Worms, Attacks, Assorted Security Threats On Businesses Rise Sharply In 2003
The number of security incidents and confirmed attacks detected by businesses skyrocketed by 84 percent in the first three months of the year, according to a report scheduled to be made public on Monday by Internet Security Systems.
And that's the good news.
In the same time frame, said ISS' quarterly “Internet Risk Impact Statement,” the total number of reported security events, which range from relatively minor activities such as automatic probing to full-scale onslaughts by worms, jumped ten-fold over the previous three months.
Blame the worm, said ISS.
“The large increase in mass mailing, highly persistent worms and security events indicates that this year will be challenging for security officers and administrators around the world,” said Chris Rouland, the director of ISS' X-Force security research section. With numbers like these, that's an understatement.
ISS pointed out that worms are increasingly able to cause dramatic damage worldwide with a minimum of effort on the part of the attacker. While SQL Slammer -- a worm unleashed on unpatched Microsoft SQL Server 2000 systems that succeeded in infecting more than 200,000 machines in just 10 minutes -- is the most notable, a host of other worms are in the wild and causing trouble. The ISS report identified such new worms as Code Red.F, a variant of Code Red II, which was discovered last month and can install a 'back door' on vulnerable systems, giving access to attackers.
But the scariest conclusion from the ISS report is that hackers are catching up with enterprise security defenses, and the research conducted by firms -- such as ISS, Symantec, Network Associates, and others -- which corporations rely on to sniff out attacks. ISS' diagnosis of the last three months, where the number of threats outpaced vulnerabilities, shows that attackers aren't waiting for security flaws to be made public, but are actively seeking out holes they can exploit.
A good example of this disturbing trend was the recently uncovered vulnerability within a .dll component of Microsoft's IIS Web server. While ISS (as well as numerous other security firms) documented the vulnerability on March 17, it was only after the flaw had been exploited by intruders. Such 'zero day' attacks, so called because there is literally no time between an attack and the discovery of the vulnerability, are especially threatening. In another example, a weakness in the popular freeware sendmail e-mail server was attacked within 24 hours of its discovery.
“It is increasingly dangerous for systems to remain unprotected while connected to the Internet,” stated the ISS report. “Administrators must maintain a constant watch over malicious code, immediately update their threat protection, and provide for rapid, timely patching.”
Among ISS' other findings were interesting factoids that security professionals should keep in mind.
-- Friday is the most active attack day, and Friday and Saturday account for a third of all security events. It's no coincidence: company security and network centers are typically running, if at all, at reduced levels on the weekend. The Slammer attack, for instance, began late on a Friday.
-- The top destination for attack remains port 137 (Windows NetBIOS).
Cyberterrorism anxieties aside, the vast bulk of attacks originate close to home; more than 86 percent of all security events were traced back to North American IP addresses.