastasized in a very bad way, all based on the profit motive.”

The attack on HostGator bears many of the typical hallmarks of today’s increasingly sophisticated security threats. And it underscores the growing number of zero-day vulnerabilities in Windows — which totals at least eight this year, according to eEye Digital Security — not to mention other applications. This point isn’t lost on survey respondents, 51 percent of whom rated the increasing sophistication of attacks as a top security challenge, while 50 percent said Trojans, viruses, and other malicious code represented the top threat to network security.

Eric Sites, vice president of research and development at Sunbelt Software, isn’t surprised. In years past, Trojans typically loaded machines with adware that was so poorly written it would bring the PCs to a grinding halt. They were a nuisance, says Sites, but nothing like today’s malware, which steals passwords, sends spam, and joins botnets — revealing few or no visible signs. To make matters even worse for enterprises, attackers have begun gathering at “cyberbazaars” where they can trade passwords and other information gathered via malware.

“The guys currently out there will do anything to get your money, your credit card number, or whatever private information they can sell to make money,” Sites says.

Attacks drop, severity rises

Security professionals reported a modest drop in the number of attacks on their networks during the past 12 months, with a mean of 331 attempted breaches and 39 successful ones per company. That compares favorably with the mean of 368 attempted attacks and 44 successful intrusions per company noted in last year’s survey.

Unfortunately, this is not to say that networks are any safer — at least according to Jon Ramsey, CTO of SecureWorks, which monitors Internet attacks using about 5,000 intrusion prevention system devices. Although the volume of overall alerts has decreased, he points out that “the number of severe attacks is increasing precipitously.” The reason for the decrease in the number of attacks, according to this reasoning, is disturbing: As break-ins morph from prank to business, profit-driven attackers are less likely to waste time or take chances using outdated or ineffectual techniques.

Among successful intrusions, the spoofing of an organization’s identity to victimize customers — a common technique in phishing scams — was the most common, with 25 percent of respondents reporting they have been subjected to the practice, up from 23 percent last year. The increase is hardly surprising, Sunbelt’s Sites says, given the advent of $50 phishing kits that provide templates that mimic even the most minute details of the 10 most popular banking Web sites. To make matters even worse, phishing, which was once primarily focused on large enterprises such as eBay, is now becoming a problem for much smaller organizations. SecureWorks’ Ramsey says that 67 percent of the credit unions his company counts as clients have been subject to phishing attacks.

For the second year in a row, security professionals reported a drop in the number of successful attacks that targeted flaws in operating systems. Only 23 percent of respondents reported being subjected to an intrusion that targeted the operating system, down from 24 percent last year and 40 percent in 2004. Similarly, reports of exploits that hit weaknesses in Web applications, routers, or other pieces of network infrastructure either decreased or remained flat.

“Software vendors seem to have definitely gotten the message that enterprises are valuing security as a very important feature in the products they want to buy,” says John Pescatore, Gartner’s vice president for Internet security. “We see more and more software vendors using vulnerability testers.”

Threat from within

As predatory as today’s criminally minded hackers are, IT professionals face plenty of threats from within their own enterprises — none more glaring than their own lack of a comprehensive plan for security. No fewer than 42 percent of respondents reported that their organization had no documented security policy. (That’s a slight improvement over last year, when 46 percent of security professionals polled reported no formal policy.) Almost as distressing is the finding that 18 percent of those groups that do have a policy do not train their employees how to follow it. “It’s the old saying, ‘Well, I’d love to fix the plane, but I’m busy flying it across the ocean,’ ” Pescatore says. Although it’s true that implementing a policy can be a lot of work, the SANS Institute has taken much of the cost out of this process by offering a draft security policy on its Web site for free.

Resistance to implementing and enforcing security policies goes a long way toward explaining the long list of front-page headlines detailing privacy breaches that dominated much of the past year. In one of the better known cases, a laptop with confidential information pertaining to approximately 26.5 million veterans was stolen when the residence of a contractor with the Department of Veterans Affairs was burglarized. The incident highlights the troublesome fact that even when an organization has a strict security policy — in this case, the contractor was not authorized to take the data home — getting workers to follow it can be difficult. The episode also underscores a finding in the InfoWorld survey that just 55 percent of respondents deploy encryption software on PCs and handheld devices — a solution that would go a long way toward securing data that falls into the wrong hands.

The threat posed by their own employees isn’t lost on security pros, 56 percent of whom rated workers who fail to follow security policy as a significant security challenge. “We’re at the point now where we have to look and say, ‘What are we going to do about the internal threat?’ ” says Jim Brockett, CIO of Washington Trust Bank, referring to rank-and-file employees. He remains particularly wary of the risks of “social engineering,” in which some smooth-talking visitor posing as a PC repairman, or a customer’s long-lost relative, talks an employee into handing over confidential data, or providing physical access to the network. “It’s a constantly moving target,” he says.

Employee monitoring

Brockett is also vigilant to the threat that employees might pilfer data, something Dan Clements, CEO of privacy protection company CardCops, sees every day — as he lurks anonymously in online chat rooms that traffic in stolen Social Security numbers, credit card accounts, and other confidential information. “The value of the data in the underground is pulling this data from corporate America into cyberspace,” Clements says. He notes that data thieves now pay as much as $20 for data pertaining to a single identity.

Enterprises are currently looking to a host of solutions to combat this threat from within. Alongside the anti-virus, firewall, and VPN programs they’ve been using for years to keep bad guys out, IT professionals are now using products that help keep information in. Fully 24 percent of security professionals surveyed said they deployed employee-monitoring solutions, while another 8 percent said they planned to introduce such systems during the next year. And 44 percent said they monitored or filtered outbound e-mail, with an additional 8 percent saying they would begin doing so in the next 12 months.

Brockett uses a fraud monitoring service from a company called NextSentry to prevent data theft by his employees. It notifies him whenever a worker copies information from a trusted application, such as the bank’s database, and pastes it into an untrusted one, such as a Web browser or e-mail program. The solution also blocks the use of thumb drives and other unapproved USB devices.

Traditional technology, when properly configured, can provide important tools in the struggle to stay secure. But increasingly, according to our respondents, what’s needed are new technologies that do more than scan for malicious code or network probes. “We need to move to a behavioral-driven monitoring system,” says Dave Rand, chief technologist for Internet content security at Trend Micro. “Is the machine supposed to wake up at 3 a.m. and send e-mail or not?”

Assuming security providers are able to develop such sophisticated products — a big “if” in the minds of many IT professionals — there’s the less-than-trivial question of how they’ll be received in a market that’s already saturated with expensive security solutions. According to the survey, only 35 percent of respondents expect their security budget to grow next year.

HostGator strikes back

Meanwhile, back at HostGator, Oxley and his team finally gained the upper hand when they figured out that the attackers were penetrating HostGator’s defenses via a previously unknown hole in a Web site management application called cPanel. Once inside, the criminals used HostGator’s servers as a beachhead to exploit a separate zero-day weakness in the way Microsoft Windows uses VML (Vector Markup Language) to render graphics. All told, the predators infected more than 200 machines that served the majority of the 500,000 domains that HostGator runs. (They also targeted at least two other hosting services, according to Oxley, who declines to name them.)

Although Oxley’s team finally resolved the episode, Oxley himself, like many of our survey respondents, is still looking over his shoulder. “The biggest risk we have,” he says, “is waking up one morning and finding there’s an exploit bad enough to put all the Web hosting companies out of business.”

It would be nice to ascribe statements like that to professional paranoia. Unfortunately, as many of Oxley’s peers can attest, his concern is all too real.

Copyright © 2006 IDG Communications, Inc.