Cybercrime Tsunami
"We're going to get more of everything," Slodichak says. "There will be more personal viruses like Melissa, and platform-targeted attacks like Slammer. We are also seeing more attacks targeting the very infrastructure of the Internet, such as BIND exploits that bring down entire networks." BIND (Berkeley Internet Name Domain) software is used by the majority of DNS servers in the world. Buffer-overflow exploits are the most frequent attacks made on BIND.
Infrastructure attacks lead WhiteHat's list of potentially devastating threats. "My colleagues feel that an even bigger Slammer is coming that will take three to four days to recover from," Slodichak says.
"Any business that relies on high availability [of its Internet resources] is a target for DNS or other 'shut-down' attacks," says Chris Roland, director of the X-Force security research and development arm of Internet Security Systems (ISS).
"What concerns us is the dramatic rise in both overall attacks and new types of attacks," he adds. "Gartner Group estimated [in 2001] that there would be 20 million active hackers by the end of 2002. That large population yields creative, new ways to cost victims money," Roland says. "For example, there have been new attacks on [Web store] shopping carts during the past two years," he says. "Many Web merchants use third-party, low-cost shopping-cart service providers. On some of those, it's been possible to download the cart's Web page, edit the prices in the form and resubmit the form. There are multiple vulnerabilities associated with shopping carts, and they affect mainly small to medium merchant users." A white paper describing shopping-cart vulnerabilities can be found on ISS' Web site.
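The price-editing weakness Roland describes comes from a cart that trusts the price field the browser sends back. The sketch below is an added example, not code from the article or from ISS; the catalog, field names (sku, qty, price) and form bodies are constructed assumptions. It places the weak total next to a server-side repricing check.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {"SKU-1001": Decimal("49.95"), "SKU-2002": Decimal("199.00")}

# Constructed form bodies: one as the page was served, one with an edited price.
HONEST = "sku=SKU-1001&qty=2&price=49.95&sku=SKU-2002&qty=1&price=199.00"
EDITED = "sku=SKU-1001&qty=2&price=49.95&sku=SKU-2002&qty=1&price=1.00"

def parse_cart(body):
    """Parse a form-encoded cart body into (sku, qty, client_price) rows."""
    form = parse_qs(body, strict_parsing=True)
    skus = form.get("sku", [])
    qtys = form.get("qty", [])
    prices = form.get("price", [])
    if not skus or not (len(skus) == len(qtys) == len(prices)):
        raise ValueError("malformed cart form")
    return [(s, int(q), Decimal(p)) for s, q, p in zip(skus, qtys, prices)]

def total_trusting_form(body):
    """Weak pattern: the total is built from the price the browser sent."""
    return sum(qty * price for _, qty, price in parse_cart(body))

def total_repriced(body):
    """Hardened pattern: reprice each line from CATALOG and report mismatches."""
    total, tampered = Decimal("0"), []
    for sku, qty, client_price in parse_cart(body):
        if sku not in CATALOG:
            raise ValueError("unknown item: " + sku)
        if not 1 <= qty <= 100:
            raise ValueError("quantity out of range")
        if client_price != CATALOG[sku]:
            tampered.append(sku)      # log and alert; never bill this value
        total += qty * CATALOG[sku]   # the client-supplied price is ignored
    return total, tampered
```

A mismatch between the submitted price and the catalog price is also a useful detection signal, since an unmodified form never produces one.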
"We are seeing 300 to 400 new exploits per month," Roland says. "Large enterprises have a hard time keeping up with the patches required. Small to medium businesses can't possibly keep up."
Viruses, while still proliferating and becoming more sophisticated, are decreasing in proportion to "hacks" designed to gain access to victims' IT resources and information, according to Roland.
Microsoft Exchange is a notorious gateway into corporate networks for viruses and other types of exploits. Nemx Software develops server-based software to protect Exchange environments, which employ Microsoft Outlook heavily.
"Outlook is a front door," says Nemx president John Young. "It hooks into Internet Explorer, the operating system and other MS Office components," providing many avenues for malicious content to travel.
"Outlook's biggest problem is it's a client-based product. Any bug or vulnerability has to be fixed on many desktops," he adds. It's also very difficult to transfer Outlook action-prevention rules and other safeguards developed on one desktop to others.
Antivirus software alone doesn't plug all of the holes in Exchange/Outlook. "One thing that gets through antivirus software are referrals embedded in HTML mail to off-site bits of information," Young explains. An embedded image file, for instance, must be retrieved from its site of origin, then rendered for viewing. "Every time people open that message, it burns bandwidth." More unpleasant things can happen via HTML mail, too.
"HTML mail can pass information to Web sites via cookies. Also, they know that an e-mail was read when the referral comes in, proving that there's a live person and a valid e-mail address on your end. Malicious code can come down that HTML stream."
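The off-site referrals Young describes can be found at the mail gateway before a client ever renders the message. The following is an added example, not Nemx code or anything from the article; the sample message, hostnames and the list of auto-fetched attributes are constructed assumptions. It lists every reference in a message's HTML parts that a client would fetch from a remote host on open.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs a mail client may fetch automatically when rendering.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("iframe", "src"),
              ("script", "src"), ("body", "background")}

# Constructed sample: one remote 1x1 image and one inline (cid:) image.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello</p>
<img src="http://tracker.example/pixel.gif?id=user%40example.org" width="1" height="1">
<img src="cid:logo@example.com">
</body></html>
"""

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                value = value.strip()
                url = urlparse(value)
                # Absolute http(s) or protocol-relative URLs leave the mailbox.
                if url.scheme in ("http", "https") or value.startswith("//"):
                    # A query string often carries a per-recipient identifier.
                    self.refs.append((tag, url.netloc, bool(url.query)))

def remote_refs(raw_message):
    """Return (tag, host, has_query) for each off-site fetch in HTML parts."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            payload = part.get_payload(decode=True)
            finder.feed(payload.decode(charset, errors="replace"))
    return finder.refs
```

A gateway can use the result to strip or rewrite the references, or to hold the message; the inline cid: image is not reported because it travels inside the message itself.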
Business partners provide a rapidly growing number of doors into a corporate network. The larger the firm and its network of suppliers, the more vulnerable its internal systems become.
"One large retailer caught an infection via a less secure cardboard-box supplier," says Joel McFarlane, Cisco security products manager. "Large firms have many more vectors of infection or vulnerability than smaller ones. Attackers are often trying to gain notoriety, and a prominent target provides more exposure. But large companies are often better protected than their smaller partners. It's often easier to launch an attack through a trusted partner." That fact is beginning to make enterprises more cautious.
"Corporate trust is not the same as security trust," McFarlane says. What do you know about your partner's IT security? Driven in part by government regulations such as HIPAA (Health Insurance Portability and Accountability Act), many enterprises are now demanding that their partners prove that they meet specific security standards.
Targetless vandalism is also on the rise. "Mindless, self-propagating attacks [like Slammer] are trying to cause widespread disruption," McFarlane says. "It's truly cyberterrorism, wreaking havoc and concern on the network for its own sake."
The speed and scale of such attacks are breathtaking. "Slammer spread to every known potential host in just half an hour. At its peak, it was generating 55 million port scans per second," says Stig Ravdal, senior manager of the security practice at Cap Gemini Ernst & Young.
At just 373 bytes, Slammer was an incredibly elegant machine-language creation, which required strong programming skills. But just as much havoc can be wreaked by millions of monkeys. "[Hacking] tools available to the general public are becoming more numerous and sophisticated," Ravdal says. "They are becoming easier to use, too. Some have very user-friendly GUIs. [For example,] AdMutate, a buffer-overflow attack tool, changes the attacking code's signature to evade antivirus software. Each time a new attack is launched from an infected host, it appears to be something the antivirus software does not recognize." Such powerful tools in the hands of millions of malicious vandals are enough to give security specialists nightmares. But they also must deal with people who want to get personal.
"Attacks targeting specific organizations usually involve people with axes to grind, political agendas or who want specific information," McFarlane says. "We don't know much about crimes committed for financial gain because the victims don't talk about [those]. Smaller companies usually don't see targeted attacks. They are typically victims of [much more numerous] random attacks." But the cost of being even an innocent bystander is high, especially if one wants to prosecute the offender.
"It costs a minimum of $500,000 to do complete forensics on a breached Web server," says David Aitel, founder of Immunity Security. Aitel, an alumnus of security consultancy @stake and the National Security Agency, is familiar with the forensics procedures necessary to secure a conviction of a cybercriminal. And, it's expensive. His fee is $3,000 per day to find out what happened and trace who did it. "Then you're looking at preserving chains of evidence, calling in the FBI... It makes more sense to avoid getting hit in the first place," Aitel says, adding he can usually tell when a customer is serious about security.
"Good customers have made their technical security decisions up front and have policies about what they allow where. Some say, 'No Windows 98 in the DMZ' [demilitarized zone, or isolated mission-critical systems]. But very few companies eliminate platforms that have been compromised... Insecure platforms are a large component of total cost of ownership. The productivity loss of constantly applying all those patches is one TCO factor. If you do get hit, TCO goes through the roof. It makes business sense to say, 'We won't have SQL Server in our critical systems.'"
It's impossible to neglect IT security any longer. Shareholders and partners demand accountability for adequate security. The bad guys are legion and proliferate by the second. As a result, every business needs to review, update and maintain its practices.
David Hakala is a freelance writer specializing in technology.
Virus Damage Estimates
Melissa $80M
Nimda $590M
Slammer $750M
Code Red $2.5B
ILOVEYOU $2.6B to $10B
Companies
Cap Gemini Ernst & Young, New York, N.Y., www.cgey.com
Cisco Systems, San Jose, Calif., www.cisco.com
Immunity Security, New York, N.Y., www.immunitysec.com
Internet Security Systems, Atlanta, Ga., www.iss.net
Nemx Software, Ottawa, Ontario, www.nemx.com
WhiteHat, Burlington, Ont., www.whitehatinc.com