Mark Vernon reveals the top five external threats to corporate
IT systems and suggests that a layered approach to defence can help
companies become more prepared for attacks
1. In terms of sheer frequency, the top spot on
the list of security threats must go to viruses. According to a DTI
survey, 72% of all companies received infected e-mails or files
last year and for larger companies this rose to 83%. Worms and
Trojan horses share the first prize in malignancy: the internet
experienced three worms in only 12 days last summer, causing £1.8bn
in damages, according to Symantec's Internet Security Threat
Report.
2. The after-effects of viruses are so dangerous
that they take second place. The vulnerability here is the back
doors viruses leave in their wake, or the chinks in the corporate
armour that later generations of code can exploit. For example, in
January, MyDoom left a back door that was subsequently exploited by
Doomjuice and Deadhat. Companies that failed to close the back
door, as well as rid themselves of the primary attack, remained
exposed.
Another related threat is the worms that turn PCs into remote mail
servers and send cascading volumes of e-mails that cause denial of
service attacks. These attacks are becoming more
sophisticated.
"Most mass mail viruses require the recipient to open the
attachment to run the malicious code," says Carole Theriault,
security consultant at anti-virus company Sophos. "However, there
are viruses that can take advantage of security flaws which means
that only viewing or opening the e-mail is enough to launch the
malicious code."
3. Hacks, and application-specific hacks in
particular, have become even smarter. Many companies are alert to
the threat posed by so-called buffer overflows, the techniques by
which web servers are overloaded causing a denial of service
attack. But the new kid in this category, and the one the security
industry is talking about, is the more advanced SQL
injection.
SQL injection forces a database to yield otherwise protected
information: crafted input is passed through an application into
its database queries, so that the database confuses classified
data, such as passwords or blueprints, with information that is for
public consumption, such as product details or contacts. It is hard
to do but, according to the experts, there are plenty of hackers up
to the task and plenty of customers ready to pay for the
service.
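To make the confusion of private and public data concrete, here is an added example in Python (not code from the article or from any vendor it quotes). It builds a throwaway SQLite database in which a public product table and a private user table sit side by side, then compares a product search that pastes the user's term into the SQL text with one that binds it as a parameter. The table names, rows and the probe string are all constructed for the demonstration.

```python
import sqlite3

# Constructed demonstration input: a classic test string that closes the
# quoted search term and appends a second SELECT against the private table.
PROBE = "' UNION SELECT username, password_hash FROM users --"


def build_demo_db():
    """Create an in-memory database with one public and one private table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO users VALUES ('alice', 'hash-of-alice-password');
    """)
    return conn


def search_products_vulnerable(conn, term):
    """Vulnerable form: the search term is spliced into the SQL text.

    The database receives one string and has no way to tell where the
    developer's query ends and the user's input begins, so input containing
    SQL syntax is executed as SQL.
    """
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    """Hardened form: the query shape is fixed and the term is a bound parameter.

    Whatever the term contains, the database treats it as a value to compare
    against the name column, never as part of the query.
    """
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable:", search_products_vulnerable(conn, PROBE))
    print("safe:      ", search_products_safe(conn, PROBE))
```

Run as a script, the vulnerable search returns the row from the users table, exactly the data the application was never meant to expose, while the parameterised search returns nothing because no product is literally named after the probe string. Parameter binding is the fix; input filtering on top of it is defence in depth, not a substitute.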
"We see it all the time," says David Litchfield, founder of
NGSSoftware. "It is behind breaches such as the half a million
credit card numbers stolen by Russian gangs or details from the
Drug Enforcement Agency being sold onto drug runners. These are
documented cases. SQL injection is not getting the respect it
deserves."
4. Phishing, or identity theft, is most commonly
targeted at bank customers but everybody should be alert to it. The
bank users receive an e-mail as if from the bank asking for their
log-on and password and, according to risk specialist company mi2g,
less than half of 1% of customers oblige, a significant figure if
millions of e-mails are sent.
A more sophisticated version of phishing, cross-site scripting, is
on the rise: users are driven to an identical but fake version of
the bank's website and are lured, unawares, into handing over
confidential information.
5. Blended attacks are combinations of two or more
of the above and are doubly alarming. The solution to protecting a
company against these attacks is to combine the piecemeal security
systems that protect against each kind of threat. But how secure
are these security systems and who is winning, the attacker or the
attacked?
Protective measures
Most of the measures companies can take to protect themselves are
reactive, and anti-virus patches and firewalls are now, for the
most part, implemented as standard. But these are responses to
known attacks, rather than an anticipation of the unexpected. They
do nothing to thwart the activities of worms that turn PCs into
machines from which further attacks, such as mass e-mailing, can be
launched. Nor can they deal with the more sophisticated hacks, such
as SQL injection. To combat this level of threat, additional
security must also be in place.
This security can be grouped in three layers. The first layer scans
IT systems for suspect activities by using intrusion prevention
technology and by monitoring anomalous requests. For example, SQL
injection often works by sending unusually long search strings to
database query tools.
"An intrusion prevention system that monitors traffic and watches
for unexpected behaviour such as this should pick up the attempt,"
says Nick Garlick, sales director of Nebulas Security.
Alternatively, a denial of service attack might be thwarted if the
security system recognises high levels of a particular sort of
traffic before they become so high that the network falls over.
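The two first-layer checks just described, flagging unusually long or SQL-laden query strings and noticing a flood of requests before it topples the server, can be illustrated with a small monitor. The following is an added example in Python, not a product from any vendor quoted in the article; it parses Common Log Format web-server lines, which it constructs itself, and raises an alert for each anomaly. The thresholds (64 characters, 20 requests per 10-second window), the token list and the addresses are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Thresholds are assumptions for this example; a real deployment tunes them
# against a baseline of the site's normal traffic.
MAX_PARAM_LENGTH = 64                   # longest query value treated as normal
SQL_TOKENS = re.compile(r"(--|'|;|\bunion\b|\bselect\b)", re.IGNORECASE)
RATE_WINDOW = timedelta(seconds=10)     # sliding window per source address
RATE_LIMIT = 20                         # requests allowed per source per window

# Common Log Format, e.g.
# 192.0.2.10 - - [10/Mar/2004:14:21:05 +0000] "GET /search?q=widget HTTP/1.1" 200 512
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
    }


def suspicious_params(path):
    """Return (parameter, reason) pairs for query values that look like injection attempts."""
    findings = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for value in values:            # parse_qs has already URL-decoded the value
            if len(value) > MAX_PARAM_LENGTH:
                findings.append((name, "unusually long value"))
            if SQL_TOKENS.search(value):
                findings.append((name, "sql syntax in value"))
    return findings


def analyse(lines):
    """Run both checks over an iterable of log lines and return the alerts raised, in order."""
    alerts = []
    recent = defaultdict(deque)         # ip -> request timestamps inside the sliding window
    flooding = set()                    # sources already reported, to avoid repeat alerts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, reason in suspicious_params(rec["path"]):
            alerts.append({"ip": rec["ip"], "kind": "injection", "detail": f"{param}: {reason}"})
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > RATE_WINDOW:
            window.popleft()            # drop requests that have aged out of the window
        if len(window) > RATE_LIMIT and rec["ip"] not in flooding:
            flooding.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "kind": "flood",
                           "detail": f"{len(window)} requests in {RATE_WINDOW.seconds}s"})
    return alerts


def sample_log():
    """Constructed log lines for the demonstration (not real traffic)."""
    base = datetime(2004, 3, 10, 14, 21, 5)

    def line(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [
        line("192.0.2.10", 0, "/search?q=widget"),
        line("192.0.2.10", 4, "/products?id=17"),
        # one search value carrying quote, UNION and comment syntax, padded far
        # beyond the length of any real product name
        line("192.0.2.77", 6, "/search?q=%27%20UNION%20SELECT%20username%2C%20password_hash"
                               "%20FROM%20users%20--" + "%20" * 40),
    ]
    # a burst of 25 requests from one address inside three seconds
    lines += [line("198.51.100.5", 8 + i * 0.1, "/") for i in range(25)]
    return lines


if __name__ == "__main__":
    for alert in analyse(sample_log()):
        print(alert)
```

Against the constructed log the monitor raises two injection alerts for the padded search (one for length, one for SQL syntax) and a single flood alert once the 21st request from the bursting address lands inside the window. The token check is deliberately simple and will flag legitimate input such as surnames with apostrophes, which is why an intrusion prevention system of this kind is tuned against real traffic and treated as a signal to investigate, not as a substitute for fixing the application.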
Garlick also points out that testing new software adequately before
it goes online is important. "The big issue is that coders tend to
work to deadlines and do not think like security people," he says.
"Build processes should also include penetration testing."
A second layer is added when defences are integrated. For example,
if a virus is known to open up a back door, the anti-virus system
should not only search for the virus but also for the back door.
Alternatively, it must prompt the firewall to stop entry through
the back door. This is a complex process to carry out across
enterprise-wide IT systems, and so experts advocate the
installation of security management systems.
"Suppliers are starting to develop the capabilities of systematic
and effective patch management systems," says Jan Fundgren, a
security analyst at Forrester. "When there is no 'all-in-one'
solution, better enterprise security management is more likely to
succeed." Compliance tools add another form of defence and can
monitor how thoroughly systems have been patched against
viruses.
The third layer is good risk assessment. Online systems inevitably
bring a degree of vulnerability along with excellent business
opportunities, so internet security should be built into the
company's calculations. If the business can understand which
systems are most vulnerable, protective measures can be taken to
cut the risk. That is the essence of dealing with external security
threats.
The threats you face
Viruses - damages worth £1.8bn in 12 days on the internet in 2003
Virus back doors - hidden after-effects with potentially devastating impact
Application-specific hacks - advanced SQL injection could be stealing your data
Phishing - duped end-users could lose faith in IT systems
Blended attacks - criminals use multiple methods to beat even the best security.